CDOT Wiki β
SEC520/labs/Lab 8

2,739 bytes removed, 10:50, 1 February 2018
<h1> <span class="mw-headline">Intrusion Detection</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
<dl><dd><ul><li>Students will learn how to routinely check a computer system's performance (one of the side-effects of system intrusion). Students will specifically check log files in order to detect intrusion activity.
</li></ul>
</dd></dl>
<br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Check the <b>computer's performance</b> for indications of computer system intrusion activity.</li>
<li><b>Monitor log files</b> (in Linux) to detect any suspected system intrusions.</li>
</ol>
<p><br>
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).</li>
</ul>
<p><br>
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scswiki.senecaccdot.onsenecacollege.ca/%7Efacwiki/sec520SEC520/labs/SEC520_Lab_7.html">SEC520 Lab 7</a>
</li></ul>
<p><br>
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>
<ul>
<li><a href="https://www.sans.org/media/score/checklists/ID-Linux.pdf" target="_new">Intrusion Discovery (Linux)</a></li>
<li><a href="http://help.ubuntu.com/community/LinuxLogFiles" target="_new">Using Syslog Files (Linux)</a></li>
<li><a href="http://en.wikipedia.org/wiki/Open_Source_Tripwire" target="_new">Tripwire Definition</a></li>
<li><a href="http://sourceforge.net/projects/tripwire/" target="_new">Download Tripwire</a></li>
<li><a href="http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/" target="_new">Using Tripwire</a></li>
<li><a href="" target="_new">Online Linux Manpages</a></li>
</ul>
<p><br>
</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.odp" target="_new">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.pdf" target="_new">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.ppt" target="_new">ppt</a> (Slides: Intrusion Detection)</li>
</ul>
<p><br>
</p>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 8</span></h1><a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Checking System Performance</span></h2>
<br />
Usually system administrators continually monitor their computer systems to check for reductions in system performance. These "monitoring checks" can be <b>benchmark programs</b> (or operating system commands) that measure system performance. Reduced system performance may be an indicator of an intrusion by a malicious hacker.<br /><br />In this lab, we will issue several Linux commands to help monitor a Linux system's performance.<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div><div><b>Use your Hardened Linux VM for this Lab</b><br>You are to use your hardened Linux VM for the duration of this lab.</div></div>
<br />
INSTRUCTIONS:
<br /><br />
<a name="Task2" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #2: Checking Unusual Activity </span></h2>
<br />
Checking for unusual activity in a Linux system focuses on several key indicators:
<ol>
<li>Issue the Linux commands:<br />
<pre>
<b>ps aux | more</b>
<b>lsof | more</b>
<b>lsof -p PID</b>
</pre>
How does the information from this listing differ from the previous Linux command that you issued?<br />What sort of services/processes might indicate a problem?<br /><br /></li>
<li>Issue the following Linux commands:
<pre>
<b>netstat -nap</b>
<b>lsof -i</b>
<b>arp -a</b>
</pre>
What sort of network usage would indicate an intrusion problem?<br /><br /></li>
<li>Issue the following Linux commands:
<pre>
<b>sort -nk3 -t: /etc/passwd | more</b>
<b>egrep ':0+:' /etc/passwd</b>
</pre>
What is the purpose of these commands, and how would you check the results for intrusion?<br /><br /></li>
<li>Next, look for unusual files by using the following Linux commands:
<pre>
<b>find / -size +10000k -print</b>
<b>ls -a .*</b>
<b>lsof +L1</b>
<b>rpm -Va | sort</b>
</pre>
Write these commands in your lab log-book and give a brief description of how each can be used to detect system intrusion.<br /><br /></li>
</ol>
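<p>The two <b>/etc/passwd</b> checks above (the UID-sorted listing and the grep for UID 0) can be turned into repeatable checks. The script below is an added example written for this page, not part of the original lab: it implements both as POSIX shell functions and runs them against a constructed sample passwd file, so it works offline and never reads the real <b>/etc/passwd</b>. The account names in the sample are invented.</p>

```shell
#!/bin/sh
# Added example for Task #2; it is not part of the SEC520 lab page. It
# reproduces the two /etc/passwd checks above (UID 0 accounts, and the
# UID-sorted listing that makes duplicate UIDs visible) as shell functions
# and runs them against a constructed sample file, so it works offline and
# never touches the real /etc/passwd.

# uid0_accounts PASSWD_FILE
# Print every account whose numeric UID is 0 but whose name is not "root".
# The numeric comparison also catches spellings such as "00", which is why
# the lab greps for ':0+:' rather than ':0:'.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# dup_uids PASSWD_FILE
# Print each UID that is shared by two or more accounts, one per line.
# "$3 + 0" normalises the field to a plain number before sorting so that
# "0" and "00" count as the same UID.
dup_uids() {
    awk -F: '{ print $3 + 0 }' "$1" | sort -n | uniq -d
}

# Constructed sample passwd file (not taken from any real system).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
student:x:1000:1000:Student:/home/student:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
www:x:1000:1000:Web content:/var/www:/sbin/nologin
sysadm:x:00:0:leading-zero uid:/root:/bin/bash
EOF

echo "Accounts with UID 0 other than root:"
uid0_accounts "$SAMPLE_PASSWD"
echo "UIDs shared by more than one account:"
dup_uids "$SAMPLE_PASSWD"
```

<p>On the sample file the first function reports <b>toor</b> and <b>sysadm</b> and the second reports UIDs 0 and 1000. On a real system, point the functions at <b>/etc/passwd</b>; any name other than root with UID 0, or any shared UID that the local accounts policy does not explain, belongs in the lab log-book as a finding to investigate.</p>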
<br /><br />
<a name="Task3" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #3: Checking System Logs &amp; Using Syslog File</span></h2>
<br>
In this section, you will learn how to configure the <b>Syslog File</b> in
INSTRUCTIONS:
<ol>
<li>Read the article on Linux Log Files: <a href="https://help.ubuntu.com/community/LinuxLogFiles" target="_new">Linux Log Files</a></li>
<li>In your hardened Linux server, experiment with each of the log files
mentioned in the article above (including configuration files). Note that your system may not have the same services installed, so some of the files may not be there.</li>
<li>What would the following line achieve?
<pre>
<b>kern.none /var/log/messages</b>
</pre><br></li>
<li>What does the following line do?
<pre>
<b>*.emerg *</b>
</pre>
<br></li>
</ol>
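<p>Both syslog lines above consist of a selector field (<b>kern.none</b>, <b>*.emerg</b>) and an action field (<b>/var/log/messages</b>, <b>*</b>). The script below is an added example written for this page, not part of the original lab: a small POSIX shell evaluator for the selector field only, so that the effect of a selector can be tried against constructed facility/priority pairs offline before editing a real syslog configuration. It models the classic <b>facility.priority</b> rules (a selector matches that priority and everything more severe, the last selector naming a facility wins, and <b>none</b> excludes a facility); the <b>=</b> and <b>!</b> modifiers are deliberately left out, and the action field is not modelled.</p>

```shell
#!/bin/sh
# Added example for Task #3; it is not part of the SEC520 lab page. It is a
# small POSIX-shell evaluator for the selector field of a classic
# syslog.conf line (the "kern.none" and "*.emerg" part of the two lines
# quoted above), so their effect can be tried against sample messages
# offline. It handles "facility.priority", "*" wildcards, comma-separated
# facility lists, ";"-separated selector lists and the "none" keyword; the
# "=" and "!" priority modifiers are deliberately not modelled, and neither
# is the action field.

set -f   # never expand "*" in a selector into file names

# prio_rank NAME : numeric severity, 0 = emerg (most severe) ... 7 = debug.
# A "*" priority means "all priorities", i.e. debug and above.
prio_rank() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug|'*')    echo 7 ;;
        *)            echo 99 ;;   # unknown name: selects nothing
    esac
}

# selected_by SELECTORS FACILITY PRIORITY
# Exit 0 if a message of FACILITY/PRIORITY would reach the action of a line
# whose selector field is SELECTORS, else 1. "fac.pri" selects messages of
# priority pri or more severe; for each facility the last selector that
# names it wins, which is how "*.info;kern.none" keeps kernel messages out
# of an otherwise broad rule.
selected_by() {
    sel_list=$1; msg_fac=$2; msg_pri=$3
    threshold=none
    old_ifs=$IFS
    IFS=';'; set -- $sel_list; IFS=$old_ifs
    for part in "$@"; do
        sel_fac=${part%%.*}
        sel_pri=${part#*.}
        IFS=','; set -- $sel_fac; IFS=$old_ifs
        for f in "$@"; do
            if [ "$f" = '*' ] || [ "$f" = "$msg_fac" ]; then
                threshold=$sel_pri
            fi
        done
    done
    [ "$threshold" != none ] || return 1
    msg_rank=$(prio_rank "$msg_pri"); thr_rank=$(prio_rank "$threshold")
    [ "$msg_rank" -le 7 ] && [ "$thr_rank" -le 7 ] && [ "$msg_rank" -le "$thr_rank" ]
}

# check SELECTORS FACILITY PRIORITY : prints "yes" or "no" for quick tables.
check() {
    if selected_by "$1" "$2" "$3"; then echo yes; else echo no; fi
}

# Try the two selectors from the lab, plus the usual combined form, on
# constructed messages (these are not real log entries).
for spec in "kern.none kern emerg" "kern.none mail info" \
            "*.emerg kern emerg" "*.emerg mail alert" \
            "*.info;kern.none mail info" "*.info;kern.none kern crit"; do
    set -- $spec
    printf '%-20s %-5s %-6s -> %s\n' "$1" "$2" "$3" "$(check "$1" "$2" "$3")"
done
```

<p>Run the script and compare the table with your own reading of the two lab lines; then try selector lists in both orders (for example <b>*.warning;auth,authpriv.none</b> against <b>auth,authpriv.none;*.warning</b>) to see why the order of selectors on one line matters before you rely on an exclusion in a real configuration.</p>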
<br><br>
<a name="Task4" id="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #4: IDS Example: Tripwire</span></h2>
<p><br>
INSTRUCTIONS:
<br><br>
</p><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:35px-Idea.png" class="image" title="Idea.png"><img alt="" src="SEC520_Lab_1_files/35px-Idea.png" height="35" border="0" width="35"></a></div><div><b>About Tripwire</b><br>Tripwire is an optional package during install. Tripwire for earlier releases is available from the RedHat/Fedora Powertools CD in RPM format. Upon installation, it will proceed to scan your entire filesystem to create a default database of what your system looks like (files, sizes, etc.). It might take as long as ten minutes to initially scan...</div></div>
<br>
<ol>
<li>application is not installed, then issue the following command:
<pre>
<b>sudo yum install tripwire</b>
</pre>
<br />
Alternatively, you can download and install tripwire at the following link:
<br />
<a href="http://sourceforge.net/projects/tripwire/" target="_new">http://sourceforge.net/projects/tripwire/</a><br /><br /></li>
<li>Based on instructions in the <b>README.Fedora</b> file<br />
(located in <b>/usr/share/docs/tripwire-2.4.2.2</b> directory)<br />
You are required to issue the following commands to initialize and run the tripwire application (using default settings):
<pre>
<b>/usr/sbin/tripwire-setup-keyfiles</b> # Generate the system-specific
# cryptographic key files
# Remember your password phrase
<b>/usr/sbin/tripwire --init</b> # Initialize the Tripwire
# database file. Note: this process
# may take several minutes to perform
<b>/usr/sbin/tripwire --check</b> # Run the first integrity check
# May take several minutes
</pre>
</li>
</ol>
<br>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div><div><b>Tripwire Configuration Files</b><br>Configuration file pathnames for Tripwire should be:<br><br><b>/etc/tripwire/twcfg.txt<br>/etc/tripwire/twpol.txt</b><br><br>These files are first edited and then processed by issuing the command:<br /><b>tripwire --update-policy &nbsp; POLICY-TEXT-FILENAME</b><br /><br />In order to have tripwire report any violations:<ol><li>Edit the file /etc/tripwire/twpol.txt and comment out the lines where it says files not found</li><li>Issue the command:<br /><br /><b>/usr/sbin/tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt</b><br /><br /></li></ol></div></div>
<br>
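<p>What <b>tripwire --init</b> and <b>tripwire --check</b> do is easiest to see on a small tree you control. The script below is an added example written for this page; it is not Tripwire's own code and does not use Tripwire at all. It builds a baseline of file hashes for a directory (the <b>--init</b> idea), then compares the tree against that baseline and reports added, removed and changed files (the <b>--check</b> idea), using <b>sha256sum</b> (or <b>shasum</b> on BSD systems) instead of Tripwire's signed database. It runs only on a constructed temporary directory; the file names and contents in it are invented.</p>

```shell
#!/bin/sh
# Added example for Task #4; it is not part of the SEC520 lab page and is
# not Tripwire's own code. It shows the idea behind "tripwire --init" and
# "tripwire --check" with plain shell tools: build a baseline of file hashes
# for a directory tree, then compare the tree against the baseline and
# report added, removed and changed files. Unlike Tripwire it keeps the
# baseline as an unsigned text file, so a real deployment would still need
# Tripwire's signed database (or read-only offline storage). It runs on a
# constructed temporary tree, never on the real filesystem.

# hash_file PATH : "hash  path" using sha256sum (coreutils) or shasum (BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# integrity_init DIR DBFILE : write one "hash  ./relative/path" line per
# regular file under DIR into DBFILE (DBFILE must be an absolute path,
# since the listing runs from inside DIR). Paths containing whitespace are
# not supported by this simple format.
integrity_init() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# integrity_check DIR DBFILE : print "added P", "removed P" or "changed P"
# for every difference between the tree and the baseline; nothing if clean.
integrity_check() {
    now=$(mktemp)
    integrity_init "$1" "$now"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) if (!(p in cur))  print "removed " p
             for (p in cur)  if (!(p in base)) print "added " p
             for (p in cur)  if ((p in base) && base[p] != cur[p]) print "changed " p
         }' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Constructed sample tree and baseline (not real system files).
DEMO=$(mktemp -d); DB=$(mktemp)
trap 'rm -rf "$DEMO" "$DB"' EXIT
mkdir -p "$DEMO/etc" "$DEMO/bin"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO/etc/passwd"
printf 'PermitRootLogin no\n'              > "$DEMO/etc/sshd_config"
printf '#!/bin/sh\necho hello\n'           > "$DEMO/bin/hello"
integrity_init "$DEMO" "$DB"      # the equivalent of "tripwire --init"

# Make one change of each kind so the check has something to report.
printf 'extra:x:1001:1001::/home/extra:/bin/sh\n' >> "$DEMO/etc/passwd"   # changed
printf 'x\n' > "$DEMO/bin/.cache"                                         # added
rm "$DEMO/etc/sshd_config"                                                # removed

# report : the equivalent of "tripwire --check" on the sample tree.
report() { integrity_check "$DEMO" "$DB"; }
report
```

<p>The report lists the three differences, one per line, sorted. The same limitation that the configuration note above addresses with <b>--update-policy</b> shows up here too: every legitimate change (a package update, an edited configuration file) has to be re-baselined, otherwise the check keeps reporting it, and an attacker who can write the baseline file can hide a change, which is why Tripwire signs its database with the keys created by <b>tripwire-setup-keyfiles</b>.</p>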
<a name="Completing_the_Lab" id="Completing_the_Lab"></a><h1> <span class="mw-headline"> Completing the Lab </span></h1>
<p><b>Arrange evidence for each of these items on your screen, then ask
your instructor to review them and sign off on the lab's completion:</b></p>
<p><br>
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>