Project: Linux Howtos

Intrusion Detection Systems, Part IV: Logcheck

By Trevor Warren <trevor@freeos.com>
Posted: ( 2001-02-12 11:26:06 EST by )
The last in this four part series on IDS, looks at Logcheck: a software package that is designed to automatically run and check system log files for security violations and unusual activity.

If a man can write a better book,
preach a better sermon,
or make a better mouse trap than his neighbor,
though he builds his house in the woods,
the world would eventually make a beaten path to this door.
- Emerson

In the last three articles in this series, we looked at the concept of an Intrusion Detection System (IDS) and its implementation on your network. We discussed some of the top-notch tools like Tripwire and Snort, that you could use as your Swiss army knife in detecting intrusions into your network.

But position yourself in this scenario: you have a tough security framework in place scanning almost every packet that tries to get into your network, you even have some of the most sophisticated Intrusion Detection Systems implemented for your whole network. However, you erred on the permissions of your log files and never bother to monitor the logs until you have been hit very hard. Of course, the well known distributions, work in a way such that they have certain scripts running in cron, which from time to time, tars the logs and back them up, so file permissions aren?t anything you should worry about. You should also make sure that no one apart from root, has write access to the logs.

The first thing any intruder would do is to wipe out any tell tale signs of intrusions. This task would be of high priority to the cracker, so that there are no fingerprints to follow up on, or no other leads that would eventually lead to disclosing the origin of the attack. Therefore, a good system administrator will always implement a log file monitor. There are various tools out there, which will help you get this task done, among them being Logcheck and Swatch. In this article we take a look the working and implementation of Logcheck. The author of Logcheck is Craig H. Rowland. As with most of the other Open Source projects, this too is distributed under the GNU GPL license.

Logcheck is a software package that is designed to automatically run and check system log files for security violations and unusual activity. Logcheck uses a program called logtail that remembers the last position it read from in a log file and will use this position on subsequent runs to process new information. All source code is available for review and the implementation has been kept simple to avoid problems. This package is a clone of the frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm) firewall package.
Auditing and logging on any system is of great significance as it makes sure that a serious breach of any kind is always tracked. What is great about Unix is that most modern implementations, use the syslog facility to report extensively--if configured and supported correctly-- all happenings, good or bad on the host system. This allows the creation of an audit trail that can be used very effectively to subvert potential attacks and alert system administrators. However, all this is of no use if the system administrator has no time to look at the logs. One reason for this is the very nature and quantity of logging happening on a machine. We have known Systems Administrators complaining about daily logs on machines, running to the tune of more than 10 - 20 Megs?hardly an enviable task. This is where logcheck will help. Logcheck automates the auditing process and weeds out normal log information, to give you a condensed look at problems and potential troublemakers mailed to wherever you please.

How Logcheck works

The logcheck shell script and logtail.c programs have been written from scratch and are implemented in a manner, which allow two methods of log file auditing:

1) By reporting everything, you tell it to specifically look for via keywords.
2) By reporting everything, you did not tell it to ignore, via keywords.

This ensures that important messages are specifically brought to your attention (via the keywords you look for) and that important messages that you may have overlooked are also reported (by only ignoring items you tell it to). The original frequentcheck.sh script was implemented in a somewhat similar manner. The keywords that we are talking about here are the keywords that on occurrence in the logs, would trigger an alert to the system administrator. The logcheck configuration files come with some of the default keyword entries common to most of the *nix system logs out there. However, we warn you, as the author does, it is up to you as the system administrator, to see that the appropriate keywords are entered in the configuration files to tune up Logcheck for your installation.

The logcheck script is a simple shell-programming model and the logtail.c program uses basic ANSI C compatible functions. The logcheck script should be run at least hourly on your hosts from the cron daemon. This script will check files for unusual activity by scanning the logs using simple grep commands and will mail all findings (if any) to the administrator. If nothing is found you will receive no mail.

Logcheck Installation and Configuration

You can download Logcheck from http://www.psionic.com and go for the download URL. Get the latest sources. At the time of writing the article, Logcheck was in version 1.1.1. A point to be noted out here; while you can download Logcheck as a non root user, you would have to login as root while installing as Logcheck prefers to install its scripts, binaries and other configuration files to directories owned by root.

Step 1: Untarring the sources

Untarring the sources is the first step towards installing the package. Use the following command to untar the sources

bash# tar -xvzf logcheck-1.1.1.tar.gz

This will untar the sources amd scripts into a directory called logcheck-1.1.1. CD into the directory and read the following files.

trevor@freeos.com:~/logcheck-1.1.1> less README
trevor@freeos.com:~/logcheck-1.1.1> less README. How to interpret
trevor@freeos.com:~/logcheck-1.1.1> less INSTALL

Basic Configuration before Installing

We had mentioned the Syslog daemon earlier in this article which is used by most of the *nix systems to track and maintain logging events. On a Linux box, this daemon is configured through the /etc/syslog.conf file. You need to login as root to access this file. Depending on the Linux distribution you use, your Syslog configuration file entries would vary. Illustrated below is our Syslog configuration file that we have tweaked a bit for our convenience. Explaining the /etc/syslog.conf entries is not in the scope of this article but we try to pointers towards understanding the entries better.

