Open main menu

CDOT Wiki β

Changes

SEC520/labs/Lab 8

15,831 bytes added, 10:17, 1 February 2018
Created page with "<h1> <span class="mw-headline">Intrusion Detection</span></h1> <a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2> <dl><dd><ul..."
<h1> <span class="mw-headline">Intrusion Detection</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
<dl><dd><ul><li>Students will learn how to routinely check a computer system's performance (one of the side-effects of system intrusion). Students will specifically check log files in order to detect intrusion activity.
</li></ul>
</dd></dl>
<dl><dd><ul><li> Students will also configure the <b>syslog</b> file in Linux in inform the system administrator of any suspected intrusions that have occurred in thier computer system.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will also learn how to automate the tasks to
intrusion detection by installing, configuring and running a common
Intruction Detection System (IDS) called <b>Tripwire</b> in order to flag and report suspected computer system intrusions.
</li></ul>
</dd></dl>
<br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Check the <b>computer's performance</b> for indications of computer system intrusion activity.</li>
<li><b>Monitor log files</b> (in Linux) to detect any suspected system intrusions.</li>
<li>Configure the <b>Syslog File</b> (in Linux) to notify the adminstrator of any suspected system intrusions.</li>
</li><li>Install, configure and run the <b>Tripwire</b> open-source application to automatically flag and report suspected system instructions.
</li></ol>
<p><br>
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab8 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_7.html">SEC520 Lab 7</a>
</li></ul>
<p><br>
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>

<ul>
<li><a href="https://www.sans.org/media/score/checklists/ID-Linux.pdf" target="_new">Intrusion Discovery (Linux)</a></li>
<li><a href="http://help.ubuntu.com/community/LinuxLogFiles" target="_new">Using Syslog Files (Linux)</a></li>
<li><a href="http://en.wikipedia.org/wiki/Open_Source_Tripwire" target="_new">Tripwire Definition</a></li>
<li><a href="http://sourceforge.net/projects/tripwire/" target="_new">Download Tripwire</a></li>
<li><a href="http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/" target="_new">Using Tripwire</a></li>
<li><a href="" target="_new">Online Linux Manpages</a></li>
</ul>
<p><br>
</p>

</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.odp" target="_new">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.pdf" target="_new">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.ppt" target="_new">ppt</a> (Slides: Intrusion Detection)</li>
</ul>

<p><br>
</p>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 8</span></h1>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Checking System Performance</span></h2>
<br />
Usually system administrators continually monitor thier computer systems to check for reductions in system performance. These "monitoring checks" can be <b>benchmark programs</b> (or operating system commands) to identify system performance. Reduced system performance may be an indicator of an intrusion by a malicious hacker.<br /><br />In this lab, we will issue several Linux commands to help monitor to monitor a Linux system's performance.<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
<div><b>Use your Hardened Linux VM for this Lab</b><br>You are to use your hardened Linux VM for the duration of this lab.</div>
</div>
<br />
INSTRUCTIONS:

<ol>
<li>Start your Kali Linux (host) system, and start your Hardended Linux VM.</li>
<li>Switch to your Hardened Linux VM, and open a shell terminal.</li>
<li>Issue the Linux command: <b>uptime</b>. Record the value for the <b>load average</b> of your Linux system. Research on the Internet to determine what <i>load average</i> for a Linux system means and what a higher <i>load average</i> may indicate. Record your findings in your lab log-book.</li>
<li>Issue the Linux command: <b>df -h</b> and view the remaining amount of disk space. For detailed information regarding particular file sizes within a directory, you can use the <b>du -h</b> command. What directories may indicate a higher size to indicate hacking, worm or a virus on your Linux system? Recording your findings in your lab log-book.</li>
<li>How would you monitor the same measurements of system performance for a Windows system?</li>
<li>Proceed to Task #2</li>
</ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<br /><br />

