The purpose of this exercise is to log situations where a user or application gets a "Permission denied" message.

1. We have decided that the product SNARE will do what we need to track this activity at the kernel level.

2. Isolating only this activity is done through a trimmed-down audit.conf. This [Objectives] section logs the activity in question:

    [Objectives]
    criticality=4 event=open(.*),creat,mkdir,mknod,link,symlink return=Failure user=.* match=.*.*
    criticality=4 event=chmod,rename,truncate,truncate64,chown,lchown,chown32,lchown32 return=Failure user=.* match=.*.*
    criticality=4 event=open(O_RDONLY) return=Failure user=.* match=.*.*
    criticality=4 event=open(O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND),creat,mkdir,mknod,link,symlink return=Failure user=.* match=.*.*
    criticality=4 event=rmdir,unlink return=Failure user=.* match=.*.*

   Two caveats. The open(.*) in the first objective already matches every open() flag combination, so the two open(...) objectives after it only restate it and can be dropped to keep the file short. Also, return=Failure matches every failed call, not only the ones that failed with EACCES ("Permission denied"): an open() of a file that does not exist is logged just the same, so the reporting step has to filter on the error returned, not only on the event name.

3. SNARE can be made to log centrally with this [Output] snippet added to audit.conf. The network line sends every matched event to the syslog port (514) of the central server; the file line keeps a local copy on the monitored host:

    [Output]
    network=192.168.1.10:514
    file=/var/log/audit.log

4. The central logging server needs to be configured to receive incoming messages. On a Red Hat style system, in the file "/etc/sysconfig/syslog" add the line:

    SYSLOGD_OPTIONS="-r -m 0"

   and restart syslogd (service syslog restart). -r makes sysklogd accept messages from the network on UDP port 514; -m 0 turns off the periodic "-- MARK --" lines, which would otherwise be counted as log traffic in step 7. sysklogd does not authenticate senders in any way, so restrict UDP/514 on the collector to the SNARE hosts with the host firewall.

5. The installation of SNARE can be automated programmatically. The first step is to gather the ssh keys using getkeys.pl.

6. Once the ssh keys have been gathered, the SNARE kernel component can be installed programmatically with installsnare.pl. This requires that the install payload is properly named.

7. Once the remote SNARE hosts are logging, the number of lines per minute arriving at the collector can be determined with countloglines.pl.

8. Once the lines have been counted with countloglines.pl, these gnuplot commands build a graph from its output file linecount.data. With no "using" clause gnuplot plots a one-column file against the row index and a two-column file as x and y, so the file needs either one count per row or a minute index followed by the count:

    set terminal png large
    set xlabel "Time"
    set ylabel "Number of lines"
    set title "Log Lines Per Minute"
    set xtics rotate
    set output 'foo.png'
    plot "linecount.data" with lines

9. Logs are gathered into a central place. Once there, breaklogs.pl breaks them into day chunks.

10. Day logs can be searched and reports generated using a program like 'swatch'.
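The counting and day-splitting steps (7 and 9) as one added example. This is written in Python here and is not the page's countloglines.pl or breaklogs.pl. It assumes the collector is sysklogd writing standard BSD-syslog lines ("Mon DD HH:MM:SS host message"), which is all it parses; the SNARE message bodies in the sample are constructed placeholders, not real SNARE output. The linecount.data it writes works with the gnuplot commands in step 8 unchanged.

```python
#!/usr/bin/env python3
"""Count forwarded syslog lines per minute and split a central log into day files.

Added example: this is not countloglines.pl or breaklogs.pl from the page. It
relies only on the BSD-syslog timestamp prefix ("Mon DD HH:MM:SS host ...") that
syslogd writes before every message it receives, so the SNARE message body
itself is never parsed and the constructed bodies below are placeholders.
"""
import os
import re
import tempfile
from collections import Counter, OrderedDict

# sysklogd timestamp: month, space-padded day, time, then the sending host.
# There is no year in this format.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ ")

# Constructed sample input (not real SNARE output): two hosts, two days, and one
# line without a timestamp, as a wrapped or truncated message would leave.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 snare: open failed /etc/shadow
Mar  3 10:15:07 web1 snare: open failed /etc/shadow
Mar  3 10:15:59 db1 snare: unlink failed /var/lib/mysql/x
Mar  3 10:16:30 db1 snare: chmod failed /root/.ssh
Mar  3 10:18:00 web1 snare: mkdir failed /usr/local/bin
line with no syslog timestamp
Mar  4 00:00:02 web1 snare: open failed /etc/gshadow
"""


def minute_key(line):
    """Return (mon, day, 'HH:MM') for a syslog line, or None if it has no timestamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, _ss = m.groups()
    return (mon, int(day), f"{hh}:{mm}")


def count_per_minute(lines):
    """Return ({'Mon DD HH:MM': n, ...} in first-seen order, number of skipped lines).

    Quiet minutes simply do not appear, so the plot index written below counts
    busy minutes, not wall-clock minutes.
    """
    counts = OrderedDict()
    skipped = 0
    for line in lines:
        key = minute_key(line)
        if key is None:
            skipped += 1  # a line with no timestamp cannot be placed in a minute
            continue
        label = f"{key[0]} {key[1]:02d} {key[2]}"
        counts[label] = counts.get(label, 0) + 1
    return counts, skipped


def write_gnuplot_data(counts, path):
    """Write 'index count label' rows for: plot "linecount.data" with lines.

    gnuplot reads columns 1 and 2 as x and y for 'with lines' and ignores the
    third; the label just records which minute the row is.
    """
    with open(path, "w") as fh:
        fh.write("# index lines-per-minute minute\n")
        for i, (label, n) in enumerate(counts.items()):
            fh.write(f"{i} {n} {label.replace(' ', '-')}\n")
    return len(counts)


def split_by_day(lines, outdir):
    """Append each timestamped line to <outdir>/<Mon>-<DD>.log; return {file: lines}.

    BSD syslog carries no year, so a log that spans New Year has to be split
    per source file (or by rotation date) before this is run on it.
    """
    os.makedirs(outdir, exist_ok=True)
    written = Counter()
    handles = {}
    try:
        for line in lines:
            key = minute_key(line)
            if key is None:
                continue
            name = f"{key[0]}-{key[1]:02d}.log"
            if name not in handles:
                handles[name] = open(os.path.join(outdir, name), "a")
            handles[name].write(line if line.endswith("\n") else line + "\n")
            written[name] += 1
    finally:
        for fh in handles.values():
            fh.close()
    return dict(written)


def run_demo(log_text=SAMPLE_LOG, workdir=None):
    """Run both steps over log_text inside workdir (a fresh temp dir by default)."""
    workdir = workdir or tempfile.mkdtemp(prefix="snare-logs-")
    lines = log_text.splitlines(keepends=True)
    counts, skipped = count_per_minute(lines)
    rows = write_gnuplot_data(counts, os.path.join(workdir, "linecount.data"))
    days = split_by_day(lines, os.path.join(workdir, "days"))
    return {"counts": dict(counts), "skipped": skipped, "rows": rows, "days": days}


if __name__ == "__main__":
    print(run_demo())
```

Run on the real collector with run_demo(open("/var/log/messages").read(), "/var/log/snare") and point the gnuplot commands at the linecount.data it writes. The skipped count is worth watching: it rises when the collector is receiving lines that are not syslog-formatted, which usually means a misconfigured sender rather than real audit traffic.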