Assignment for Week 6: Logging, Monitoring, Advanced Security

Description

UNIX systems have many methods for logging information about system events, and features for access control and system monitoring. This assignment will familiarize you with some of these methods.

What you need to do

  1. Make sure syslogd is running on your system, and become familiar with its configuration file (typically /etc/syslog.conf). Determine which files it logs to, and read over those logs to become familiar with the information they contain. You may need to modify syslog.conf to ensure that it logs information you will be asked to examine for this assignment.
  2. Make sure you have TCP wrappers or other domain- or IP address-based access control methods on your system. If your system uses the traditional inetd then you should also have TCP wrappers (usually /usr/sbin/tcpd) and you should use it to wrap all appropriate services in /etc/inetd.conf (some services, particularly RPC, cannot be usefully wrapped), with access control entries in /etc/hosts.allow and /etc/hosts.deny. If your system uses xinetd, then similar access control should be built into it and can be configured for services in /etc/xinetd.d/* using the only_from and no_access directives. Some other services that are not managed via (x)inetd, such as Sendmail and ssh, can have TCP wrappers support built into them (linked against libwrap) and will use access control entries in /etc/hosts.allow and /etc/hosts.deny as well as other access control methods in their own configurations. Note that a standalone daemon without libwrap support is not protected by hosts.allow and hosts.deny at all, so check each service rather than assuming the rules apply system-wide.
  3. Determine where your log information is going and test that it is working by connecting to a service and noting whether appropriate log information is generated. Also try limiting access to a service (permit or deny access from specific IP addresses or networks) and test this by trying to access the service from both permitted and denied locations.
  4. Figure out how your system records login information. In particular, find information about failed logins and su attempts (both successes and failures). On most systems these are sent to the auth (or authpriv) syslog facility; successful logins are also recorded in wtmp (see last(1)), and on Linux failed logins may be recorded in btmp (see lastb(1)) rather than in the syslog files. Again, you may need to change your system configuration to enable the appropriate logging.
  5. Write a shell script that extracts information on recent login successes and failures and su successes and failures from your logs and mails this information to the people in your group. Ideally, this should extract information about the previous day's worth of login and su attempts and run from cron once a day.
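
The following script is an added example for step 2 and is not part of this assignment page. It audits an inetd.conf for services that are started without tcpd (skipping internal and RPC entries, which tcpd cannot usefully wrap) and stages a hosts.allow/hosts.deny pair in a scratch directory so the rules can be checked with tcpdmatch before they are copied into /etc. The inetd.conf contents, the 192.168.1.0/24 network and the daemon names are constructed placeholders; adjust them to your own system.

```shell
#!/bin/sh
# Added example (not from the original assignment): audit an inetd.conf for
# services started without tcpd, and stage hosts.allow/hosts.deny rules in a
# scratch directory so they can be checked with tcpdmatch before touching /etc.
set -u

# Print the service name of every inetd.conf entry whose server is not tcpd.
# Skipped: comments, blank lines, "internal" services, and RPC entries
# (proto rpc/tcp or rpc/udp), which tcpd cannot usefully wrap.
unwrapped_inetd_services() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        $3 ~ /^rpc\// || $6 == "internal" { next }
        $6 !~ /(^|\/)tcpd$/ { print $1 }
    ' "$1"
}

# Constructed sample inetd.conf (not a real file): ftp is started directly,
# telnet and finger go through tcpd, echo is internal, rstatd is RPC.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# service   socket  proto    wait    user    server                args
ftp         stream  tcp      nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet      stream  tcp      nowait  root    /usr/sbin/tcpd        in.telnetd
finger      stream  tcp      nowait  nobody  /usr/sbin/tcpd        in.fingerd
echo        stream  tcp      nowait  root    internal
rstatd/1-3  dgram   rpc/udp  wait    root    /usr/sbin/rpc.rstatd  rpc.rstatd
EOF
}

# Stage wrapper rules in directory $1. Daemon names in hosts.allow are the
# server program's basename (in.telnetd), not the inetd service name (telnet).
# Assumed policy: the local /24 and localhost may reach these daemons,
# everything else is denied by the catch-all in hosts.deny.
write_wrapper_rules() {
    cat > "$1/hosts.allow" <<'EOF'
sshd, in.telnetd, in.ftpd: 192.168.1.0/255.255.255.0, 127.0.0.1
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

conf=$(mktemp); write_sample_inetd_conf "$conf"
echo "inetd services not wrapped by tcpd:"
unwrapped_inetd_services "$conf"
rm -f "$conf"

rules=$(mktemp -d); write_wrapper_rules "$rules"
# tcpdmatch -d reads hosts.allow/hosts.deny from the current directory, so the
# staged rules can be tested before deployment (skipped if tcpdmatch is absent).
if command -v tcpdmatch >/dev/null 2>&1; then
    ( cd "$rules" && tcpdmatch -d in.telnetd 192.168.1.5; tcpdmatch -d in.telnetd 10.0.0.9 )
fi
rm -rf "$rules"
```

Run it against your real file with `unwrapped_inetd_services /etc/inetd.conf`; anything it prints is a service that hosts.allow and hosts.deny will never see. The tcpdmatch calls show one address that should be accepted and one that should be refused, which is exactly the pair of log lines step 3 asks you to produce.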

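The script below is an added example for step 5 and is not the assignment's own solution. It pulls the previous day's login and su successes and failures out of a syslog-format auth log, prints a one-line summary followed by the raw lines, and mails the result; when the real log is not readable it runs against a constructed sample so you can see the output offline. The log path, the recipient list, and the sshd/su message formats (OpenSSH, shadow su and pam_unix as seen on Linux) are assumptions; other systems word these messages differently, so extend the patterns to match what your own logs contain.

```shell
#!/bin/sh
# Added example (not part of the original assignment): daily login/su report.
# Assumptions: a syslog-format auth log, GNU or BSD date, a local mail(1),
# and the Linux sshd/su/pam_unix message formats shown in the sample below.
set -u

RECIPIENTS="${RECIPIENTS:-alice bob carol}"   # placeholder group members
AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"     # assumed path; check syslog.conf

# Login and su events. Formats vary by OS; extend this for your own logs.
AUTH_PATTERN='sshd\[[0-9]+\]: (Accepted|Failed|Invalid user) |(^| )su(\[[0-9]+\])?: |login\[[0-9]+\]: '

# Syslog day prefix for yesterday, e.g. "Aug  3" (%e is space padded like
# syslog; syslog timestamps carry no year, so this is the only handle we have).
yesterday_prefix() {
    date -d yesterday '+%b %e' 2>/dev/null || date -v-1d '+%b %e'
}

# Print login/su lines for one day prefix. Exit status 1 means no events.
auth_events_for_day() {
    _log=$1; _day=$2
    grep -E "^$_day " "$_log" | grep -E "$AUTH_PATTERN"
}

# Constructed sample log (not real data) used when AUTH_LOG is unreadable.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Aug  2 23:59:59 host sshd[1100]: Accepted publickey for carol from 192.168.1.7 port 5000 ssh2
Aug  3 08:12:01 host sshd[1234]: Accepted password for alice from 192.168.1.5 port 51234 ssh2
Aug  3 08:15:42 host sshd[1240]: Failed password for bob from 10.0.0.9 port 4321 ssh2
Aug  3 09:00:10 host su: (to root) alice on /dev/pts/0
Aug  3 09:01:33 host su: FAILED su for root by bob
Aug  3 09:02:00 host su[2222]: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=root
Aug  3 10:00:00 host cron[300]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Report: header, per-category counts, then the raw log lines for the day.
build_report() {
    _log=$1; _day=$2
    _events=$(auth_events_for_day "$_log" "$_day") || _events=''
    printf 'Login/su activity on %s (%s)\n\n' "$_day" "$_log"
    printf '%s\n' "$_events" | awk '
        /sshd\[[0-9]+\]: Accepted/                          { lok++ }
        /sshd\[[0-9]+\]: (Failed|Invalid user)/             { lfail++ }
        /su(\[[0-9]+\])?: \(to /                            { sok++ }
        /FAILED su|su\[[0-9]+\]: .*authentication failure/  { sfail++ }
        END { printf "login ok: %d  login failed: %d  su ok: %d  su failed: %d\n\n",
                     lok, lfail, sok, sfail }'
    printf '%s\n' "$_events"
}

day=$(yesterday_prefix)
if [ -r "$AUTH_LOG" ]; then
    log=$AUTH_LOG
else
    log=$(mktemp); write_sample_auth_log "$log"; day='Aug  3'   # offline demo
fi
report=$(build_report "$log" "$day")
# Mail only when reporting on the real log; the demo just prints.
if [ "$log" = "$AUTH_LOG" ] && command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$report" | mail -s "Login/su report for $day" $RECIPIENTS  # unquoted: one arg per user
else
    printf '%s\n' "$report"
fi
[ "$log" = "$AUTH_LOG" ] || rm -f "$log"
```

To run it once a day from cron, install it somewhere readable only by root (it must read the auth log) and add a crontab entry such as `5 0 * * * /usr/local/sbin/auth-report.sh`. Counting on the "Mon dd" prefix means the script must run after midnight; a run scheduled before midnight would report the current day's partial log instead.
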
What to turn in

Please follow the assignment submission guidelines when turning in material.

  1. Show me specific log entries for the following events on your system:
    1. Mail sent from your system
    2. Mail sent to your system
    3. Successful user login
    4. Failed user login
    5. Successful su to root
    6. Failed su to root
    7. TCP wrapper accepted connection
    8. TCP wrapper refusal of connection
  2. The script you wrote to mail yourselves login and su log entries.
  3. Output from your script showing at least one login success, login failure, su success, and su failure (note that output from this script will not count towards the eight log-related items above).

All of the above may be turned in by email on Monday, August 4.

Each group member should also email to me separately their estimate of the percentage of the total work each group member (including themselves) contributed to this assignment, looking something like:

Alice: 40%
Bob: 30%
Carol: 30%

Evaluation

My evaluation of this assignment will be based on whether you can produce all the requested log information on your system.

Note that in some cases there are multiple log lines associated with an event, particularly involving Sendmail's logging of mail events; send all log lines associated with a particular event.

Don't send me entire log files -- I want you to demonstrate that you can identify specific events in the logs, so send me extracted lines relating only to specific events.


Steve VanDevender
Last modified: Thu May 1 17:13:56 PDT 2008