trevor@freeos.com:~/logcheck-1.1.1> vim syslog.conf

This is our Syslog.conf file as illustrated below [snipped part of /etc/syslog.conf]:
#
# Warnings in one file
#
*.=warn;*.=err -/var/log/warn
*.crit /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages
# Added by Trevor on 28th October
# Monitor authentication attempts
auth.*;authpriv.* /var/log/authlog
# Monitor all kernel messages
kern.* /var/log/kernlog
# Monitor all warning and error messages
*.warn;*.err /var/log/syslog
/etc/syslog.conf line 26/60 (END)

Note the last four files as we have mentioned above at the end of the configuration file namely,
/var/log/messages
/var/log/authlog
/var/log/kernlog
/var/log/syslog

These are the files that Logcheck should monitor consistently for any untoward incidents on a system. Assuming Logcheck is running through the Cron daemon every 5 minutes, we would then have Logcheck parse all the log files important to us and mail us incident reports if there are any.

CD into the directory logcheck-1.1.1/systems/linux and edit the file llogcheck.sh in your favorite text editor. The default configuration of Logcheck only generates alerts for the files as mentioned below. In addition, as you can see, it has been tailored for an out of the box Red Hat installation. So all you Red Hat guys, have almost no tweaking to do. Others please tweak the script to monitor the log files as per the your severity rating.

Here is part of our ~/logcheck-1.1.1/systems/linux/logcheck.sh script,

# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!
# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

which monitors the files /var/log/messages, /var/log/secure and /var/log/maillog. So, make the changes to reflect the logs you would want to monitor.

Having made the appropriate changes to your configuration file, have a look at the Configuration Section at the start of the llogcheck.sh file. It consists of paths to all the installation directories and the paths to place the binaries in. Under normal circumstances, you would not have to edit any of the settings for most of the Linux distributions around. We would suggest that you have a look at the settings but leave it alone.

Various Configuration Files

We now look at the various Logcheck configuration files. The description of each configuration file has been obtained from the documentation downloaded along with Logcheck.

logcheck.sh -- The main script. This file controls all processing and looks at log files with simple grep commands. This file is executed on a timed basis from cron and reports findings to the sysadmin.

logtail -- A custom executable that remembers the last position of a text file. This program is used by

logcheck-- to parse out information from the last time the log was opened, this prevents reviewing old material twice. All log files will be processed with this program and will have a file named #########.offset put in the same directory, where ####### is the name of the log file checked. This file contains the decimal offset information for logtail to work. If you delete it, logtail will parse the file from the beginning again. Logcheck tracks the size and inode of log files to enable it to tell when a log file has been rotated. If the inode of the log changes, or the file size is smaller than the last run, logtail will reset the counter and parse the entire file.

logcheck.hacking -- This file contains keywords that are certifiable attacks on your system. We leave this file sparse, unless I know what a certain pattern of attack looks like (The default keywords are usually generated by Internet Security Scanner attacks, or Sendmail if it is being fed illegal syntax in address lines). Any keyword in a log file that matches here will generate a report with a more obnoxious header to grab your attention faster: eg. ACTIVE SYSTEM ATTACK

logcheck.violations -- This file contains keywords of system events that are usually seen as negative. Words such as denied,, refused,, etc. Positive words such as successes are also put in here. This file is of course not all-inclusive and is heavily biased towards FWTK messages and BSDish messages with TCP wrappers installed. Violations here are reported under the heading Security Violations, in the reports.

logcheck.violations.ignore -- This file contains words that are reverse searched against the logcheck.violations file.

Make and Make Install

This brings us to the last part of the Installation and configuration procedure. su as root and run the following commands in the logcheck directory

trevor@freeos.com:~/logcheck-1.1.1>make linux
trevor@freeos.com:~/logcheck-1.1.1>make install

All the scripts and configuration files are installed to /usr/local/etc. Having installed the binaries and logcheck scripts to the respective directories we have come to the fag end of this article. What remains now is for you to ensure that Logcheck runs at regular intervals. And who does this better than CRON? So make the appropriate entries into your /etc/crontab file.

#15 Minute check (Linux Slackware Systems /var/spool/cron/crontabs/root):
00,15,30,45 * * * * /usr/local/etc/logcheck.sh

At every 15-minute interval, Logcheck will read the freshly appended part of your log files and grep it for any intrusions as per the keywords that it is looking out for. In case of any alerts, Logcheck immediately composes a mail to root (root@localhost) with a complete report of the findings. So, make sure your internal SMTP service is running file.

This brings to an end of our four part series on Intrusion Detection Systems and their implementation. Do send us your valuable comments, which will help us deliver better content to you.

Laws are dumb in the midst of arms - Cicero

Intrusion Detection Systems for your network: Part I
Intrusion Detection Systems: Part II - Installing Tripwire
Intrusion Detection System Part 3: Snort

Other articles by Trevor Warren

Current Rating: [ 7.38 / 10 ] Number of Times Rated: [ 29 ]

Contents Articles   Howtos   Interviews   News   Opinions   Reviews Comparison Links   Articles   Howtos   Interviews   Opinions   Reviews   Websites News

Linux About Linux

Print It! Printer Friendly Version