Logs are very important for security. They record the many things that happen on a system every day, so you can find the cause of an error or the traces left behind by an attack. The two main functions of logs are auditing and monitoring. They can also be used to monitor system status and to track intruders.
In a Linux system there are three major log subsystems:
Connection-time log - maintained by several programs that write records to /var/log/wtmp and /var/run/utmp. login and similar programs update the wtmp and utmp files so that the system administrator can track who logged in to the system and when.
Process accounting - performed by the system kernel. When a process terminates, one record is written to the process accounting file (pacct or acct) for that process. The purpose of process accounting is to provide command usage statistics for basic services on the system.
Error log - performed by syslogd(8). System daemons, user programs and the kernel report noteworthy events through syslog(3) to the file /var/log/messages. Many UNIX programs also create their own logs, and servers that provide network services such as HTTP and FTP maintain detailed logs of their own.
Common log files are as follows:
access_log - records HTTP/web transfers
acct/pacct - records user commands
aculog - records modem activity
btmp - records failed login attempts
lastlog - records the most recent successful login and the last unsuccessful login of each user
messages - records messages from syslog (some systems link it to the syslog file)
sudolog - records use of sudo
sulog - records use of the su command
syslog - records messages from syslog (usually linked to the messages file)
utmp - records each user currently logged in
wtmp - a permanent record of every login and logout time for every user
xferlog - records FTP sessions
The utmp, wtmp and lastlog files are the core of most UNIX logging subsystems: they hold the records of users logging in and out. Information about the currently logged-in users is recorded in utmp; login and logout records are recorded in wtmp; and each user's last login is recorded in lastlog, which is viewed with the lastlog command. System events such as shutdowns and reboots are also recorded in wtmp. Every record carries a timestamp. These files (lastlog is usually not large) grow very quickly on a system with many users. For example, wtmp grows without limit unless it is periodically truncated. Many systems configure wtmp to rotate daily or weekly, usually by a script run from cron. These scripts rename and rotate the wtmp file: typically wtmp is renamed wtmp.1 after the first day, wtmp.1 becomes wtmp.2 after the second day, and so on up to wtmp.7.
Every time a user logs in, the login program looks up the user's UID in lastlog. If it is found, the time and host name of the user's previous login are written to standard output, and the new login time is then recorded in lastlog. After the new lastlog record is written, the utmp file is opened and a utmp record for the user is inserted. That record is removed when the user logs out. The utmp file is used by several commands, including who, w, users and finger.
Next, the login program opens wtmp and appends the user's utmp record to it. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file again. The wtmp file is used by the programs last and ac.
The wtmp and utmp files are binary files; they cannot be viewed or concatenated with commands such as tail or cat. Users need who, w, users, last and ac to read the information in these two files.
who: the who command queries the utmp file and reports each user currently logged in. The default output of who includes user name, terminal, login time and remote host. For example, who displays:
chyang   pts/0   Aug 18 15:06
ynguo    pts/2   Aug 18 15:32
ynguo    pts/3   Aug 18 13:55
lewis    pts/4   Aug 18 13:35
ynguo    pts/7   Aug 18 14:12
ylou     pts/8   Aug 18 14:15
If the wtmp file name is given, who queries all earlier records instead. The command who /var/log/wtmp reports every login since the wtmp file was created or truncated.
w: the w command queries the utmp file and displays each user on the system together with the process they are running. For example, w displays:
 3:36pm  up 1 day, 22:34,  6 users,  load average: 0.23, 0.29, 0.27
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU   WHAT
chyang   pts/0    202.38.68.242     3:06pm   2:04    0.08s  0.04s  -bash
ynguo    pts/2    202.38.79.47      3:32pm   0.00s   0.14s  0.05s  w
lewis    pts/3    202.38.64.233     1:55pm   30:39   0.27s  0.22s  -bash
lewis    pts/4    202.38.64.233     1:35pm   6.00s   4.03s  0.01s  sh /home/users/
ynguo    pts/7    simba.nic.ustc.e  2:12pm   0.00s   0.47s  0.24s  telnet mail
ylou     pts/8    202.38.64.235     2:15pm   1:09m   0.10s  0.04s  -bash
users: the users command prints the currently logged-in users on a single line, one entry per login session. If a user has more than one login session, the user name appears that many times. For example, users displays: chyang lewis lewis ylou ynguo ynguo
last: the last command searches back through wtmp and displays the users who have logged in since the file was created. For example:
chyang   pts/9   202.38.68.242    Tue Aug  1 08:34 - 11:23  (02:49)
cfan     pts/6   202.38.64.224    Tue Aug  1 08:33 - 08:48  (00:14)
chyang   pts/4   202.38.68.242    Tue Aug  1 08:32 - 12:13  (03:40)
lewis    pts/3   202.38.64.233    Tue Aug  1 08:06 - 11:09  (03:03)
lewis    pts/2   202.38.64.233    Tue Aug  1 07:56 - 11:09  (03:12)
If a user is specified, last reports only that user's recent activity; for example, last ynguo displays:
ynguo    pts/4   simba.nic.ustc.e  Fri Aug  4 16:50 - 08:20  (15:30)
ynguo    pts/4   simba.nic.ustc.e  Thu Aug  3 23:55 - 04:40  (04:44)
ynguo    pts/11  simba.nic.ustc.e  Thu Aug  3 20:45 - 22:02  (01:16)
ynguo    pts/0   simba.nic.ustc.e  Thu Aug  3 03:17 - 05:42  (02:25)
ynguo    pts/0   simba.nic.ustc.e  Wed Aug  2 01:04 - 03:16  (02:12)
ynguo    pts/0   simba.nic.ustc.e  Wed Aug  2 00:43 - 00:54  (00:11)
ynguo    pts/9   simba.nic.ustc.e  Thu Aug  1 20:30 - 21:26  (00:55)
ac: the ac command reports connect time in hours, based on the login and logout records in the current /var/log/wtmp file. With no flags it reports the total. For example, ac displays:
total 5177.47
ac -d displays the total connect time for each day:
Aug 12  total   261.87
Aug 13  total   351.39
Aug 14  total   396.09
Aug 15  total   462.63
Aug 16  total   270.45
Aug 17  total   104.29
Today   total   179.02
ac -p displays the total connect time of each user:
        ynguo      193.23
        yucao        3.35
        rong       133.40
        hdai        10.52
        zjzhu       52.87
        zqzhou      13.14
        liangliu    24.34
        total     5178.24
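The who, last and ac reports above are all derived from the same binary utmp/wtmp records described earlier. The following added example (not code from the original article) reads those records directly: it parses the glibc struct utmp layout used on x86 and x86_64 Linux (384-byte little-endian records, an assumption; other architectures differ), pairs each login with the logout on the same tty the way last does, sums connect hours per user the way ac -p does, and flags all-zero records, which is the hole a zap-style log cleaner leaves when it wipes an entry instead of deleting it. The wtmp bytes are constructed inline; a real run would read /var/log/wtmp. The user names, hosts and timestamps in the sample are made up.

```python
"""Read wtmp/utmp records and rebuild last/ac style reports.

Added example, not code from the original article.  Assumes the glibc
struct utmp layout of x86/x86_64 Linux (384-byte little-endian records)
and parses a constructed byte string instead of /var/log/wtmp.
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone

# glibc <bits/utmp.h> on x86/x86_64, 384 bytes per record:
#   short ut_type; [2 pad]; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Return one dict per record; 'zeroed' marks an all-NUL record."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
            "zeroed": raw.count(0) == UTMP_SIZE,
        })
    return records


def zeroed_records(records):
    """Indices of all-NUL records.  wtmp is append-only, so a hole like this
    usually means a log cleaner overwrote an entry, not a genuine EMPTY slot."""
    return [i for i, r in enumerate(records) if r["zeroed"]]


def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS record on the same
    tty (what last does); a BOOT_TIME record ends every open session."""
    open_by_line, done = {}, []

    def close(login, end, note):
        dur = end - login["time"] if end is not None else None
        done.append({**login, "end": end, "duration": dur, "note": note})

    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            close(open_by_line.pop(r["line"]), r["time"], "")
        elif r["type"] == BOOT_TIME:
            for login in list(open_by_line.values()):
                close(login, r["time"], "crash")
            open_by_line.clear()
    for login in sorted(open_by_line.values(), key=lambda r: r["time"]):
        close(login, None, "still logged in")
    return done


def connect_hours(sess):
    """Per-user connect time in hours, like ac -p (open sessions are skipped)."""
    hours = defaultdict(float)
    for s in sess:
        if s["duration"] is not None:
            hours[s["user"]] += s["duration"] / 3600
    return dict(hours)


def last_report(sess):
    """Lines in the style of last(1); timestamps are shown in UTC."""
    def fmt(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %H:%M")
    lines = []
    for s in sess:
        end = fmt(s["end"]) if s["end"] is not None else s["note"]
        lines.append(f"{s['user']:<8} {s['line']:<6} {s['host']:<22} {fmt(s['time'])} - {end}")
    return lines


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; used only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


T = 965_260_800   # constructed: 2000-08-03 00:00 UTC
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T),
    make_record(USER_PROCESS, 1201, "pts/4", "ynguo", "simba.nic.ustc.edu.cn", T + 1000),
    make_record(USER_PROCESS, 1230, "pts/3", "lewis", "202.38.64.233", T + 1500),
    make_record(DEAD_PROCESS, 1201, "pts/4", "", "", T + 4600),
    bytes(UTMP_SIZE),          # hole left by a zap-style log cleaner
    make_record(USER_PROCESS, 1300, "pts/0", "chyang", "202.38.68.242", T + 5000),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    print("\n".join(last_report(sessions(recs))))
    print("connect hours:", connect_hours(sessions(recs)))
    print("zeroed records at:", zeroed_records(recs))
```

Point parse_wtmp at the bytes of /var/log/wtmp to run it on a real system; a non-empty result from zeroed_records is worth a closer look, since login never writes an all-zero record.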
lastlog: the lastlog file is consulted at every login. The lastlog command lets you check when a particular user last logged in; it formats the contents of /var/log/lastlog and prints the login name, port (tty) and last login time, sorted by UID. If a user has never logged in, lastlog prints "**Never logged in**". Note that the command must be run as root, for example:
rong     5     202.38.64.187    Fri Aug 18 15:57:01 +0800 2000
dbb                             **Never logged in**
xinchen                         **Never logged in**
pb9511                          **Never logged in**
xchen    0     202.38.64.190    Sun Aug 13 10:01:22 +0800 2000
Options can be added as well: lastlog -u 102 reports on UID 102, and lastlog -t 7 reports logins from the last week.
Process accounting
UNIX can track every command run by every user. If you want to know which important files were tampered with last night, process accounting can tell you, and it is helpful for tracking an intruder. Unlike connection-time logging, the process accounting subsystem is not active by default; it has to be started. On Linux, process accounting is started with the accton command, which must be run as root. The form of the command is accton file, and the file must already exist. So first create the pacct file with touch: touch /var/log/pacct, then run accton: accton /var/log/pacct. Once accton is active, you can use the lastcomm command to monitor the commands executed on the system. To turn accounting off, run accton with no arguments (newer versions of the GNU acct package require accton off instead). The lastcomm command reports previously executed commands. With no arguments, lastcomm displays information about every command recorded during the lifetime of the current accounting file, including the command name, the user, the tty, the CPU time the command used and a timestamp. If there are many users on the system, the output can be very long. For example:
crond            F  root  ??     0.00 secs Sun Aug 20 00:16
promisc_check.s  S  root  ??     0.04 secs Sun Aug 20 00:16
promisc_check       root  ??     0.01 secs Sun Aug 20 00:16
grep                root  ??     0.02 secs Sun Aug 20 00:16
tail                root  ??     0.01 secs Sun Aug 20 00:16
sh                  root  ??     0.01 secs Sun Aug 20 00:15
ping             S  root  ??     0.01 secs Sun Aug 20 00:15
ping6.pl         F  root  ??     0.01 secs Sun Aug 20 00:15
sh                  root  ??     0.01 secs Sun Aug 20 00:15
ping             S  root  ??     0.02 secs Sun Aug 20 00:15
ping6.pl         F  root  ??     0.02 secs Sun Aug 20 00:15
sh                  root  ??     0.02 secs Sun Aug 20 00:15
ping             S  root  ??     0.00 secs Sun Aug 20 00:15
ping6.pl         F  root  ??     0.01 secs Sun Aug 20 00:15
sh                  root  ??     0.01 secs Sun Aug 20 00:15
ping             S  root  ??     0.01 secs Sun Aug 20 00:15
sh                  root  ??     0.02 secs Sun Aug 20 00:15
ping             S  root  ??     1.34 secs Sun Aug 20 00:15
locate              root  ttyp0  1.34 secs Sun Aug 20 00:15
accton           S  root  ttyp0  0.00 secs Sun Aug 20 00:15
One problem with process accounting is that the pacct file can grow very quickly. You then need to run the sa command, interactively or from cron, to keep the accounting data under control. The sa command reports on, cleans up and maintains the process accounting files. It condenses the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold system statistics classified by command name and by user name. By default sa reads these summaries first and then the pacct file, so its report contains all the available information. sa output uses the following labels:
avio - average number of I/O operations per execution
cp - user plus system time, in minutes
cpu - same as cp
k - average CPU core (memory) usage, in 1K units
k*sec - CPU storage integral, in 1K-core seconds
re - real (elapsed) time, in minutes
s - system time, in minutes
tio - total number of I/O operations
u - user time, in minutes
For example:
     842  173.26re    4.30cp    0avio   358k
       2   10.98re    4.06cp    0avio   299k   find
       9   24.80re    0.05cp    0avio   291k   ***other*
     105   30.44re    0.03cp    0avio   302k   ping
     104   30.55re    0.03cp    0avio   394k   sh
     162    0.11re    0.03cp    0avio   413k   security.sh*
     154    0.03re    0.02cp    0avio   273k   ls
      56   31.61re    0.02cp    0avio   823k   ping6.pl*
       2    3.23re    0.02cp    0avio   822k   ping6.pl
      35    0.02re    0.01cp    0avio   257k   md5sum
      97    0.02re    0.01cp    0avio   263k   initlog
      12    0.19re    0.01cp    0avio   399k   promisc_check.s
      15    0.09re    0.00cp    0avio   288k   grep
      11    0.08re    0.00cp    0avio   332k   awk
You can also get a summary by user rather than by command. For example, sa -m displays:
             885  173.28re    4.31cp    0avk
root         879  173.23re    4.31cp    0avk
alias          3    0.05re    0.00cp    0avk
qmailp         3    0.01re    0.00cp    0avk
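lastcomm and sa are both readers of the same binary accounting file, so a practitioner hunting for last night's activity often wants to decode it directly and ask a sharper question than either tool answers, for instance which commands ran with superuser privileges from an interactive terminal. The following added example (not code from the original article) does that: it assumes the 64-byte struct acct_v3 that the Linux kernel writes (ACCT_VERSION 3, little-endian, times in 1/100 s comp_t ticks; an assumption about the kernel and architecture), decodes a constructed sample in place of /var/log/pacct, prints lastcomm-style lines, builds an sa-style per-command summary, and lists the processes whose ASU flag (the S lastcomm prints) is set while attached to a tty. The uid 500, the pids and the tty number in the sample are made up.

```python
"""Decode Linux process accounting records (lastcomm/sa style).

Added example, not code from the original article.  Assumes the 64-byte
struct acct_v3 written by the Linux kernel (ACCT_VERSION 3, little-endian,
comp_t times in 1/100 s ticks) and a constructed sample instead of
/var/log/pacct.  The uid 500 and tty numbers in the sample are made up.
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone

# <linux/acct.h> struct acct_v3, 64 bytes:
#   char ac_flag, ac_version; u16 ac_tty; u32 exitcode, uid, gid, pid, ppid, btime;
#   float etime; comp_t utime, stime, mem, io, rw, minflt, majflt, swaps; char comm[16]
ACCT_FMT = "<BBHIIIIIIf8H16s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)              # 64
AHZ = 100                                          # accounting clock ticks per second
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10  # ac_flag bits
FLAG_LETTERS = ((ASU, "S"), (AFORK, "F"), (ACORE, "D"), (AXSIG, "X"))  # as lastcomm prints


def comp_t_decode(c):
    """comp_t: 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_t_encode(value):
    """Inverse of comp_t_decode (lossy above 8191); used only to build the sample."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def flags_of(flag):
    return "".join(letter for bit, letter in FLAG_LETTERS if flag & bit)


def parse_acct(data):
    """One dict per record, with times converted to seconds."""
    recs = []
    for off in range(0, len(data) - ACCT_SIZE + 1, ACCT_SIZE):
        f = struct.unpack(ACCT_FMT, data[off:off + ACCT_SIZE])
        recs.append({
            "flag": f[0], "tty": f[2], "uid": f[4], "pid": f[6], "ppid": f[7],
            "btime": f[8], "etime": f[9] / AHZ,
            "utime": comp_t_decode(f[10]) / AHZ, "stime": comp_t_decode(f[11]) / AHZ,
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return recs


def lastcomm_lines(recs):
    """Most recent first, like lastcomm: command, flags, uid, tty, cpu, start time."""
    out = []
    for r in reversed(recs):
        tty = "??" if r["tty"] == 0 else f"{r['tty']:#06x}"
        when = datetime.fromtimestamp(r["btime"], timezone.utc).strftime("%a %b %d %H:%M")
        out.append(f"{r['comm']:<16} {flags_of(r['flag']):<2} uid={r['uid']:<5} {tty:<6} "
                   f"{r['utime'] + r['stime']:.2f} secs {when}")
    return out


def sa_summary(recs):
    """Per-command count plus elapsed (re) and cpu (cp) totals in seconds, like sa."""
    summary = defaultdict(lambda: {"count": 0, "re": 0.0, "cp": 0.0})
    for r in recs:
        s = summary[r["comm"]]
        s["count"] += 1
        s["re"] += r["etime"]
        s["cp"] += r["utime"] + r["stime"]
    return dict(summary)


def superuser_from_tty(recs):
    """(command, uid) of processes that used superuser privileges (ASU) while
    attached to a terminal: the first list to read when asking who did what."""
    return [(r["comm"], r["uid"]) for r in recs if r["flag"] & ASU and r["tty"] != 0]


def make_acct(flag, tty, uid, pid, ppid, btime, etime, utime, stime, comm):
    """Pack one acct_v3 record; used only to construct the sample below."""
    return struct.pack(ACCT_FMT, flag, 3, tty, 0, uid, uid, pid, ppid, btime, etime * AHZ,
                       comp_t_encode(round(utime * AHZ)), comp_t_encode(round(stime * AHZ)),
                       0, 0, 0, 0, 0, 0, comm.encode())


T = 966_730_500                 # constructed: 2000-08-20 00:15 UTC
PTS0 = 0x8800                   # dev_t of /dev/pts/0 (major 136, minor 0)
SAMPLE_PACCT = b"".join([
    make_acct(0,     0,    0,   901,   1, T,      0.02,  0.00, 0.01, "crond"),
    make_acct(AFORK, 0,    0,   902, 901, T,      0.01,  0.00, 0.01, "sh"),
    make_acct(ASU,   0,    0,   903, 902, T,      1.34,  0.50, 0.84, "ping"),
    make_acct(0,     PTS0, 500, 950, 940, T + 60, 0.03,  0.01, 0.01, "ls"),
    make_acct(ASU,   PTS0, 500, 951, 940, T + 90, 0.40,  0.01, 0.02, "su"),
    make_acct(ASU,   PTS0, 0,   960, 951, T + 92, 300.0, 0.05, 0.05, "bash"),
])

if __name__ == "__main__":
    recs = parse_acct(SAMPLE_PACCT)
    print("\n".join(lastcomm_lines(recs)))
    for comm, s in sa_summary(recs).items():
        print(f"{s['count']:>4} {s['re']:8.2f}re {s['cp']:6.2f}cp  {comm}")
    print("superuser from a tty:", superuser_from_tty(recs))
```

Note that the accounting record stores only the first 16 bytes of the command name and no arguments or paths, so it tells you that su and a root shell ran from pts/0, not what the shell then touched; that is the gap the article's next section on syslog and program logs fills.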
Syslog facility
Syslog has been adopted by many logging functions and can be used in many protective measures: any program can record events through syslog. Syslog can record system events, write them to a file or a device, or send them to users. It can record local events, or events from another host over the network.
The syslog facility is based on two important files: the syslogd daemon (/usr/sbin/syslogd on most Linux systems) and its configuration file /etc/syslog.conf. Most syslog messages are written to the messages file (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. It also carries a facility and a priority level, which do not appear in the log itself.
Each syslog message is assigned one of the following facilities:
LOG_AUTH - the authentication system: login, su, getty, etc.
LOG_AUTHPRIV - same as LOG_AUTH, but logged to a file readable only by selected users
LOG_CRON - the cron daemon
LOG_DAEMON - other system daemons, such as routed
LOG_FTP - File Transfer Protocol: ftpd, tftpd
LOG_KERN - messages generated by the kernel
LOG_LPR - the printer spooling system: lpr, lpd
LOG_MAIL - the electronic mail system
LOG_NEWS - the network news system
LOG_SYSLOG - internal messages generated by syslogd(8)
LOG_USER - messages generated by arbitrary user processes
LOG_UUCP - the UUCP subsystem
LOG_LOCAL0 to LOG_LOCAL7 - reserved for local use
Syslog assigns each event one of the following priorities:
LOG_EMERG - an emergency condition
LOG_ALERT - a condition that should be corrected immediately, such as a corrupted system database
LOG_CRIT - a critical condition, such as a hard disk error
LOG_ERR - an error
LOG_WARNING - a warning
LOG_NOTICE - not an error, but a condition that may need handling
LOG_INFO - an informational message
LOG_DEBUG - debugging information, normally used only while debugging a program
The syslog.conf file tells syslogd how to log; syslogd reads the configuration file at startup. The file consists of single-line entries, classified by program or message type, one per line. Each entry has a selector field and an action field, separated by TABs: the selector gives the facility and priority of the messages to match, and the action says what syslogd does when a message matches. Each selector consists of a facility and a priority. When a priority is given, syslogd records messages of that priority or higher, so if you specify crit, messages marked crit, alert and emerg are all recorded. The action field says where a message goes once it has been selected. For example, to record all mail messages in one file:
#Log all the mail messages in one place
mail.*                                  /var/log/maillog
Other facilities have their own logs too. The uucp and news facilities can generate many external messages; these can be saved in their own log (/var/log/spooler), limited to level crit or higher. For example:
# Save uucp and news errors of level crit and higher in a special file.
uucp,news.crit                          /var/log/spooler
When an emergency occurs, you may want every user to receive the message. You may also want another log host to receive and store it:
#Everybody gets emergency messages, plus log them on another machine
*.emerg                                 *
*.emerg                                 @linuxaid.com.cn
Alert messages should be written to the personal accounts of root and tiger:
#Root and tiger get alert and higher messages
*.alert                                 root,tiger
Sometimes syslogd produces a great deal of output. The kernel (the kern facility), for example, can be very verbose. You might want to log kernel messages to /dev/console; in the following example the kernel logging line is commented out:
#Log all kernel messages to the console
#Logging much else clutters up the screen
#kern.*                                 /dev/console
All facilities can be named on a single line. The following example sends every message of level info or higher to /var/log/messages, except mail messages. The level none disables a facility:
#Log anything (except mail) of level info or higher.
#Don't log private authentication messages!
*.info;mail.none;authpriv.none          /var/log/messages
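The "priority or higher" rule, the ; and , separators and the none level interact in ways that are easy to misread, and a selector that looks complete can still leave a facility unlogged. The following added example (not code from the original article) implements the classic sysklogd selector semantics described above and evaluates them against a configuration assembled from this article's fragments: given a (facility, priority), it lists every action the message reaches, and it enumerates the (facility, priority) pairs that no rule records at all, which is where an intruder's activity would leave no trace. The authpriv line added to the sample config and the alias table are assumptions; the = and ! selector modifiers of newer sysklogd versions are not handled.

```python
"""Resolve which syslog.conf actions a message reaches.

Added example, not part of the original article.  Implements the classic
sysklogd selector rules: facility.priority means that priority and higher,
';' joins selectors, ',' joins facilities, '*' matches everything and
'none' cancels a facility.  The '=' and '!' modifiers are not handled.
The sample config is built from this article's fragments; the authpriv
line and the log host name are assumptions.
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# ascending severity, debug lowest and emerg highest
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg", "security": "auth"}


def parse_conf(text):
    """Return [(facility -> minimum priority index, or None for 'none'), action]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)      # tabs or spaces separate the fields
        table = {}
        for part in selector.split(";"):
            facs, pri = part.rsplit(".", 1)
            pri = ALIASES.get(pri, pri)
            if pri == "none":
                floor = None                        # cancels the facility
            elif pri == "*":
                floor = 0
            else:
                floor = PRIORITIES.index(pri)
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                table[ALIASES.get(fac, fac)] = floor  # later entries override earlier ones
        rules.append((table, action.strip()))
    return rules


def actions_for(rules, facility, priority):
    """Every action that receives a (facility, priority) message, in file order."""
    level = PRIORITIES.index(ALIASES.get(priority, priority))
    hits = []
    for table, action in rules:
        if facility in table and table[facility] is not None and level >= table[facility]:
            hits.append(action)
    return hits


def dropped_messages(rules):
    """(facility, priority) pairs that no rule records at all."""
    return {(f, p) for f in FACILITIES for p in PRIORITIES if not actions_for(rules, f, p)}


# Constructed from the fragments in the article; authpriv line is an assumption.
SAMPLE_CONF = """
#Log anything (except mail) of level info or higher.
#Don't log private authentication messages!
*.info;mail.none;authpriv.none          /var/log/messages
authpriv.*                              /var/log/secure
#Log all the mail messages in one place
mail.*                                  /var/log/maillog
uucp,news.crit                          /var/log/spooler
#Everybody gets emergency messages, plus log them on another machine
*.emerg                                 *
*.emerg                                 @linuxaid.com.cn
*.alert                                 root,tiger
#kern.*                                 /dev/console
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("mail", "info"), ("authpriv", "notice"), ("news", "crit"), ("kern", "emerg")]:
        print(f"{fac}.{pri:<7} -> {actions_for(rules, fac, pri)}")
    print("unlogged pairs:", len(dropped_messages(rules)), "e.g.", sorted(dropped_messages(rules))[:3])
```

With the sample configuration, every facility except mail and authpriv silently drops its debug messages, and the kernel line being commented out makes no difference because *.info already covers kern; running dropped_messages against a production syslog.conf is a quick way to see which facility and level an attacker could use without being recorded.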
In some cases you can send the log to a printer, so that an intruder who breaks into the server cannot alter the record; the printout is a permanent hard copy. The syslog facility is a prime target for attackers. A system that keeps the logs of other hosts is particularly exposed to attacks on that server, so pay special attention to it.
There is a small command, logger, which provides a shell command interface to the syslog(3) system log module, so that entries can be added to the log from the command line. Usage: logger message; for example: logger this is a test!
It produces a syslog record like the following: Aug 19 22:22:34 tiger: this is a test!
Note: do not trust the logs completely, because an attacker can easily modify them.
5. Program logs
Many programs help reflect the system's security by keeping their own logs. The su command lets a user obtain another user's privileges, so it is very important; its log file is sulog. There is also sudolog. Also consider that Apache keeps two logs: access_log and error_log.
6. Other log tools
chklastlog
ftp://coast.cs.purdue.edu/pub/tools/unix/chklastlog/
chkwtmp
ftp://coast.cs.purdue.edu/pub/tools/unix/chkwtmp/
dump_lastlog
ftp://coast.cs.purdue.edu/pub/tools/unix/dump_lastlog.z
spar
ftp://coast.cs.purdue.edu/pub/tools/unix/tamu/
swatch
http://www.lomar.org/komar/alek/pres/swatch/cover.html
zap
ftp://coast.cs.purdue.edu/pub/tools/unix/zap.tar.gz
Log classification method
http://csrc.nist.gov/nissc/1998/proceedings/paperd1.pdf