<a name="Task2" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #2: Checking Unusual Activity </span></h2>
<br />
Checking for unusual activity in a Linux system focuses of several key indicators:
<ul>
<li><i>Unusual Running Processes</i></li>
<li><i>Unusual Network Usage</i></li>
<li><i>Unusual User Accounts</i></li>
<li><i>Unusual Large Files</i></li>
<li><i>Unusual Log Entries</i></li>
</ul>
<br />
In the next 2 sections, we will learn how to monitor these indicators to help identify Linux system intrusion. In this section, use <b>man pages</b> or perform or <i>research on the Intenet</i> in order to understand how the following Linux commands can be used to detect system intrusion (or "suspicious activity").
<br /><br />
INSTRUCTIONS:
<ol>
<li>Issue the Linux command: <b>chkconfig --list</b> (or <i>systemctl list-units --all</i> on newer systems). List all the running services in your lab log-book.</li>
<li>Issue the Linux commands:<br />
<pre>
<b>ps aux | more</b>

<b>lsof | more</b>

<b>lsof -p PID</b>
</pre>
How does the information from this listing differ from the previous Linux command that you issued?<br />What sort of services/processes might indicate a problem?<br /><br /></li>
<li>Issue the following Linux commands:
<pre>
<b>netstat -nap</b>

<b>lsof -i</b>

<b>arp -a</b>
</pre>
What sort of network usage would indicate an intrusion problem?<br /><br /></li>
<li>Issue the following Linux commands: <pre>
<b>sort -nk3 -t: /etc/passwd | more</b>

<b>egrep ':0+:' /etc/passwd</b>
</pre>
What is the purpose of these commands, and how would you check the results for intrusion?<br /><br /></li>
<li>Next, look for unusual files by using the following Linux commands:
<pre>
<b>find / -size +10000k -print</b>

<b>ls -a .*</b>

<b>lsof +L1</b>

<b>rpm -Va | sort</b>
</pre>
Write these commands in your lab log-book and give a brief purpose of how they can be used to interpret system intrusion.<br /><br /></li>
<li>Proceed to Task #3</li>
</ol>
<p><b>Answer the Task #2 observations / questions in your lab log book.</b>
</p>
<br /><br />
<a name="Task3" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #3: Checking System Logs &amp; Using Syslog File</span></h2>
<br>
In this section, you will learn how to configure the <b>Syslog File</b> in
Linux in order to detect and report suspected intrusion actions on your
computer system.
<br><br>
INSTRUCTIONS:
<ol>
<li>Read the article on Linux Log Files: <a href="https://help.ubuntu.com/community/LinuxLogFiles" target="_new">Linux Log Files</a></li>
<li>In your hardened Linux server, experiment with each of the log files
mentioned in the article above (including configuration files). Note that your system may not have the same services installed, so some of the files may not be there.</li>
<li>Read the <b>man pages</b> for <b>syslogd</b> and <b>syslog.conf</b>. Learn what types of activities generate various types of system messages.</li>
<li>What line would you put in <b>syslog.conf</b> to send all security
messages to the console? How would you send them directly to the
printer?</li>
<li>What would the following line achieve?
<pre>
<b>kern.none /var/log/messages</b>
</pre><br></li>
<li>What does the following line do?
<pre>
<b>*.emerg *</b>
</pre>
<br></li>
<li>How would you send all access control messages directly to the root user?</li>
<li>Read your <b>syslog.conf</b> file. Make sure you understand what each line means.</li>
<li>Using research and experimentation, configure your <b>syslogd</b> so that any reboots are logged on your lab mate's <b>/var/log/messages</b> log file. Demonstrate that this works by rebooting your system.</li>
<li>Record all of your observations/answers in your lab log-book.</li>
<li>Proceed to Task #4</li>
</ol>
<p><b>Answer the Task #3 observations / questions in your lab log book.</b>
</p>
<br><br>
<a name="Task4" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #4: IDS Example: Tripwire</span></h2>

<p><br>
In this section, students will learn how to install, configure and run a commonly-used open source application called <b>Tripwire</b>
that will <u>automatically</u> detect system intrusion. Tripwire is used to
create an initial database of information on all the system files then
runs periodically (via <b>cron</b>) in order to compare the system to the database. This allows the IT security manager to <b><i>"manage by exception"</i></b>, and allow them to concentrate on providing a balanced and effective method of system security.
<br><br>
INSTRUCTIONS:
<br><br>
</p><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:35px-Idea.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Idea.png" height="35" border="0" width="35"></a></div>
<div><b>About Tripwire</b><br>Tripwire is an optional package during
install. Tripwire for earlier releases is available from the
RedHat/Fedora Powertools CD in RPM format. Upon installation, it will
proceed to scan your entire filesystem to create a default database of
what your system looks like. (files and sizes etc) It might take as long
as ten minutes to initially scan...
</div>
</div>
<br>

