Lecture 16: UNIX Forensics - PowerPoint PPT Presentation

Provided by: ron66
Slides: 31

Transcript and Presenter's Notes

1
Lecture 16 UNIX Forensics
  • 6/26/2003
  • CSCE 590
  • Summer 2003

2
Syslog
  • A standard system logging facility
  • Unix, Windows, routers, switches, blenders, etc
  • On UNIX, configuration in /etc/syslog.conf
  • Daemon called syslogd
  • Can syslog over the network to a dedicated syslog
    server
  • Targeted by intruders

3
Syslog.conf
  • Which messages are sent to which logs
  • Each line contains
  • Facility field: the subsystem that produces the
    log message
  • auth (security), authpriv, cron, daemon, kern,
    lpr, mail, ftp, news, syslog, user, uucp,
    local0-local7
  • Priority field: severity of the message (8 levels)
  • debug, info, notice, warning, err, crit, alert,
    emerg
  • Action field: name of a log file, or the IP
    address/name of a remote syslog server

4
Syslog Priority Field
  • Debug - all occurrences, everything
  • Info - usual occurrences (like FYIs)
  • Notice - unusual occurrences, investigate
  • Warning - warning messages
  • Err - other error conditions
  • Crit - critical condition or failure
  • Alert - urgent situation
  • Emerg (panic) - panic situation (warp core breach)

5
Programmers interface
  • #include <syslog.h>
  • void openlog(const char *ident, int option,
    int facility)
  • Opens a connection to the system logger for a
    program
  • void syslog(int priority, const char *format,
    ...)
  • Generates a log message to be distributed by
    syslogd
  • void closelog(void)
  • Closes the descriptor to the system logger for a
    program

6
Sample syslog.conf
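
The sample file from slide 6 is not reproduced in this transcript. What follows is an added example, not the lecture's own material: a constructed syslog.conf in the selector/action layout of slides 3 and 4, plus a small shell parser that answers the question an investigator asks first about a compromised host, namely which messages were also copied to a remote loghost and therefore survive tampering with the local files. Every rule and the host name loghost.example.internal are made up for the example.

```sh
#!/bin/sh
# Added example: parse a syslog.conf-style file and report which messages
# are copied to a remote syslog server. SAMPLE_SYSLOG_CONF is constructed
# for this example; it is not the lecture's sample configuration.

SAMPLE_SYSLOG_CONF='# constructed sample syslog.conf
# selector(s)                              action
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
kern.crit                                  @loghost.example.internal
auth,authpriv.*                            @loghost.example.internal'

# Emit "selector<TAB>action" for every rule, dropping comments and blanks.
syslog_rules() {
    printf '%s\n' "$SAMPLE_SYSLOG_CONF" |
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        awk '{ printf "%s\t%s\n", $1, $2 }'
}

# Remote hosts (actions starting with @) that receive any message at all.
remote_log_hosts() {
    syslog_rules | awk -F'\t' '$2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' | sort -u
}

# Exit 0 if a message from facility $1 at priority $2 is sent to a remote
# host. Handles "*" facilities, "fac1,fac2.prio" lists, ".none" exclusions
# and the rule that "fac.prio" matches prio and every higher severity.
# The "=prio" and "!prio" selector forms are not handled.
reaches_remote() {
    syslog_rules | awk -F'\t' -v fac="$1" -v prio="$2" '
    BEGIN {
        n = split("debug info notice warning err crit alert emerg", lv, " ")
        for (i = 1; i <= n; i++) rank[lv[i]] = i
    }
    $2 ~ /^@/ {
        hit = 0
        m = split($1, sel, ";")
        for (i = 1; i <= m; i++) {              # left to right, like syslogd
            split(sel[i], fp, ".")
            k = split(fp[1], facs, ",")
            for (j = 1; j <= k; j++) {
                if (facs[j] != "*" && facs[j] != fac) continue
                if (fp[2] == "none") hit = 0
                else if (fp[2] == "*" || rank[prio] >= rank[fp[2]]) hit = 1
            }
        }
        if (hit) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

echo "remote syslog hosts:"; remote_log_hosts
for probe in "kern crit" "kern warning" "auth info" "mail err"; do
    set -- $probe
    if reaches_remote "$1" "$2"; then echo "$1.$2 -> remote copy exists"
    else echo "$1.$2 -> local only"; fi
done
```

On a real system, replace SAMPLE_SYSLOG_CONF with the contents of /etc/syslog.conf; if nothing is shipped off-host, the local logs are the only record and the intruder who gained root could have edited them.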
7
Shell Histories
  • History of all commands you type
  • In each user's home directory
  • .history
  • .bash_history
  • .sh_history
  • .ksh_history
  • Commonly targeted by intruders
  • Delete it, recreate it as a directory
  • Delete it, link it to /dev/null (the bit bucket)
  • Just turn off the history function in your shell
    and delete it

8
The grep Family
  • grep - search for a string in a file
  • bzgrep - in a bzip2 compressed file
  • zgrep - search possibly compressed files
  • zipgrep - search files in a ZIP archive
  • grepjar - search files in a jar file for a
    pattern
  • fgrep - search for fixed strings read from a
    given file, one pattern per line
  • bzfgrep - in a bzip2 compressed file
  • egrep - search using extended regular expressions
  • bzegrep - in a bzip2 compressed file

9
grep Options
  • -r - recurse into directories
  • -i - case insensitive
  • -a - treat binary files as text (kind of like
    piping through strings)
  • -v - invert the match: lines NOT containing this
    string

10
find
  • grep looks inside files; find searches the other
    attributes of files (metadata)
  • File name, including regular expressions, case
    insensitive
  • Time periods for MAC times (modify, access,
    change)
  • Belongs to a GID or group name
  • Belongs to a UID or user name
  • -nouser and -nogroup: no user or group is defined
    for the file's UID or GID

11
find
  • Is on file system of type xxxx
  • Has a particular inode number
  • Has a particular number of links to it
  • Is a symbolic link
  • Search on permission bits
  • File size
  • File type

12
find Actions
  • -print - print what you find
  • -printf
  • -exec xxx - execute the xxx command on a hit
  • -ls - list it in ls -dils format
  • Much more stuff! Good man page to read.

13
Hiding in the File System
  • Hide in a rarely visited or busy directory
  • /dev
  • Look for regular files; there shouldn't be too many
  • Font directories
  • OS source code directories
  • Man page directories
  • Creative naming
  • .
  • ..

14
Hiding in the File System
  • Slack space
  • Deleted files
  • Unlinked open files
  • Trojaned system files
  • Decoy file system mounts
  • Mount a file system over existing data in a
    current file system
  • Existing data becomes hidden; could hide an
    executable being run or a file being written to
  • df may show a lot more space used in a file
    system than you can account for with du

15
Checking RPMs
  • RPMs are application packages (Linux)
  • Compares info about files in an installed package
    with info stored about them in the RPM database
  • Simple integrity check
  • for i in $(rpm -qa); do rpm -V $i; done
  • Error prone and can be subverted
  • Catches less skilled intruders

16
Output of Verify RPMs
  • S - file Size differs
  • M - Mode differs, includes permissions, file type
  • 5 - MD5 sum differs
  • D - Device major/minor number mis-match
  • L - readlink(2) path mis-match
  • U - User ownership differs
  • G - Group ownership differs
  • T - mtime differs
  • c - configuration file (expected to change)

17
Rpm Verify Example
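
As an added example (not the lecture's), here is a shell triage of rpm -V output in the 8-column format of slide 16. The lines in SAMPLE_RPM_VERIFY are constructed to look like verifier output and are not real; the HIGH/MEDIUM/LOW levels are this example's own convention, and verify_all_packages is the slide 15 loop written out correctly (it needs a real RPM system and is not called here).

```sh
#!/bin/sh
# Added example (not from the lecture): triage `rpm -V` output. Each line is
# eight attribute columns in the order S M 5 D L U G T ('.' = unchanged),
# an optional file-type flag such as 'c' (config file), then the path.
# SAMPLE_RPM_VERIFY is constructed to look like that output; it is not real.

SAMPLE_RPM_VERIFY='S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/doc/foo/README
S.5....T   /bin/ls
.M......   /usr/bin/passwd
....L...   /etc/localtime
missing    /usr/sbin/sshd
...D....   /dev/null'

# The loop from slide 15, written out; `rpm -Va` does the same in one call.
verify_all_packages() {
    for i in $(rpm -qa); do rpm -V "$i"; done
}

# Read verifier lines on stdin, print "LEVEL path: changed attributes".
#   LOW    only mtime changed on a non-config file (touch, prelink, ...)
#   MEDIUM a config file changed (expected on most systems)
#   HIGH   size/checksum/mode/owner/link/device changed, or file missing
triage_rpm_verify() {
    awk '
    BEGIN {
        desc["S"] = "size";   desc["M"] = "mode";  desc["5"] = "md5"
        desc["D"] = "device"; desc["L"] = "symlink"
        desc["U"] = "user";   desc["G"] = "group"; desc["T"] = "mtime"
    }
    $1 == "missing" { print "HIGH " $NF ": file missing"; next }
    {
        flags = $1
        ftype = (NF == 3) ? $2 : ""
        path  = $NF
        reasons = ""
        for (i = 1; i <= length(flags); i++) {
            ch = substr(flags, i, 1)
            if (ch != ".") reasons = reasons (reasons == "" ? "" : ",") desc[ch]
        }
        if (reasons == "mtime")  level = "LOW"
        else if (ftype == "c")   level = "MEDIUM"
        else                     level = "HIGH"
        print level " " path ": " reasons
    }'
}

# Only the findings worth a closer look (compare against known-good media).
rpm_verify_findings() { triage_rpm_verify | grep '^HIGH'; }

printf '%s\n' "$SAMPLE_RPM_VERIFY" | triage_rpm_verify
```

Remember the slide's caveat: rpm itself, the RPM database and the MD5 sums it compares against all live on the suspect disk, so a root-level intruder can make this check pass. Treat a clean result as "nothing obvious", not as proof.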
18
Inode Timelines
  • ls -lit | sort | more
  • List all inodes
  • Look for entries that seem out of place, very
    high or very low
  • If you find any out of place, look for other
    inodes around that number to find possible
    related files

19
Inode Timelines Example
20
Signals
  • Simple interprocess communications
  • One program sends a message to another
  • Pre-defined messages
  • 16 or 32 depending on platform
  • Some are useful for terminating a program
    gracefully
  • Might be able to freeze it in memory so as not to
    lose evidence

21
Useful Signals
  • HUP (1) - Hangup
  • INT (2) - Interrupt, stop running (<ctrl>C)
  • KILL (9) - Stop unconditionally and immediately
  • TERM (15) - Terminate gracefully if possible
  • STOP (17) - Stop unconditionally; continue
    with CONT
  • TSTP (18) - Stop executing, ready to continue
  • CONT (19) - Continue executing after STOP
    or TSTP
  • USR1 (30) - A user-defined signal

22
Startup and Shutdown Scripts
  • Usually found in /etc
  • Can be files like rc.local and rc.shutdown
  • Can be directories of scripts or links to scripts
    like rc0.d-rc6.d, rc.d, and init.d
  • The kernel boots and first loads
  • init - process control initialization
  • If init dies, the system reboots
  • Makes sure the system enters the correct run
    level (single user, multi-user, etc.)

23
BSD-Like RC Scripts
  • Simpler scripts
  • rc.conf - configuration variables for what to
    start, included in other startup scripts
  • rc - starts up a bunch of system services that
    must be run before securelevel changes
  • rc.securelevel - levels -1 through 2
  • rc.local - run next; local services, network,
    system daemons
  • rc.shutdown - clean-up commands when the system is
    going down
  • Ex. gracefully stopping a database

24
rc.securelevel
  • Run after the rc script
  • Level -1 - Permanently insecure
  • init can't raise securelevel, but sysctl can
  • Level 0 - Insecure mode
  • During bootstrapping, single user
  • all devices may be read/written subject to
    permissions
  • system file flags may be cleared

25
rc.securelevel
  • Level 1 - Secure mode (default multi-user)
  • Only init may lower securelevel
  • /dev/mem and /dev/kmem may not be written to
  • raw disk devices of mounted file systems are
    read-only
  • Can't remove the system immutable and append-only
    file flags
  • kernel modules may not be loaded or unloaded
  • Level 2 - Highly secure mode (Level 1 still
    applies)
  • raw disk devices are always read-only, mounted or
    not
  • settimeofday(2) may not set the time backwards
  • ipf(8) and ipnat(8) rules may not be altered
  • the ddb.console and ddb.panic sysctl(8) variables
    may not be raised (keeps people from using the
    in-kernel debugger ddb(4) to modify securelevel)

26
System V-ish RC Scripts
  • On a Solaris machine
  • 8 different run levels, 0-6 and s and S (same
    thing)
  • Default runlevel in /etc/inittab
  • Level s or S - single user state
  • Level 0 - firmware mode
  • Level 1 - sys admin mode, single user, all
    filesystems mounted, limited processes running
  • Level 2 - multi-user mode, all multiuser processes
    running

27
Init Levels (cont.)
  • Level 3 - extended multiuser mode, level 2 local
    resources are available over the network
  • Level 4 - usually not used, can be defined as an
    alternative multiuser environment
  • Level 5 - Shut the machine down, safe to power off
  • Level 6 - stop the OS and reboot to the default
    run level

28
Startup Scripts
  • There is a directory for each of the 0-6
    runlevels.
  • /etc/rc.d/rc0.d -> /etc/rc.d/rc0.d
  • Also /etc/rc.d/init.d
  • Contains the actual startup/shutdown scripts
  • These are shell scripts that take as arguments
  • start - start up the process
  • stop - stop the process
  • restart - sometimes a restart

29
Startup Scripts
  • Each of the rcX.d directories contains symbolic
    links to scripts in the init.d directory
  • The format of the link name determines the
    argument to the startup script and when it is
    started
  • K03nfs
  • run the script pointed to by this link with the
    stop option (K = Kill)
  • Run it third in the order of scripts
  • S75ntpd
  • run the script pointed to by this link with the
    start option (S = Start)
  • Run it 75th in the order of scripts
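
An added example, not the lecture's, that builds a constructed /etc/rc.d tree under a temporary directory, decodes link names the way slides 28 and 29 describe (K03nfs, S75ntpd), emulates the order in which init runs them, and audits the links for the pattern an investigator checks on a compromised host: a startup link pointing outside init.d, at a world-writable script, or at nothing. All service names, the S99updater link and the /opt/dropped/updater path are made up; readlink -f from GNU or busybox coreutils is assumed.

```sh
#!/bin/sh
# Added example (not from the lecture): decode System V rcX.d link names,
# emulate the order init runs them in, and audit the links. The rc tree is
# constructed under a temporary directory; every name in it is made up.
# readlink -f (GNU/busybox coreutils) is assumed.

make_rc_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/rc.d/init.d" "$root/etc/rc.d/rc3.d" "$root/opt/dropped"
    for svc in nfs ntpd sshd; do
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$root/etc/rc.d/init.d/$svc"
        chmod 755 "$root/etc/rc.d/init.d/$svc"
    done
    # a world-writable script outside init.d, wired in through a start link
    printf '#!/bin/sh\necho "updater $1"\n' > "$root/opt/dropped/updater"
    chmod 777 "$root/opt/dropped/updater"
    ln -s ../init.d/nfs  "$root/etc/rc.d/rc3.d/K03nfs"
    ln -s ../init.d/sshd "$root/etc/rc.d/rc3.d/S55sshd"
    ln -s ../init.d/ntpd "$root/etc/rc.d/rc3.d/S75ntpd"
    ln -s "$root/opt/dropped/updater" "$root/etc/rc.d/rc3.d/S99updater"
    printf '%s\n' "$root"
}

# K03nfs -> "stop 03 nfs", S75ntpd -> "start 75 ntpd"; other names print nothing.
decode_rc_link() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^K\([0-9][0-9]*\)\(.*\)$/stop \1 \2/p' \
        -e 's/^S\([0-9][0-9]*\)\(.*\)$/start \1 \2/p'
}

# What init will do for this runlevel: K links in numeric order with "stop",
# then S links in numeric order with "start" (the same glob order rc uses).
rc_plan() {    # $1 = rcX.d directory
    for link in "$1"/K* "$1"/S*; do
        [ -L "$link" ] || continue
        decode_rc_link "${link##*/}" | while read -r action order svc; do
            printf '%s %s %s -> %s\n' "$action" "$order" "$svc" "$(readlink "$link")"
        done
    done
}

# Actually run the scripts through the links with the decoded argument.
# `sh script` is used rather than executing directly so it works on noexec
# mounts; the kernel resolves the relative link targets for us.
rc_run() {
    for link in "$1"/K* "$1"/S*; do
        [ -L "$link" ] || continue
        case ${link##*/} in K*) arg=stop ;; *) arg=start ;; esac
        sh "$link" "$arg"
    done
}

# Audit: a startup link whose target is outside the sibling init.d directory,
# is world-writable, or is dangling is how a dropped script survives reboots.
rc_audit() {
    initd=$(cd "$1/../init.d" && pwd -P)
    for link in "$1"/[KS]*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        target=$(readlink -f "$link")
        if [ ! -e "$link" ]; then
            printf 'DANGLING: %s -> %s\n' "$name" "$(readlink "$link")"; continue
        fi
        case $target in
            "$initd"/*) ;;
            *) printf 'OUTSIDE init.d: %s -> %s\n' "$name" "$target" ;;
        esac
        [ -z "$(find "$target" -prune -perm -002)" ] ||
            printf 'WORLD-WRITABLE: %s -> %s\n' "$name" "$target"
    done
}

root=$(make_rc_tree)
echo "plan:";  rc_plan  "$root/etc/rc.d/rc3.d"
echo "run:";   rc_run   "$root/etc/rc.d/rc3.d"
echo "audit:"; rc_audit "$root/etc/rc.d/rc3.d"
rm -rf "$root"
```

Point rc_plan and rc_audit at each real rcX.d directory (and at rc.local) when reviewing a suspect system; the plan shows what runs at boot and with which argument, and the audit isolates the entries that do not belong to a package-installed init.d script.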

30
References
  • Chapters 11,12