Lab Assignment 5: due 11/18Wed

Submission

  1. Use scp to download the lab report file at /home/shengbo/it443/lab5.txt

$scp:/home/shengbo/it443/lab5.txt .

  2. Write all the answers in the file.
  3. Rename the file to lab5_firstname1_firstname2.txt. E.g., if Alice and Bob form a team, the file name should be lab5_alice_bob.txt
  4. Email the lab report to the TA () and CC the instructor ()

Task 1: Remote log

Log files contain valuable information for detecting intrusions. However, once someone has taken over a computer and become root, she can manipulate the log files to obscure any traces of her activity. Manipulating log files can consist of deleting entries or of hiding the relevant information by filling the log files with huge amounts of irrelevant entries. One way to prevent the manipulation of log files by deletion of entries is to not only log on the host itself, but also to send the log information across the network to another host. The intruder could stop the sending of logging information to the log host, but the lack of entries would alert you, as would any suspicious ones.

In this task, your goal is to configure the VM ‘Ubuntu’ to remotely write its logs to the other VM ‘Ubuntu-2’. First, you need to install sysklogd on both ‘Ubuntu’ and ‘Ubuntu-2’:

$sudo apt-get install sysklogd

Step 1: Configure ‘Ubuntu-2’ to accept logs from remote machines: Open file /etc/default/syslogd and change the option line to SYSLOGD="-r". Then restart the syslog service by executing

$sudo /etc/init.d/sysklogd restart

Step 2: Configure ‘Ubuntu’: Open file /etc/syslog.conf and add the following line at the top,

*.* @IP_OF_Ubuntu-2

Then restart syslog service by executing

$sudo /etc/init.d/sysklogd restart

Step 3: Start monitoring the log at Ubuntu-2 by executing

$tail -f /var/log/messages

Questions:

Generate an event on ‘Ubuntu’ that will be logged by the system and monitor the corresponding log files on ‘Ubuntu-2’. You can choose any type of log files under /var/log .

  1. What event did you generate on ‘Ubuntu’? What messages did you observe on ‘Ubuntu-2’? Does ‘Ubuntu’ have a local copy of the log message?
  2. When you monitor on ‘Ubuntu-2’, how can you distinguish a local log message from a remote log message (from ‘Ubuntu’)?

Task 2: Host-based IDS

In this task, you will use a Host-based Intrusion Detection System (HIDS) to detect compromises on your Linux machine. You will be using AIDE, a HIDS that uses techniques similar to those of the well-known Tripwire. It attempts to detect intrusions by monitoring the filesystem and alerting administrators when suspicious changes occur. You should review an AIDE manual before beginning this task.

Step 1: Install AIDE

$sudo apt-get install bison flex zlib1g-dev libcrypto++-dev libmhash-dev libgpg-error-dev

Download the AIDE source tarball aide-0.15.1.tar.gz from the following URL

Extract the tarball and enter the directory “aide-0.15.1”. Execute the following commands

$./configure

$make

$make install

Step 2: Configuration: Enter the “doc” directory and open the configuration file “aide.conf”. Read through the comments and sample rules. Create a new rule called “MyRule” which checks permissions and ctime and uses MD5 and SHA1. Apply this new rule to all files under “/bin” and “/sbin”. Copy “aide.conf” to “/usr/local/etc/”.

Step 3: Initialize aide by running “aide -i”. A new database “aide.db.new” will be generated. Copy it to aide.db for comparison later. Try to change the permissions or ctime of the files under /bin or /sbin. Then run aide again by “aide -C” or “aide -u”.
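The snapshot-and-compare logic AIDE performs in step 3 can be illustrated with a small Python script (an added example, not part of AIDE or of this lab): it records the same attributes as MyRule (permissions, ctime, MD5, SHA1) for every regular file under the given directories, and a later snapshot is compared against that baseline to report added, removed and changed files. The function names and the report layout are this example's own.

```python
import hashlib
import os
import stat
from pathlib import Path


def fingerprint(path):
    """Attributes checked by the lab's MyRule: permission bits, ctime, MD5, SHA1."""
    st = os.lstat(path)
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "perm": stat.S_IMODE(st.st_mode),  # e.g. 0o755; a chmod changes this
        "ctime": int(st.st_ctime),         # inode change time, in whole seconds
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def build_db(dirs):
    """Like 'aide -i': snapshot every regular file (symlinks skipped) under dirs."""
    db = {}
    for d in dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file() and not p.is_symlink():
                db[str(p)] = fingerprint(p)
    return db


def compare(old_db, new_db):
    """Like 'aide -C': report files that appeared, vanished, or changed attributes."""
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(new_db.keys() - old_db.keys()):
        report["added"].append(path)
    for path in sorted(old_db.keys() - new_db.keys()):
        report["removed"].append(path)
    for path in sorted(old_db.keys() & new_db.keys()):
        diffs = [k for k in old_db[path] if old_db[path][k] != new_db[path][k]]
        if diffs:
            report["changed"][path] = diffs
    return report


if __name__ == "__main__":
    # Stand-alone use: snapshot /bin and /sbin, as the lab's rule does (read-only).
    baseline = build_db(["/bin", "/sbin"])
    print(f"{len(baseline)} files fingerprinted; re-run compare() against a later build_db()")
```

Unlike the real tool, this keeps the database only in memory; the point is to see which of the four attributes each of your two tests in step 3 trips (a chmod changes "perm" and ctime, an edited file changes both hashes).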

Questions:

  1. Attach the lines you added to the configuration file “aide.conf” in step 2.
  2. Try two different examples for testing the rule in step 3. Describe how you tested it and what aide reported.