Overview
System Logs
- Red Hat Enterprise Linux Systems Provides A Central Logging Facility
-
That Allows All The Applications To Stores The Messages, Errors & Debugging Information In A Central Manageable Place.
- Logging Daemons:
rsyslog - Configuration File:
/etc/rsyslog.conf - Generate Log Messages:
logger(1)
Monitoring System Logs
-
/var/log/dmesgThis Log file Contains The Kernel Messages That Were Raised During The Boot Process. -
/var/log/messagesThis is the standard system log file, which contains the messages from the system softwares, non-kernel boot issues & messages that go to the dmesg. Readable By root Only. -
/var/log/maillogThis Logfile Contains The Mail Systems Messages & Errors. Readable By root Only. -
/var/log/secureThis Logfile Contains The Security Related Messages & Errors, Such As Login, Tcp_Wrappers & Xinetd. Readable By root Only. -
/var/log/audit/audit.logThis Logfile Contains The Audited Messages From The Kernel Including SELinux Related Messages. Useausearch&aureportTo View This Log file.
Examples:
[root@Matrix ~]# ausearch -ui 501 [root@Matrix ~]# ausearch -gi 501
[root@Matrix ~]# ausearch -sv yes [root@Matrix ~]# ausearch -sv no
[root@Matrix ~]# aureport --auth [root@Matrix ~]# aureport --login
[mitesh@Matrix ~]$ logger This is logger command testing.
[root@Matrix log]# tail -n1 /var/log/messages
Dec 26 16:22:51 Matrix mitesh: This is logger command testing.Network Time Protocol
- Daemons:
ntpd - Services:
chkconfig ntpd on | offservice ntpd status | start | stop | restart
Configuration Files:
/etc/ntp.conf
Configuration Tools:
- CLI:
ntpqntpdate -
GUI:
system-config-dateSystem -> Administration -> Date & Time- Can set Date/Time Manually or use NTP
- Additional NTP Servers can be added
- Can use Local Time or UTC
Examples:
[root@Matrix ~]# ntpq -c peers
[root@Matrix ~]# ntpdate -u ipaddress-of-ntp-server
[root@Matrix ~]# ntpdate -s ipaddress-of-ntp-serverSELinux
- The Traditional Unix Security Model Is A Discretionary Access Control (DAC) System.
- In DAC System Users Are Allowed To Modify Access Control On Files They Own.
- So The NSA Agents Often Uses chmod 777 ~ Easy Way To Share Their Files With Other NSA Agents.
-
So By Using DAC, NSA Agents Makes Confidential Information Available For The Rest Of The World.
- The NSA Develop A Mandatory Access Control (MAC) System.
- The NSA Take The Advantage Of The Open Source Linux Kernel & Developed A Set Of Patches To Enable MAC.
- This Patches Are Known As Security Enhanced Linux (SELinux).
SELinux:
- Kernel Level Security System
- All The Files & Processes Has A Security Context
- Any Action Not Explicitly Allowed Is Denied By Default
SELinux Modes:
Enforcing: SELinux Security Policy Is EnforcedPermissive: SELinux Prints Warnings Instead Of EnforcingDisable: SELinux Is Disable
SELinuxTYPE:
- Targeted Targeted Processes Are Protected
- MLS Multi Level Security Protection
SELinux Configuration:
/etc/selinux/config/etc/sysconfig/selinux -> ../selinux/config
SELinux Logs:
/var/log/audit/audit.log/var/log/messages
SELinux Packages:
yum install policycoreutils-guiyum install setroubleshoot
SELinux Commands:
getenforceDisplay System Current SELinux Mode-
setenforceToggle Between The Enforcing(1) & Permissive(0) Mode -
sestatusSELinux Status Tool sealertCLI & GUI SELinux Troubleshoot Client Tool-
sealert-b Application -> System Tools -> SELinux Troubleshooter system-config-selinuxSystem -> Administration -> SELinux Management
Kernel Arguments
selinux=0 | 1enforcing=0 | 1
Examples:
[root@Matrix ~]# getenforce [root@Matrix ~]# sestatus
Enforcing SELinux status: enabled
SELinuxfs mount: /selinux
[root@Matrix ~]# setenforce 0 Current mode: enforcing
[root@Matrix ~]# getenforce Mode from config file: enforcing
Permissive Policy version: 24
Policy from config file: targeted
[root@Matrix ~]# setenforce 1
[root@Matrix ~]# getenforce
Enforcing