
4.13. The importance of logs and alerts

It is obvious that logs and alerts are very important for a secure system. Suppose a system is configured perfectly and is 99% secure: when the 1% attack happens, if there are no security measures in place to, first, detect it and, second, raise an alert, then the system is not secure at all.
Debian GNU/Linux provides some tools to perform log analysis, most notably swatch, [27] logcheck or log-analysis (all will need some customisation to remove unnecessary things from the report). It might also be useful, if the system is nearby, to have the system logs printed on a virtual console. This is useful since you can (from a distance) see if the system is behaving properly. Debian's /etc/syslog.conf comes with a commented default configuration; to enable it uncomment the lines and restart syslogd (/etc/init.d/syslogd restart):
  daemon,mail.*;\
        news.=crit;news.=err;news.=notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       /dev/tty8
To colorize the logs, you could take a look at colorize, ccze or glark. There is a lot to log analysis that cannot be fully covered here, so a good information resource would be books such as http://books.google.com/books?id=UyktqN6GnWEC. In any case, even automated tools are no match for the best analysis tool: your brain.

4.13.1. Using and customizing logcheck

In Debian, logcheck is divided into three packages: logcheck (the main program), logcheck-database (the regular-expression database used by the program) and logtail (which prints the part of a log file that has not yet been read). By default in Debian (see /etc/cron.d/logcheck), logcheck runs once per hour, when the system is idle, and once after each reboot.
If configured properly, this tool can be quite useful for alerting the administrator to unusual events in the system. Logcheck can be configured to pick out noteworthy events from the logs and send them by mail. The default installation includes profiles of ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file, /etc/logcheck/logcheck.conf, sourced by the program, that defines which user the check results are mailed to. It also provides a way for packages to implement new policies in the following directories: /etc/logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_ and /etc/logcheck/ignore.d.workstation/_packagename_. However, not all current packages do so. If you have a policy that would be useful to other users, please submit it as a bug report against the corresponding package (as a wishlist bug). For more information see /usr/share/doc/logcheck/README.Debian.
The best way to configure logcheck is to edit its configuration file /etc/logcheck/logcheck.conf after installation and change the default user (root) to whom reports are mailed. You also need to set the report level there: logcheck-database has three report levels: workstation, server and paranoid. "server" is the default level; paranoid is only needed on high-security machines running as few services as possible, and workstation is for relatively sheltered machines where security is less critical. If you want to add log files, just add them to /etc/logcheck/logcheck.logfiles. This is already suitable for the default syslog installation.
Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see regex(7) and egrep(1)) that correspond to these messages to /etc/logcheck/ignore.d.reportlevel/local. Try to match the whole logline. Details on how to write rules are explained in /usr/share/doc/logcheck-database/README.logcheck-database.gz. It's an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if logcheck does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky).
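The tuning loop above is easier when a candidate ignore rule can be tried against saved log lines before it goes into /etc/logcheck/ignore.d.reportlevel/local. The following is an added example, not code from the Securing Debian Manual or the logcheck package: it repeats only logcheck's filtering step (egrep -v -f rulefile) on constructed sample lines and constructed rules, and contrasts a rule anchored to the whole logline with a sloppy unanchored one that would also hide failed logins.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: dry-run logcheck-style
# ignore rules against sample log lines before installing them under
# /etc/logcheck/ignore.d.<reportlevel>/local. logcheck filters its input with
# egrep -v -f <rulefile>; the function below repeats only that step so a rule
# can be checked offline. All log lines and rules here are constructed samples.

# Print the lines of log file $1 that survive the ignore rules in file $2,
# i.e. the lines logcheck would still mail to you.
logcheck_report() {
    grep -E -v -f "$2" "$1" || true    # grep -v exits 1 when nothing survives
}

# Number of surviving lines, for quick checks.
logcheck_report_count() {
    logcheck_report "$1" "$2" | wc -l | tr -d ' '
}

LOG=$(mktemp); GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$LOG" "$GOOD" "$BAD"' EXIT

# Constructed syslog sample: a routine cron job, a normal key-based login,
# and a failed root login that must never be silenced.
cat > "$LOG" <<'EOF'
Jun  3 06:25:01 host1 CRON[1234]: (root) CMD (run-parts --report /etc/cron.hourly)
Jun  3 06:30:12 host1 sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jun  3 06:31:40 host1 sshd[2350]: Failed password for root from 198.51.100.7 port 40022 ssh2
EOF

# Rules anchored to the whole line (^ ... $), as README.logcheck-database asks:
# timestamp, hostname, program[pid], then the exact message shape to ignore.
cat > "$GOOD" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: \(root\) CMD \(run-parts --report /etc/cron\.[[:alpha:]]+\)$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [[:alnum:]]+ from [[:digit:].]+ port [[:digit:]]+ ssh2$
EOF

# A sloppy, unanchored rule: it silences every sshd line, failed logins included.
printf '%s\n' 'sshd' > "$BAD"

echo "Reported with anchored rules:";  logcheck_report "$LOG" "$GOOD"
echo "Reported with the sloppy rule:"; logcheck_report "$LOG" "$BAD"
```

With the anchored rules only the failed root login is reported; with the bare "sshd" rule the harmless cron line is reported instead and the failed login disappears, which is exactly the kind of over-matching that whole-line rules prevent.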

4.13.2. Configuring where alerts are sent

Debian comes with a standard syslog configuration (in /etc/syslog.conf) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the syslog.conf file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed.
For example, sending messages to the console is an interesting setup and is useful for production systems. But for a number of such systems it is also important to add a dedicated machine that acts as a loghost (i.e. one that receives the logs of the other systems).
Root's mail should also be considered: many security controls (such as snort) send alerts to root's mailbox. This mailbox usually points to the first user created on the system (check /etc/aliases). Take care to send root's mail to some place where it will actually be read (locally or remotely).
There are other role accounts and aliases on your system. On a small system, it should be quite simple to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator's personal mailbox.
FIXME: It would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: snmptrapfmt, snmp and snmpd.

4.13.3. Using a loghost

A loghost is a host which collects syslog data remotely over the network. If one of your machines is cracked, the intruder is not able to cover their tracks unless the loghost is compromised as well. So the loghost should be especially secure. Making a machine a loghost is simple. Just start the syslogd with
syslogd -r
and a new loghost is born. In order to do this permanently in Debian, edit /etc/default/syslogd and change the line
SYSLOGD=""
to
SYSLOGD="-r"
Next, configure the other machines to send their data to the loghost. Add an entry like the following to /etc/syslog.conf:
  facility.level            @your_loghost
Look at the documentation to see what to use in place of facility and level (they should not be entered literally like this). If you want to log everything remotely, just write:
  *.*                       @your_loghost
into your syslog.conf. Logging remotely as well as locally is the best solution (the attacker might presume to have covered their tracks after deleting the local log files). See the syslog(3), syslogd(8) and syslog.conf(5) manpages for additional information.
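A quick way to confirm that a client really does forward everything to a loghost, while still logging locally, is to parse its syslog.conf the way syslogd reads it. The script below is an added example, not code from the Securing Debian Manual or from sysklogd: it joins backslash-continued selector lines (like the /dev/tty8 block earlier in this section), lists the "@host" targets, and checks for a catch-all "*.*" forwarding rule. The configuration is a constructed sample and "loghost.example" is an assumed hostname.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: check a syslog.conf for
# remote forwarding. Selectors are "facility.level", the action is the last
# field, and an action starting with "@" sends to a loghost over the network;
# a trailing backslash continues a selector on the next line. The configuration
# below is a constructed sample and "loghost.example" is an assumed hostname.

# Join backslash-continued lines and drop comments and blank lines, so each
# output line is one complete "selector action" rule.
syslog_rules() {
    awk '/\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
         { print buf $0; buf = "" }' "$1" |
    grep -E -v '^[[:space:]]*(#|$)'
}

# Print every remote loghost named in the file (without the leading "@").
syslog_remote_hosts() {
    syslog_rules "$1" | awk '$NF ~ /^@/ { sub(/^@/, "", $NF); print $NF }' | sort -u
}

# Succeed only if "*.*" (everything) is forwarded to a remote host,
# which is what this section recommends alongside local logging.
syslog_forwards_all() {
    syslog_rules "$1" | awk '$1 == "*.*" && $NF ~ /^@/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

CONF=$(mktemp); LOCAL_ONLY=$(mktemp)
trap 'rm -f "$CONF" "$LOCAL_ONLY"' EXIT

# Constructed sample: local files, a console copy, and a catch-all to the loghost.
cat > "$CONF" <<'EOF'
# constructed sample syslog.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon,mail.*;\
        news.=crit;news.=err;news.=notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       /dev/tty8
*.*                             @loghost.example
EOF

# Constructed sample that only logs locally: an intruder can delete these files.
cat > "$LOCAL_ONLY" <<'EOF'
*.*                             -/var/log/syslog
EOF

echo "Remote loghosts in sample:"; syslog_remote_hosts "$CONF"
if syslog_forwards_all "$CONF"; then echo "sample forwards everything remotely"; fi
if ! syslog_forwards_all "$LOCAL_ONLY"; then echo "local-only sample forwards nothing"; fi
```

Run it against /etc/syslog.conf on each client to spot machines whose logs exist only locally; the rule count from syslog_rules also makes it easy to see whether a continued selector was parsed as one rule.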

4.13.4. Log file permissions

It is not only important to decide how alerts are used, but also who has read/modify access to the log files (if not using a remote loghost). Security alerts which the attacker can change or disable are not worth much in the event of an intrusion. Also, you have to take into account that log files might reveal quite a lot of information about your system to an intruder who has access to them.
After installation, the permissions of some log files are not ideal (but this of course depends on your local security policy). First, /var/log/lastlog and /var/log/faillog should not be readable by normal users. In the lastlog file you can see who logged in recently, and in faillog you can see a list of failed logins. The author recommends chmod 660 for both files. Take a look at your log files and decide very carefully which of them to make readable/writable for users whose UID is not 0 and who are not in the 'adm' or 'root' groups. You can easily check this on your system by running:
  #  find /var/log -type f -exec ls -l {} \; | awk '{print $3}' | sort -u
  (see to what users the files in /var/log belong)
  #  find /var/log -type f -exec ls -l {} \; | awk '{print $4}' | sort -u
  (see to what groups the files in /var/log belong)
  # find /var/log -perm -004
  (files which are readable by any user)
  #  find /var/log \! -group root \! -group adm -exec ls -ld {} \;
  (files which belong to groups other than root or adm)
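The checks above can be wrapped so the audit and the recommended fix (chmod 660 on lastlog and faillog) are repeatable. This is an added example, not code from the Securing Debian Manual: it works on a constructed temporary tree standing in for /var/log, so it runs unprivileged, and it only covers the "readable by any user" check since file ownership cannot be changed without root.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: audit a log directory
# for files that any user can read, and tighten the ones that should not be
# (the chmod 660 recommended above for lastlog and faillog). It uses a
# constructed temporary tree instead of /var/log so it can run unprivileged;
# point it at /var/log as root on a real system.

# List regular files under $1 that carry the "others may read" bit
# (-perm -004 is the portable form of the old -perm +004).
world_readable_logs() {
    find "$1" -type f -perm -004 | sort
}

# Number of world-readable files, for quick checks.
world_readable_count() {
    world_readable_logs "$1" | wc -l | tr -d ' '
}

# Apply the recommended mode: owner and group may read and write, nobody else.
restrict_logs() {
    chmod 660 "$@"
}

# Constructed sample tree standing in for /var/log.
LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT
: > "$LOGDIR/lastlog";  chmod 644 "$LOGDIR/lastlog"    # recent logins, world-readable: bad
: > "$LOGDIR/faillog";  chmod 644 "$LOGDIR/faillog"    # failed logins, world-readable: bad
: > "$LOGDIR/auth.log"; chmod 640 "$LOGDIR/auth.log"   # group-only already

echo "World-readable files before tightening:"
world_readable_logs "$LOGDIR"
```

Call restrict_logs on the files the listing reports (for the two named above, restrict_logs "$LOGDIR/lastlog" "$LOGDIR/faillog") and rerun world_readable_logs to confirm the listing is empty; on a real system, also review the group-ownership output of the find commands above before changing modes.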
To customize how log files are created, you will probably need to customize the programs that generate them. If a log file is rotated, you also need to customize its creation and rotation behaviour.


[27] There is a very good article written on it at http://www.spitzner.net/swatch.html