1. Make frequent backups. These are needed to compare your system against a known state to determine whether unauthorized changes have been made. In the worst case, a system might need to be completely restored from a known safe backup. I recommend backing up workstations at least once a month, and servers with numerous users at least weekly.
2. Keep system log files for at least a month. Sometimes you'll find out that some unauthorized use of your system went on recently and may even have continued up to the present time. SGIs come with cron jobs that rotate the system log, /var/adm/SYSLOG. This means that after a period of time, usually a week or so, the file holding the record of most access to your system is renamed to /var/adm/OLDsyslog and the previous /var/adm/OLDsyslog is removed. Below is a program from Marty Dellwo that renames SYSLOG, auth.log, mail.log, local0.log and potentially other files with a number suffix, allowing you to keep as many weeks of these files as you'd like. (auth.log, mail.log and local0.log are from TCP Wrappers.)
To add log rotation, perform the following steps:
1. Put the following lines in a script file, /var/adm/logroll.sh, and make the file executable: "chmod u+rwx /var/adm/logroll.sh"
#!/bin/sh
# Rotate the IRIX system logs, keeping numbered generations instead of the
# stock one-week OLDsyslog. IRIX-specific tools are used here: /sbin/stat -qs
# prints a file's size in bytes, find -local skips NFS-mounted paths, and
# "killall 1" sends signal 1 (SIGHUP).
logdir=/var/adm
if [ ! -d $logdir ] ; then exit ; fi
gz=/usr/sbin/gzip
umask 077            # rotated copies and the fresh log are readable by root only
cd $logdir
for log in SYSLOG auth.log mail.log local0.log ; do
    # only rotate a log that exists and has grown past 10 KB
    if [ -f $log ] && [ "`/sbin/stat -qs $log`" -ge 10240 ]
    then
        # shift every generation up by one; an existing .7 is overwritten
        [ -f $log.6.gz ] && /sbin/mv $log.6.gz $log.7.gz
        [ -f $log.6 ] && /sbin/mv $log.6 $log.7
        [ -f $log.5.gz ] && /sbin/mv $log.5.gz $log.6.gz
        [ -f $log.5 ] && /sbin/mv $log.5 $log.6
        [ -f $log.4.gz ] && /sbin/mv $log.4.gz $log.5.gz
        [ -f $log.4 ] && /sbin/mv $log.4 $log.5
        [ -f $log.3.gz ] && /sbin/mv $log.3.gz $log.4.gz
        [ -f $log.3 ] && /sbin/mv $log.3 $log.4
        [ -f $log.2.gz ] && /sbin/mv $log.2.gz $log.3.gz
        [ -f $log.2 ] && /sbin/mv $log.2 $log.3
        [ -f $log.1.gz ] && /sbin/mv $log.1.gz $log.2.gz
        [ -f $log.1 ] && /sbin/mv $log.1 $log.2
        # retire the live log and create an empty one for syslogd to reopen
        /sbin/mv $log $log.1 ; touch $log
        # compress the newest generation if it is over 1 MB
        if [ "`/sbin/stat -qs $log.1`" -ge 1048576 ]
        then
            [ -x $gz ] && $gz -v $log.1
        fi
    fi
    # discard generations older than 50 days
    find . -local -type f -name "${log}.*" -mtime +50 -exec /sbin/rm -rf {} \;
done
# make syslogd close the renamed files and start writing to the new ones
killall 1 syslogd
3. Here are some quick tips for detecting unauthorized use:
-Examine the /var/adm/SYSLOG file.
-Enter "last" to see logins.
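Item 1 keeps backups so the running system can be compared against a known-good state. The script below is an added example (not from the original page and not Marty Dellwo's code) that performs that comparison with a checksum manifest rather than a full restore: take a cksum listing of a tree while it is known good, take another later, and report what was added, removed or modified. It assumes only POSIX find, cksum, sort and awk; the directory names and sample files in demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original page or of Marty Dellwo's script.
# Item 1 keeps backups so the live system can be compared with a known-good
# state; this does that comparison with a checksum manifest instead of a
# full restore. Needs only POSIX find, cksum, sort and awk.

# make_manifest DIR OUTFILE: one "<cksum> <bytes> <path>" line per regular
# file under DIR, paths relative to DIR, sorted so two manifests line up.
make_manifest() {
    ( cd "$1" && find . -type f -print | sort | while read -r f; do
          cksum "$f"
      done ) > "$2"
}

# compare_manifest BASELINE CURRENT: print ADDED / MODIFIED / REMOVED lines,
# one per path, sorted. The path is everything after the first two fields,
# so names containing spaces are handled.
compare_manifest() {
    awk '
        function path(line) { sub(/^[^ ]+ [^ ]+ /, "", line); return line }
        FILENAME == ARGV[1] { base[path($0)] = $1 " " $2; next }
        {
            p = path($0); seen[p] = 1
            if (!(p in base))               print "ADDED " p
            else if (base[p] != $1 " " $2)  print "MODIFIED " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# demo: constructed sample tree (not real system files) that is baselined,
# then changed in the three ways the report distinguishes.
demo() {
    tmp=${TMPDIR:-/tmp}/manifest.$$
    mkdir -p "$tmp/sys/etc" "$tmp/sys/bin"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$tmp/sys/etc/passwd"
    printf '#!/bin/sh\necho ok\n' > "$tmp/sys/bin/tool"
    make_manifest "$tmp/sys" "$tmp/baseline.cksum"   # taken while known good
    printf 'guest:x:500:500::/tmp:/bin/sh\n' >> "$tmp/sys/etc/passwd"  # modified
    printf 'x\n' > "$tmp/sys/bin/extra"                                 # added
    rm -f "$tmp/sys/bin/tool"                                          # removed
    make_manifest "$tmp/sys" "$tmp/current.cksum"
    compare_manifest "$tmp/baseline.cksum" "$tmp/current.cksum"
    rm -rf "$tmp"
}

demo
```

The baseline manifest must itself be stored somewhere the system cannot alter it (on the backup medium, alongside the backup it describes), otherwise the comparison proves nothing.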
last updated 990318 by Martin McCormick, martinm@sas.upenn.edu