Hack 5 Protect Your Logs from Tampering
Welcome to the second section of the hacker's diary. Today we look at how to protect our log files.
By now you must be wondering why it is important to protect log files at all.
An attacker will more than likely leave telltale signs of his actions in various logs. This is a very valuable audit trail that should be protected, because it can help us figure out how the attacker got in, or where the attack came from.
So the big question is: if an attacker gains root privileges, how do we stop him from removing the traces of his misbehaviour?
One useful attribute for protecting log files is append-only. When this attribute is set, the file cannot be deleted, and writes are only allowed to append to the end of the file: the file cannot be opened for writing without O_APPEND, so it cannot be truncated or overwritten in place.
To set the append-only flag under Linux, run this command:
# chattr +a filename
Obviously, an intruder who has gained root privileges could realize that file attributes are being used and simply remove the append-only flag from our logs by running chattr -a. To prevent this, we need to disable the ability to remove the append-only attribute. On Linux, this is done with the kernel's capabilities mechanism.
The Linux capabilities model divides up the privileges given to the all-powerful root account and allows you to selectively disable them. In order to prevent anyone, root included, from removing the append-only attribute from a file, we need to remove the CAP_LINUX_IMMUTABLE capability. When present in the running system, this capability allows the append-only (and immutable) attributes to be modified. To modify the set of capabilities available to the whole system (the kernel's capability bounding set), we will use a simple utility called lcap (http://packetstormsecurity.org/linux/admin/lcap-0.0.3.tar.bz2).
To unpack and compile the tool, run this command:
# tar xvfj lcap-0.0.3.tar.bz2 && cd lcap-0.0.3 && make
Then, to disallow modification of the append-only flag, run:
# ./lcap CAP_LINUX_IMMUTABLE
# ./lcap CAP_SYS_RAWIO
The first command removes the ability to change the append-only flag, and the second removes the ability to do raw I/O. The second is needed so that the protected files cannot be modified by writing directly to the block device they reside on; it also blocks access to /dev/mem and /dev/kmem, which would otherwise give an intruder a way to patch the running kernel and reinstate CAP_LINUX_IMMUTABLE. To remove these capabilities at every boot, add the previous two commands to your system startup scripts (e.g., /etc/rc.local). Make sure they run late in the boot order, after everything that legitimately needs those capabilities has started; otherwise other startup scripts may fail. Once lcap has removed capabilities from the bounding set, they can be reinstated only by rebooting the system.
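The procedure above is easy to get half right: the flag is set on some logs and not others, or a filesystem silently ignores it, or lcap has not actually run yet. The following POSIX shell script is an added example (not from the original page and not part of lcap) that turns the steps into something repeatable and checkable: it audits which logs still lack the `a` flag, applies it, proves on a scratch file that append works while truncate and delete are refused, and, after the capability has been dropped, checks that `chattr -a` is refused even for root. The list in LOG_FILES is an assumption; adjust it for your distribution. Everything except the audit must run as root.

```shell
#!/bin/sh
# Added example, not part of the original page or of lcap: audit, apply and verify
# append-only protection on log files. LOG_FILES is an assumption; adjust for your system.

LOG_FILES="/var/log/messages /var/log/secure /var/log/auth.log"

# Read lsattr-style lines ("<flags> <path>") on stdin; print the paths whose flag
# field lacks the lowercase 'a' (append-only) flag. Uppercase 'A' (no-atime) is a
# different flag and is deliberately not matched.
paths_missing_append_only() {
    while read -r flags path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        case "$flags" in
            *a*) ;;                         # already append-only
            *)   printf '%s\n' "$path" ;;
        esac
    done
}

# Audit: list configured logs that are not yet append-only (needs lsattr, not root).
audit_logs() {
    lsattr -d $LOG_FILES 2>/dev/null | paths_missing_append_only
}

# Apply the flag to every configured log (root).
protect_logs() {
    for f in $LOG_FILES; do
        chattr +a "$f" || echo "$f: chattr +a failed (not root, or filesystem lacks attribute support)"
    done
}

# Prove, on a scratch file in the given directory, that +a gives the semantics the
# text relies on: appends succeed, overwrite/truncate is refused, unlink is refused.
# A scratch file is used so that a failing test never truncates or deletes a real log.
# Run as root BEFORE dropping CAP_LINUX_IMMUTABLE, because cleanup needs chattr -a.
verify_append_only_semantics() {
    dir="${1:-/var/log}"
    scratch="$dir/.append-only-check.$$"
    touch "$scratch" 2>/dev/null && chattr +a "$scratch" 2>/dev/null \
        || { echo "$dir: cannot create an append-only scratch file"; return 1; }
    rc=0
    printf 'append check\n' >> "$scratch" || { echo "$scratch: append failed"; rc=1; }
    if ( : > "$scratch" ) 2>/dev/null; then echo "$scratch: truncate succeeded: NOT protected"; rc=1; fi
    if rm -f "$scratch" 2>/dev/null;   then echo "$scratch: delete succeeded: NOT protected";   rc=1; fi
    if [ -e "$scratch" ]; then          # cleanup is only possible while the capability is still present
        chattr -a "$scratch" 2>/dev/null && rm -f "$scratch" \
            || echo "$scratch: could not remove (flag locked); it stays until the next boot"
    fi
    [ "$rc" -eq 0 ] && echo "$dir: append-only semantics OK"
    return "$rc"
}

# After lcap (or any other method) has dropped CAP_LINUX_IMMUTABLE, even root must be
# unable to clear the flag. If chattr -a succeeds, the capability is still present:
# put the flag straight back and report failure. Non-destructive, so safe on real logs.
verify_flag_locked() {
    f="$1"
    if chattr -a "$f" 2>/dev/null; then
        chattr +a "$f"
        echo "$f: chattr -a succeeded: CAP_LINUX_IMMUTABLE is still available"
        return 1
    fi
    echo "$f: append-only flag is locked"
}

# Typical use (as root):
#   protect_logs && verify_append_only_semantics /var/log     # before running lcap
#   for f in $LOG_FILES; do verify_flag_locked "$f"; done      # after lcap has run
```

Run `audit_logs` from cron or your monitoring to catch logs created later (log rotation creates new files that do not inherit the flag), and note that `verify_flag_locked` is the only reliable way to confirm the lcap step took effect, since lsattr shows the same output whether or not the capability is present.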
Note: lcap only works for Linux kernel versions < 2.6. But I am still trying to figure out a way to make it work for new kernel versions also. If you have any idea, please share it here.
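Editor's added note, not from the original post: from kernel 2.6.25 on, the system-wide cap-bound sysctl that lcap writes to no longer exists. The capability bounding set is now per process and is inherited by children, so the practical place to drop a capability for everything on the box is PID 1. On systemd-based systems that is the CapabilityBoundingSet= setting in /etc/systemd/system.conf, which applies to PID 1 and every process it starts; the leading `~` inverts the list, keeping every capability except the named ones. This is the editor's example of that setting, not the original author's configuration:

```ini
# /etc/systemd/system.conf  (editor's added example, not from the original post)
[Manager]
# Drop these two capabilities from PID 1 and from everything systemd starts.
# The leading "~" means: keep every capability except the ones listed.
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE CAP_SYS_RAWIO
```

The setting takes effect at the next boot, and once dropped from PID 1 the capabilities cannot come back without another reboot, which gives the same property as the lcap approach. The same caveats apply: a root attacker can still edit this file (or the boot configuration) and reboot, so this raises the bar rather than closing the door, and tools that do raw disk I/O will lose CAP_SYS_RAWIO, so test the services you run before relying on it.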