Lecture 16: UNIX Forensics 6/26/2003 CSCE 590 Summer 2003.

2 Syslog
A standard system logging facility
  – Unix, Windows, routers, switches, blenders, etc.
On UNIX, configuration is in /etc/syslog.conf
Daemon called syslogd
Can syslog over the network to a dedicated syslog server
Targeted by intruders

3 Syslog.conf
Which messages are sent to which logs
Each line contains:
  – Facility field – subsystem that produces the log message: auth (security), authpriv, cron, daemon, kern, lpr, mail, ftp, news, syslog, user, uucp, local0-local7
  – Priority field – severity of the log message (8 levels): debug, info, notice, warning, err, crit, alert, emerg
  – Action field – name of a log file, or the IP address/hostname of a remote syslog server

4 Syslog Priority Field
debug – all occurrences, everything
info – usual occurrences (like FYIs)
notice – unusual occurrences, investigate
warning – warning messages
err – other error conditions
crit – critical condition or failure
alert – urgent situation
emerg (panic) – panic situation (warp core breach)

5 Programmer’s interface
#include <syslog.h>
void openlog(const char *ident, int option, int facility);
  – Opens a connection to the system logger for a program
void syslog(int priority, const char *format, ...);
  – Generates a log message to be distributed by syslogd
void closelog(void);
  – Closes the descriptor to the system logger for a program

6 Sample syslog.conf
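The slide itself is an image; as an added example (not the lecture's own file), here is a constructed syslog.conf together with a small resolver that works out where syslogd would send a message of a given facility and priority, using the selector rules from slide 3. The hostname loghost.example.com and the log paths are assumptions.

```shell
#!/bin/sh
# Constructed syslog.conf (not from the lecture); whitespace separates selector and action.
SYSLOG_CONF='# selector(s)                    action
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
kern.crit                        @loghost.example.com
*.emerg                          *'

# syslog_route FACILITY PRIORITY -> one action per config line that matches.
# A selector priority means "this level and anything more severe"; "none" drops a
# facility from an otherwise matching selector; later selectors override earlier ones.
syslog_route() {
  printf '%s\n' "$SYSLOG_CONF" | awk -v fac="$1" -v pri="$2" '
    BEGIN {
      split("debug info notice warning err crit alert emerg", lv, " ")
      for (i = 1; i <= 8; i++) rank[lv[i]] = i     # severity order from slide 4
    }
    /^#/ || NF < 2 { next }                        # skip comments and blank lines
    {
      n = split($1, sel, ";"); hit = 0
      for (i = 1; i <= n; i++) {
        split(sel[i], fp, "[.]"); f = fp[1]; p = fp[2]
        if (f != "*" && f != fac) continue
        if (p == "none") { hit = 0; continue }
        if (p == "*" || rank[pri] >= rank[p]) hit = 1
      }
      if (hit) print $2
    }'
}

syslog_route kern crit     # /var/log/messages and @loghost.example.com
syslog_route mail err      # /var/log/maillog only: mail.none removed it from messages
syslog_route cron debug    # nothing: debug is below the *.info threshold
```

The remote-host action is the one that matters for forensics: a copy on a dedicated loghost survives an intruder editing the local files.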

7 Shell Histories
History of all commands you type
In each user’s home directory:
  – .history
  – .bash_history
  – .sh_history
  – .ksh_history
Commonly targeted by intruders
  – Delete it, recreate it as a directory
  – Delete it, link it to /dev/null (the bit bucket)
  – Just turn off the history function in your shell, then delete it

8 The grep Family
grep – search for a string in a file
  – bzgrep – in a bzip2-compressed file
  – zgrep – search possibly compressed files
  – zipgrep – search files in a ZIP archive
  – grepjar – search files in a jar file for a pattern
fgrep – search for fixed strings listed in a given file, one pattern per line
  – bzfgrep – in a bzip2-compressed file
egrep – search using extended regular expressions
  – bzegrep – in a bzip2-compressed file

9 grep Options
-r – recurse into directories
-i – case insensitive
-a – treat binary files as text (kind of like piping to strings)
-v – lines NOT containing this string

10 find
grep looks inside files; find searches on other attributes of files (metadata):
  – File name, including regular expressions, case insensitive
  – Time periods for MAC (modify, access, change) times
  – Belongs to a GID or group name
  – Belongs to a UID or user name
  – nouser and nogroup – no user or group is defined for its UID or GID

11 find
  – Is on a file system of type xxxx
  – Has a particular inode number
  – Has a particular number of links to it
  – Is a symbolic link
  – Search on permission bits
  – File size
  – File type

12 find Actions
-print – print what you find
-printf – print using a format string
-exec xxx – execute the xxx command on a hit
-ls – list it in “ls -dils” format
Much more stuff! Good man page to read.

13 Hiding in the File System
Hide in a rarely visited or ‘busy’ directory
  – /dev: look for regular files, there shouldn’t be many
  – Font directories
  – OS source code directories
  – Man page directories
Creative naming
  – “...”
  – “. ”
  – “.. ”
  – “ ”
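Putting slides 10 to 13 together, here is an added example (not from the lecture) that builds a throwaway directory tree imitating the hiding spots above and then hunts through it with find(1). Every file in the tree is constructed; the paths only mimic the real /dev and font directories.

```shell
#!/bin/sh
# make_sample_tree -> prints the path of a constructed tree with a few planted oddities.
make_sample_tree() {
  dir=$(mktemp -d) || return 1
  mkdir -p "$dir/dev" "$dir/usr/share/fonts"
  : > "$dir/dev/null.txt"                      # regular file in a device directory
  : > "$dir/usr/share/fonts/font.ttf"          # legitimate-looking font
  : > "$dir/usr/share/fonts/... "              # "creative" name: dots plus a trailing space
  : > "$dir/usr/share/fonts/ "                 # name that is a single space
  printf '#!/bin/sh\n' > "$dir/dev/sh"
  chmod 4755 "$dir/dev/sh"                     # setuid "shell" parked in /dev
  touch -t 200306260100 "$dir/usr/share/fonts/font.ttf"   # old mtime (26 Jun 2003)
  printf '%s\n' "$dir"
}

# Regular files under a directory that should hold only device nodes.
find_regular_in_dev() { find "$1/dev" -type f; }

# setuid or setgid files anywhere below the given directory (permission bits).
find_setid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }

# Names made only of dots and spaces ("...", ". ", " "). Pass an absolute path
# so the start point itself cannot match the pattern.
find_odd_names() { find "$1" ! -name '*[!. ]*'; }

# Files whose mtime is more than N days old (use -mtime -N for recently changed ones).
find_older_than_days() { find "$1" -type f -mtime +"$2"; }

d=$(make_sample_tree)
find_regular_in_dev "$d"; find_setid "$d"; find_odd_names "$d"; find_older_than_days "$d" 365
rm -rf "$d"
```

On a live system, feed the hits to `-ls` (slide 12) so inode, owner and MAC data are captured in the same pass.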

14 Hiding in the File System
Slack space
Deleted files
Unlinked open files
Trojaned system files
Decoy file system mounts
  – Mount a file system over existing data in a current file system
  – The existing data becomes hidden; this could hide an executable being run or a file being written to
  – df may show a lot more space used in a file system than you can account for with du

15 Checking RPMs
RPMs are application packages (Linux)
Verification compares info about the files in an installed package with the info stored about them in the RPM database
Simple integrity check:
  – # for i in `rpm -qa`; do rpm -V $i; done
Error prone and can be subverted
Catches less skilled intruders

16 Output of Verify RPMs
S – file Size differs
M – Mode differs (includes permissions and file type)
5 – MD5 sum differs
D – Device major/minor number mismatch
L – readlink(2) path mismatch
U – User ownership differs
G – Group ownership differs
T – mtime differs
c – configuration file (expected to change)

17 Rpm Verify Example
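The example slide is an image; as an added example (not the lecture's), here is a small triage filter for the output of the `for i in \`rpm -qa\`; do rpm -V $i; done` loop from slide 15, using the column letters from slide 16. The sample lines are constructed, not real rpm output; on a real host pipe the loop into rpm_verify_triage instead.

```shell
#!/bin/sh
# Constructed rpm -V lines in the 8-column "SM5DLUGT" layout from slide 16.
# (Later rpm versions add a ninth column; the parsing below is unaffected.)
RPM_VERIFY_SAMPLE='S.5....T    /bin/ls
.M......    /usr/bin/passwd
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/man/man1/ls.1.gz
missing     /sbin/ifconfig
.....U..    /var/lib/data'

# rpm_verify_triage: reads rpm -V lines on stdin, prints "VERDICT PATH" per line.
rpm_verify_triage() {
  awk '
    NF < 2 { next }
    {
      flags = $1; path = $NF
      is_conf = (NF == 3 && $2 == "c")            # "c": config file, expected to change
      if (flags == "missing")        verdict = "MISSING"
      else if (is_conf)              verdict = "config-changed"
      else if (flags ~ /[5SML]/)     verdict = "SUSPECT"        # content, size, mode or link target
      else if (flags ~ /[UGD]/)      verdict = "ownership-or-device-changed"
      else                           verdict = "mtime-only"     # T alone: weak signal, still worth a look
      print verdict, path
    }'
}

printf '%s\n' "$RPM_VERIFY_SAMPLE" | rpm_verify_triage
```

Because the RPM database on the compromised host can itself be altered, compare against the original package files (`rpm -Vp package.rpm`) or a trusted copy of the database before trusting a clean result.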

18 Inode “Timelines”
ls -lit | sort | more
List all inodes
Look for entries that seem out of place, very high or very low
If you find any out of place, look for other inodes around that number to find possible related files

19 Inode “Timelines” Example

20 Signals
Simple interprocess communication
  – One program sends a message to another
  – Pre-defined messages
  – 16 or 32 depending on platform
Some are useful for terminating a program gracefully
Might be able to freeze it in memory so as not to lose evidence

21 Useful Signals
HUP (1) – Hangup
INT (2) – Interrupt, stop running (Ctrl-C)
KILL (9) – Stop unconditionally and immediately
TERM (15) – Terminate gracefully if possible
STOP (17) – Stop unconditionally; continue with CONT
TSTP (18) – Stop executing, ready to continue
CONT (19) – Continue executing after STOP or TSTP
USR1 (30) – A user-defined signal
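The "freeze it in memory" idea from slide 20, as an added example (not from the lecture): stop a process with STOP, confirm its state, then resume it. Signal names are used rather than the numbers on the slide because the numbers vary by platform (STOP is 17 on BSD but 19 on Linux). The "suspect" is just a sleep started by the script.

```shell
#!/bin/sh
# proc_state PID -> one-letter state: "T" stopped, "S" sleeping, "R" running.
proc_state() {
  if [ -r "/proc/$1/status" ]; then
    awk '/^State:/ { print $2 }' "/proc/$1/status"    # Linux
  else
    ps -o stat= -p "$1" | cut -c1                      # BSD/macOS: no /proc
  fi
}

# freeze_check PID -> prints "<state after STOP> <state after CONT>", e.g. "T S".
# While stopped, the image stays in memory and its open files stay open, so
# /proc/PID/exe, /proc/PID/maps and /proc/PID/fd (Linux) can be examined first.
freeze_check() {
  kill -STOP "$1" && sleep 1          # give the kernel a moment to stop the task
  stopped=$(proc_state "$1")
  kill -CONT "$1" && sleep 1
  resumed=$(proc_state "$1")
  printf '%s %s\n' "$stopped" "$resumed"
}

sleep 300 &                           # stand-in for a suspicious process
suspect=$!
freeze_check "$suspect"               # T S
kill -TERM "$suspect"                 # graceful shutdown, per slide 21
wait "$suspect" 2>/dev/null || true
```

Use KILL only as a last resort: it gives the program no chance to flush or clean up, and once it exits the memory evidence is gone.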

22 Startup and Shutdown Scripts
Usually found in /etc
Can be files like rc.local and rc.shutdown
Can be directories of scripts, or of links to scripts, like rc0.d-rc6.d, rc.d, and init.d
The kernel boots and first loads:
  – init – process control initialization
  – If init dies, the system reboots
  – Makes sure the system enters the correct run level (single user, multi-user, etc.)

23 BSD-Like RC Scripts
Simpler scripts:
  – rc.conf: configuration variables for what to start, included in other startup scripts
  – rc: starts up a bunch of system services that must be run before securelevel changes
  – rc.securelevel: levels -1 through 2
  – rc.local: run next; local services, network, system daemons
  – rc.shutdown: clean-up commands when the system is going down, e.g. gracefully stopping a database

24 rc.securelevel
Run after the rc script
Level -1: Permanently insecure
  – init can’t raise securelevel but sysctl can
Level 0: Insecure mode
  – During bootstrapping, single user
  – All devices may be read/written subject to permissions
  – System file flags may be cleared

25 rc.securelevel
Level 1: Secure mode (default multi-user)
  – Only init may lower securelevel
  – /dev/mem and /dev/kmem may not be written to
  – Raw disk devices of mounted file systems are read-only
  – Can’t remove system immutable and append-only file flags
  – Kernel modules may not be loaded or unloaded
Level 2: Highly secure mode (Level 1 still applies)
  – Raw disk devices are always read-only, mounted or not
  – settimeofday(2) may not set the time backwards
  – ipf(8) and ipnat(8) rules may not be altered
  – The ddb.console and ddb.panic sysctl(8) variables may not be raised (keeps people from using the in-kernel debugger ddb(4) to modify securelevel)

26 System V-ish RC Scripts
On a Solaris machine:
  – 8 different run levels: 0-6, and s and S (the same thing)
  – Default run level in /etc/inittab
Level s or S: single-user state
Level 0: firmware mode
Level 1: sys admin mode; single user, all file systems mounted, limited processes running
Level 2: multi-user mode, all multi-user processes running

27 Init Levels (cont.)
Level 3: extended multi-user mode; level 2 + local resources are available over the network
Level 4: usually not used; can be defined as an alternative multi-user environment
Level 5: shut the machine down, safe to power off
Level 6: stop the OS and reboot to the default run level

28 Startup Scripts
There is a directory for each of the 0-6 run levels: /etc/rc.d/rc0.d -> /etc/rc.d/rc0.d
Also /etc/rc.d/init.d
  – Contains the actual startup/shutdown scripts
  – These are shell scripts that take as an argument:
    start – start up the process
    stop – stop the process
    restart – sometimes a restart

29 Startup Scripts
Each of the rcX.d directories contains symbolic links to scripts in the init.d directory
The format of the link name determines the argument passed to the startup script and when it is run
  – K03nfs: run the script pointed to by this link with the stop option (K = Kill); run it “third” in the order of scripts
  – S75ntpd: run the script pointed to by this link with the start option (S = Start); run it “75th” in the order of scripts
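An added example for slides 28 and 29 (not from the lecture): decode rcX.d link names the way the rc script does, and check where the links in such a directory actually point, since a link that is not a link, or that leads outside init.d, is worth a look during an investigation. The rc tree built here is constructed for the demo; on a real host use /etc/rc.d/rc3.d and /etc/rc.d/init.d.

```shell
#!/bin/sh
# rc_link_order NAME... -> "LINK ACTION SCRIPT" lines in execution order: all K links
# run first with "stop", then S links with "start", each in numeric order.
rc_link_order() {
  for link in "$@"; do
    case $link in
      K[0-9][0-9]?*) action=stop ;;
      S[0-9][0-9]?*) action=start ;;
      *) continue ;;                       # README and the like are not rc links
    esac
    printf '%s %s %s\n' "$link" "$action" "${link#???}"   # strip K/S + 2-digit order
  done | LC_ALL=C sort                     # lexical order is the order rc uses
}

# rc_link_check RCDIR INITDIR -> report entries that are not symlinks or whose
# target does not lie in INITDIR (absolute path or the usual ../init.d/ form).
rc_link_check() {
  for l in "$1"/[SK][0-9][0-9]*; do
    [ -L "$l" ] || [ -e "$l" ] || continue   # empty glob
    [ -L "$l" ] || { printf 'NOT-A-LINK %s\n' "${l##*/}"; continue; }
    t=$(readlink "$l")
    case $t in
      "$2"/*|../init.d/*) ;;
      *) printf 'ODD-TARGET %s -> %s\n' "${l##*/}" "$t" ;;
    esac
  done
}

# make_rc_sample -> path of a constructed rc tree: two normal links, one odd
# link target (placeholder path) and one plain file copied in instead of linked.
make_rc_sample() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/init.d" "$base/rc3.d"
  : > "$base/init.d/nfs"; : > "$base/init.d/ntpd"
  ln -s "$base/init.d/nfs" "$base/rc3.d/K03nfs"
  ln -s ../init.d/ntpd "$base/rc3.d/S75ntpd"
  ln -s /tmp/odd-target/run "$base/rc3.d/S99local"   # constructed odd target
  : > "$base/rc3.d/S50plainfile"
  printf '%s\n' "$base"
}

rc_link_order S75ntpd K03nfs README S10network
b=$(make_rc_sample); rc_link_check "$b/rc3.d" "$b/init.d"; rm -rf "$b"
```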

30 References
Chapters 11, 12