Logging of system activity

The daemon that controls much (but not all) of the logging of activity on modern Unix / Linux systems is called rsyslogd. Ordinarily the log files to which rsyslogd makes entries are held in the directory /var/log. There are usually many different log files in this directory. Two particularly important log files are /var/log/secure and /var/log/messages.

You might also see log files with names very similar to each other, such as /var/log/secure.210114, /var/log/secure.200114, … and /var/log/messages.210114, /var/log/messages.200114, … (these numbers are an example; yours will differ).

What is the significance of the numbers appended to these log files?

Inspect some of these log files, particularly /var/log/secure and /var/log/messages, then explain what kinds of information are logged in them.

The configuration file for logging by rsyslogd is /etc/rsyslog.conf. Inspect this file and ensure that you have a general understanding of what is being configured. Again show evidence of this understanding in your report.

Remote log host

Now modify /etc/rsyslog.conf to send all messages handled by it to a remote log host instead of to the local /var/log directory. You will also need to modify the file /etc/sysconfig/rsyslog, which configures rsyslogd options. You should restore all files to their original states at the end of your session. Create some backup copies in the usual way:

cd /etc

cp rsyslog.conf rsyslog.conf.BACKUP

cd /etc/sysconfig

cp rsyslog rsyslog.BACKUP

You should work with a colleague (or several colleagues). Designate one computer to be the remote log host.

1. On the computers that are not the remote log host, edit /etc/rsyslog.conf and replace, for example:

authpriv.*                                            /var/log/secure

by

authpriv.*                                            @remote-log-host

where remote-log-host should be replaced by the actual network address of the remote log host.

2. On the remote log host, configure the rsyslogd options to receive messages from the network. Edit /etc/sysconfig/rsyslog and include the "r" qualifier in the entry for SYSLOGD_OPTIONS. For our current system set the options to "-c 2 -r514".

3. For both (1) and (2), cause rsyslogd to re-read its configuration files and restart. Use either of the following commands:

/etc/rc.d/init.d/rsyslog restart

or

service rsyslog restart

On the computer that is not the remote log host (1), add a new user with a distinctive name to aid tracking its activity.

Check that log entries are indeed being recorded on the remote log host.

If not, is the firewall on the remote log host interfering? If so, add UDP port 514 to the firewall (using the GUI: select System, Administration, Firewall; click on Other Ports, then on Add; select User Defined and enter port number 514 as udp; finally Apply the changes).
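As an added example (not part of the original worksheet), the script below does by hand what you are asked to do by eye when checking the remote log host: it parses /var/log/secure-style lines in the format rsyslogd writes, groups them by the originating host, and reports user additions and failed or accepted SSH logins. The sample lines, host names, user name and IP addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Syslog line as rsyslogd writes it: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

# Constructed sample: secure-log lines as they arrive on the remote log host
# from two forwarding clients (hosts, the tracked user and IPs are made up).
SAMPLE = """\
Jan 21 10:02:33 lab-pc1 useradd[2231]: new user: name=zz_tracker, UID=1002, GID=1002, home=/home/zz_tracker, shell=/bin/bash
Jan 21 10:03:01 lab-pc1 sshd[2250]: Failed password for zz_tracker from 192.0.2.77 port 51022 ssh2
Jan 21 10:03:04 lab-pc1 sshd[2250]: Failed password for zz_tracker from 192.0.2.77 port 51022 ssh2
Jan 21 10:03:10 lab-pc1 sshd[2250]: Accepted password for zz_tracker from 192.0.2.77 port 51022 ssh2
Jan 21 10:05:40 lab-pc2 sshd[1911]: Failed password for invalid user admin from 198.51.100.9 port 40211 ssh2
Jan 21 10:05:42 lab-pc2 sshd[1911]: Failed password for invalid user admin from 198.51.100.9 port 40211 ssh2
Jan 21 10:05:44 lab-pc2 sshd[1911]: Failed password for invalid user admin from 198.51.100.9 port 40211 ssh2
Jan 21 10:06:00 lab-pc2 su: pam_unix(su-l:session): session opened for user root by student(uid=1000)
this line is not in syslog format and is counted as unparsed
"""

def parse_line(line):
    """Split one syslog line into its fields; return None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def summarise(text):
    """Per originating host: users added, failed SSH logins per (user, source), accepted logins."""
    report = defaultdict(lambda: {"useradd": [], "failed": Counter(), "accepted": []})
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        host, prog, msg = rec["host"], rec["prog"], rec["msg"]
        if prog == "useradd" and (m := USERADD_RE.search(msg)):
            report[host]["useradd"].append(m["user"])
        elif prog == "sshd" and (m := FAILED_RE.search(msg)):
            report[host]["failed"][(m["user"], m["src"])] += 1
        elif prog == "sshd" and msg.startswith("Accepted "):
            report[host]["accepted"].append(msg.split()[3])  # "Accepted password for <user> ..."
    return dict(report), unparsed

if __name__ == "__main__":
    per_host, bad = summarise(SAMPLE)
    for host, r in sorted(per_host.items()):
        print(f"{host}: users added {r['useradd']}, accepted logins {r['accepted']}")
        for (user, src), n in r["failed"].most_common():
            print(f"  {n} failed logins for {user!r} from {src}")
    print(f"unparsed lines: {bad}")
```

Run it against a real copy of /var/log/secure on the remote log host by reading the file into `summarise`; a distinctively named user created on a client, as in the step above, should appear under that client's host name.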

Logwatch

Fedora Linux uses logwatch to simplify the checking of log files. Logwatch runs automatically at about 04:02 and emails a summary of noteworthy events recorded in the log files to the root username. The configuration files and scripts for logwatch can be found in directory /etc/logwatch.

Inspect these files and explain them.

As always, make notes of everything you do – commands, what fails, what succeeds, explanations, answers to questions, etc.

Remember to restore /etc/rsyslog.conf and /etc/sysconfig/rsyslog to their original states from the backup copies. If you stopped the firewall, restart it.

Part 2 – System Hardening

Bastille

Bastille is software for "system hardening". It allows the security settings of a Unix / Linux system to be assessed and/or configured for greater security. A useful feature is that changes made by Bastille can also be undone, with the system being restored to its state before Bastille was run, using the -r switch.

Note that Bastille also allows people to investigate and learn about computer security, so the recommendations should not be applied.

Start up the Fedora VM guest and log on then convert to root.

Read the man pages (man bastille) for further information.

You can assess the security of the system with the following command.

bastille --assess

You can inspect the assessment that appears in your browser. See also the information held in the directory /var/log/Bastille/Assessment. Investigate the entries in the security assessment and make notes.

To allow bastille to configure your system, use the following command:

bastille -c

Then go through the questions and explanations to determine the configuration. At the end of the questions these settings can be saved or discarded. Discard the changes and make notes in your logbook to demonstrate your understanding.

Summarise the questions asked by bastille so that you have a step by step guide to hardening any computer.

Investigation

Outline the features and benefits of SELinux.

Discuss the question: Is it possible to have too much computer security?

As always, maintain your logbook thoroughly including references to sources used, consider the broad implications and draw some conclusions from your findings.