<ol>
<li>We will be installing tripwire on your hardened Linux server.</li>
<li>While in your hardened Linux server, open a shell terminal, and issue the command <b>which tripwire</b>
to check to see if the application has been installed. If the
application is not installed, then issue the following command:
<pre>
<b>sudo yum install tripwire</b>
</pre>
<br />
Alternatively, you can download and install tripwire at the following link:
<br />
<a href="http://sourceforge.net/projects/tripwire/" target="_new">http://sourceforge.net/projects/tripwire/</a><br /><br /></li>
<li>Based on instructions in the <b>README.Fedora</b> file<br />
(located in <b>/usr/share/docs/tripwire-2.4.2.2</b> directory)<br />
You are required to issue the following commands to initialize and run the tripwire application (using default settings):
<pre>
<b>/usr/sbin/tripwire-setup-keyfiles</b> # Generate the system-specific
# cryptographic key files
# Remember your password phrase

<b>/usr/sbin/tripwire --init</b> # Initialize the Tripwire
# database file. Note: this process
# may take several minutes to perform

<b>/usr/sbin/tripwire --check</b> # Run the first integrity check
# May take several minutes
</pre>
<br />
<li>There were some errors when initializing the tripwire database. Why do you think these errors occurred?</li>
</ol>
<br>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
<div><b>Tripwire Configuration Files</b><br>Configuration file pathnames for Tripwire should be:<br><br><b>/etc/tripwire/twcfg.txt<br>/etc/tripwire/twpol.txt</b><br><br>These files are first edited and then processed by issueing the command:<br /><b>tripwire --update-policy &nbsp; POLICY-TEXT-FILENAME</b><br /><br />In order to have tripwire report any violations:<ol><li>Edit the file /etc/tripwire/twpol.txt and comment out the lines where it says files not found</li><li>Issue the command:<br /><br />
<b>/usr/sbin/tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt</b><br /><br /></li></ol></div>
</div>
<br>
<ol>
<li value="5">Create a cronjob to be run on a daily basis that will run the <b>tripwire --check"</b> as <b>root</b><br><br></li>
<li>Record your findings in your lab log-book.</li>
<li>Proceed to "Completing the Lab"</li>
</ol>

<p><b>Answer Task #4 observations / questions in your lab log book.</b>
</p><p><br>
</p>

<a name="Completing_the_Lab" id="Completing_the_Lab"></a><h1> <span class="mw-headline"> Completing the Lab </span></h1>
<p><b>Arrange evidence for each of these items on your screen, then ask
your instructor to review them and sign off on the lab's completion:</b>
</p>
<ol>
<li>Results of <b>uptime</b> and <b>df</b> commands.</li>
<li>Display information regarding Linux system's <b>Process</b>, <b>network usage</b> and any <b>unusual user accounts</b>.</li>
<li>Run Linux command to display files over <b>10000 Kilobytes</b>.</li>
<li>Contents of <b>syslog.conf</b> file.</li>
<li><b>Cron job</b> (root) running <b>tripwire --check</b> command.</li>
<li>Completed Lab 8 notes.</li>
</ol>
<p><br>
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>

<ol>
<li>Write 2 Linux command to help measure Linux system performance.</li>
<li>List and explain 5 types of <b>unusual activities (indicators)</b> that could affect system performance from a system intrusion. For each indicator, write a Linux command used to help detect the unusual activity due to system intrusion.</li>
<li>List 4 types of logs to view to detect <b>unusual activity associated with system intrusion</b>.</li>
<li>Briefly list the steps to setup <b>syslog</b> on your Linux server.</li>
<li>Define the term <b>IDS</b>.</li>
<li>Write the Linux command to generate a <b>Tripwire report</b>.</li>
</ol>