SEC520/labs/Lab 8
Intrusion Detection
Introduction
- Students will learn how to routinely check a computer system's performance (reduced performance is one of the side-effects of a system intrusion). Students will specifically check log files in order to detect intrusion activity.
- Students will also configure the syslog file in Linux to inform the system administrator of any suspected intrusions that have occurred in their computer system.
- Students will also learn how to automate intrusion detection tasks by installing, configuring and running a common Intrusion Detection System (IDS) called Tripwire in order to flag and report suspected computer system intrusions.
Objectives
- Check the computer's performance for indications of computer system intrusion activity.
- Monitor log files (in Linux) to detect any suspected system intrusions.
- Configure the syslog file (in Linux) to notify the administrator of any suspected system intrusions.
- Install, configure and run the Tripwire open-source application to automatically flag and report suspected system intrusions.
Required Materials (Bring to All Labs)
- SATA Hard Disk (in removable disk tray).
- Lab Logbook (Lab8 Reference Sheet) (to make notes and observations).
Prerequisites
Online Tools and References
- Intrusion Discovery (Linux)
- Using Syslog Files (Linux)
- Tripwire Definition
- Download Tripwire
- Using Tripwire
Course Notes
Performing Lab 8
Task #1: Checking System Performance
Usually system administrators continually monitor their computer systems to check for reductions in system performance. These "monitoring checks" can be benchmark programs (or operating system commands) that measure system performance. Reduced system performance may be an indicator of an intrusion by a malicious hacker.
In this lab, we will issue several Linux commands to help monitor a Linux system's performance.
INSTRUCTIONS:
- Start your Kali Linux (host) system, and start your Hardened Linux VM.
- Switch to your Hardened Linux VM, and open a shell terminal.
- Issue the Linux command: uptime. Record the value for the load average of your Linux system. Research on the Internet to determine what load average for a Linux system means and what a higher load average may indicate. Record your findings in your lab log-book.
- Issue the Linux command: df -h and view the remaining amount of disk space. For detailed information regarding particular file sizes within a directory, you can use the du -h command. Which directories growing unusually large may indicate hacking, a worm or a virus on your Linux system? Record your findings in your lab log-book.
- How would you monitor the same measurements of system performance for a Windows system?
- Proceed to Task #2
Answer the Task #1 observations / questions in your lab log book.
Task #2: Checking Unusual Activity
Checking for unusual activity in a Linux system focuses on several key indicators:
- Unusual Running Processes
- Unusual Network Usage
- Unusual User Accounts
- Unusual Large Files
- Unusual Log Entries
In the next 2 sections, we will learn how to monitor these indicators to help identify a Linux system intrusion. In this section, use man pages or perform research on the Internet in order to understand how the following Linux commands can be used to detect system intrusion (or "suspicious activity").
INSTRUCTIONS:
- Issue the Linux command: chkconfig --list (or systemctl list-units --all on newer systems). List all the running services in your lab log-book.
- Issue the Linux commands:
ps aux | more
lsof | more
lsof -p PID
How does the information from this listing differ from the previous Linux command that you issued? What sort of services/processes might indicate a problem?
- Issue the following Linux commands:
netstat -nap
lsof -i
arp -a
What sort of network usage would indicate an intrusion problem?
- Issue the following Linux commands:
sort -nk3 -t: /etc/passwd | more
egrep ':0+:' /etc/passwd
What is the purpose of these commands, and how would you check the results for intrusion?
- Next, look for unusual files by using the following Linux commands:
find / -size +10000k -print
ls -a .*
lsof +L1
rpm -Va | sort
Write these commands in your lab log-book and give a brief purpose of how they can be used to interpret system intrusion.
- Proceed to Task #3
Answer the Task #2 observations / questions in your lab log book.
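As an added example (not part of the lab page), the following script shows a field-exact version of two of the Task #2 checks, run over constructed sample input so it works offline: the passwd-file check for extra UID-0 accounts, and a comparison of LISTEN sockets from netstat -nap output against a recorded baseline of expected ports. The uid0_accounts and unexpected_listeners functions, the allowed-port list and the sample data are all assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the lab page: two defender-side checks for the
# Task #2 indicators, run over constructed sample input so they work
# offline. On a live host replace the samples with /etc/passwd and the
# output of netstat -nap (or ss -lntp).

# uid0_accounts FILE: login names whose UID field (field 3) is exactly 0.
# Parsing the field avoids the false hit that egrep ':0+:' gives on a
# GID of 0 (field 4) for an otherwise ordinary account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# unexpected_listeners FILE ALLOWED_PORTS: LISTEN lines from netstat -nap
# output whose local port is not in the space-separated ALLOWED_PORTS
# baseline (the ports you recorded while the system was known good).
unexpected_listeners() {
    awk -v allowed=" $2 " '
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (index(allowed, " " port " ") == 0) print
        }' "$1"
}

# Constructed sample passwd: one extra UID-0 account (sysadm) and one
# account with GID 0 but a normal UID (operator), which must not be flagged.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_NETSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_NETSTAT"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
operator:x:1001:0:operator:/home/operator:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
EOF

# Constructed netstat -nap style output: sshd on 22 is in the baseline,
# the listener on 4444 is not; the ESTABLISHED line is ignored.
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2307/unknown
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 901/sshd
EOF

echo "UID-0 accounts:"; uid0_accounts "$SAMPLE_PASSWD"
echo "Listeners outside the baseline:"; unexpected_listeners "$SAMPLE_NETSTAT" "22"
```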
Task #3: Checking System Logs & Using Syslog File
In this section, you will learn how to configure the syslog file in Linux in order to detect and report suspected intrusion actions on your computer system.
INSTRUCTIONS:
- Read the article on Linux Log Files: Linux Log Files
- In your hardened Linux server, experiment with each of the log files mentioned in the article above (including configuration files). Note that your system may not have the same services installed, so some of the files may not be there.
- Read the man pages for syslogd and syslog.conf. Learn what types of activities generate various types of system messages.
- What line would you put in syslog.conf to send all security messages to the console? How would you send them directly to the printer?
- What would the following line achieve?
kern.none /var/log/messages
- What does the following line do?
*.emerg *
- How would you send all access control messages directly to the root user?
- Read your syslog.conf file. Make sure you understand what each line means.
- Using research and experimentation, configure your syslogd so that any reboots are logged on your lab mate's /var/log/messages log file. Demonstrate that this works by rebooting your system.
- Record all of your observations/answers in your lab log-book.
- Proceed to Task #4
Answer the Task #3 observations / questions in your lab log book.
Task #4: IDS Example: Tripwire
In this section, students will learn how to install, configure and run a commonly-used open source application called Tripwire that will automatically detect system intrusion. Tripwire is used to create an initial database of information on all the system files, then runs periodically (via cron) in order to compare the system to the database. This allows the IT security manager to "manage by exception", allowing them to concentrate on providing a balanced and effective method of system security.
INSTRUCTIONS:
- We will be installing tripwire on your hardened Linux server.
- While in your hardened Linux server, open a shell terminal, and issue the command which tripwire to check whether the application has been installed. If the application is not installed, then issue the following command:
sudo yum install tripwire
Alternatively, you can download and install tripwire from the following link:
http://sourceforge.net/projects/tripwire/
- Based on instructions in the README.Fedora file (located in the /usr/share/docs/tripwire-2.4.2.2 directory), you are required to issue the following commands to initialize and run the tripwire application (using default settings):
/usr/sbin/tripwire-setup-keyfiles # Generate the system-specific cryptographic key files. Remember your passphrase
/usr/sbin/tripwire --init # Initialize the Tripwire database file. Note: this process may take several minutes to perform
/usr/sbin/tripwire --check # Run the first integrity check. May take several minutes
- There were some errors when initializing the tripwire database. Why do you think these errors occurred?
- Create a cron job, run on a daily basis as root, that runs tripwire --check.
- Record your findings in your lab log-book.
- Proceed to "Completing the Lab"
Answer Task #4 observations / questions in your lab log book.
Completing the Lab
Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:
- Results of uptime and df commands.
- Display information regarding the Linux system's processes, network usage and any unusual user accounts.
- Run the Linux command to display files over 10000 kilobytes.
- Contents of syslog.conf file.
- Cron job (root) running tripwire --check command.
- Completed Lab 8 notes.
Preparing for Quizzes
- Write 2 Linux commands that help measure Linux system performance.
- List and explain 5 types of unusual activities (indicators) that could affect system performance from a system intrusion. For each indicator, write a Linux command used to help detect the unusual activity due to system intrusion.
- List 4 types of logs to view to detect unusual activity associated with system intrusion.
- Briefly list the steps to set up syslog on your Linux server.
- Define the term IDS.
- Write the Linux command to generate a Tripwire report.