Task I - Using BSM for user auditing

In this task, you will combine syslog, swatch, and BSM to monitor remote connections and user activity. You will configure BSM to audit a specific user. After BSM is configured, you will start swatch on your syslog files. This user, working from the client host, will attempt a malicious attack. As the administrator of the server host, it will be your responsibility to track the user and terminate their session.

This lab requires partners. One host will be the server host running BSM; its terminal windows will be denoted with an x. The other host will be the client host; its terminals will be denoted with a y.

1) Enable BSM on the server host by running the bsmconv script. Do not reboot yet.

[x1] # cd /etc/security
[x1] # ./bsmconv

2) Add a user called "guest" and set the password to "guest".

[x1] # useradd -d /export/home/guest -m guest
[x1] # passwd guest

3) Edit the BSM /etc/security/audit_user file and enable auditing for the user guest. Track all of guest's logins and logouts (lo), successful file writes (+fw), unsuccessful file reads (-fr), and all programs executed (ex). The line format is username:always-audit-flags:never-audit-flags.

[x1] # vi /etc/security/audit_user
guest:+fw,-fr,ex,lo:no

4) Edit the /etc/security/audit_startup file so that BSM records the command line arguments along with each program executed (the argv audit policy).

[x1] # vi /etc/security/audit_startup
auditconfig -setpolicy +argv

5) Reboot the server host.

[x1] # reboot

6) Log back into the server and check that the auditd daemon is running.

[x1] # pgrep -lf auditd

7) Look in the /var/audit directory for BSM log files.

[x1] # ls -l /var/audit

8) Test your BSM configuration by telnetting to your server through the localhost. Log in and log out as the user guest.

[x1] # telnet localhost
[x1] $ exit

9) As root on the server host, check whether BSM logged the guest connection. Remember, the auditreduce command reads the BSM log files in /var/audit. The -A option selects all log files, the -u option selects a user, and the -c option selects an audit class (here lo, login/logout events).
The praudit command converts BSM log entries into ASCII. The -l option prints one record per line and the -s option selects the short (symbolic) output format.

[x1] # auditreduce -A -u guest -c lo | praudit -ls | more

10) Once you have successfully tested BSM, delete the audit log files in /var/audit and start a new log.

[x1] # cd /var/audit
[x1] # rm -r *
[x1] # audit -s          <--- force auditd to reread its config files and start a new log file

11) Open a new console window (not a terminal) and start a swatch process in the foreground monitoring your /var/adm/inetdlogs file for connections from the client host. Check to make sure the swatch process is running.

[x2] # vi /etc/swatch.daemon.conf
watchfor /daemon.notice/
        echo inverse
        bell 2

[x2] # swatch -c /etc/swatch.daemon.conf -t /var/adm/inetdlogs
[x1] # pgrep -lf swatch

12) Open a console window on the client host. As root, start probing the server host for a guest account.

[y1] # finger @server
[thunderbolt]
Login       Name               TTY         Idle    When    Where
root     0000-Admin(0000)      console          Thu 16:40  :0

[y1] # rusers server
server      root

Is the user guest logged in?

13) Probe the unconfigured sendmail daemon on the server host for a guest account. The EXPN command asks sendmail to expand an address, and unless it has been disabled it will confirm whether the account exists.

[y1] # telnet server 25

Sample session against a server named thunderbolt:

# telnet thunderbolt 25
Trying 12.22.215.94...
Connected to thunderbolt.
Escape character is '^]'.
220 thunderbolt.la.sunedu.com ESMTP Sendmail 8.10.2+Sun/8.10.2; Thu, 31 Jan 2002 16:47:34 -0800 (PST)
expn guest
250 2.1.5 Guest Account
quit

Is there a guest account on this system?

14) Attempt to brute force a telnet login as user guest. Try the password "guest".

[y1] # telnet server

15) Once in guest's home directory, do some probing of the server host.

[y1] $ cat /etc/shadow
[y1] $ ls -l /export/home
[y1] $ /usr/sbin/snoop
[y1] $ ls -ld /tmp

16) As a blackhat, you have noticed that /tmp is publicly writable. On Solaris, /tmp is a tmpfs file system backed by swap, so filling it consumes the server's virtual memory rather than disk space. This can be a way to do a memory DoS on the server host. Perform a memory DoS with the following shell script. Once you have written the script, you will have to make it executable.
This script will gradually fill virtual memory with copies (about 1 MB each) of /var/sadm/install/contents. Once virtual memory has been depleted, the server host will not be able to start any new applications.

[y1] $ vi hog
#!/bin/ksh -x
# Fill /tmp (a swap-backed tmpfs) with copies of a large file.  The loop
# bound is effectively unlimited; the script keeps writing until stopped.
x=0
until [ $x -eq 10000000 ]
do
        cat /var/sadm/install/contents > /tmp/file.$x
        let x=x+1
done

[y1] $ chmod +x hog
[y1] $ ./hog

17) By now, swatch on the server host should have alerted the system administrator to a login from the client IP. Do some basic information gathering to find out who is logged onto the server host.

[x1] # who
[x1] # whodo

18) Noticing that guest is indeed logged in, start an analysis of guest's activity on the server host.

a. Using BSM, first check all login and logout events for guest.

[x1] # auditreduce -A -u guest -c lo | praudit -ls | more
header,81,2,login - telnet,,Thu 31 Jan 2002 04:31:50 PM PST, + 870002270 msec,subject,guest,guest,staff,guest,staff,443,443,8209 65559 lightning,text,successful login,return,success,0
header,77,2,logout,,Thu 31 Jan 2002 04:31:57 PM PST, + 889999276 msec,subject,guest,guest,staff,guest,staff,443,443,8209 65559 lightning,text,logout guest,return,success,0

How did guest log in to the server host? ________________

b. Using BSM, next check all of the commands executed by the user guest.

[x1] # auditreduce -A -u guest -c ex | praudit -ls | more

Can you rebuild the sequence of commands that guest executed?
header,145,2,execve(2),,Thu 31 Jan 2002 04:32:53 PM PST, + 479997497 msec,path,/usr/bin/cat,attribute,100555,root,bin,32,74543,0,exec_args,2,cat,/etc/shadow,subject,guest,guest,staff,guest,staff,460,453,8209 131095 lightning,return,success,0
header,147,2,execve(2),,Thu 31 Jan 2002 04:33:00 PM PST, + 59998772 msec,path,/usr/bin/ls,attribute,100555,root,bin,32,74626,0,exec_args,3,ls,-l,/export/home,subject,guest,guest,staff,guest,staff,461,453,8209 131095 lightning,return,success,0
header,148,2,execve(2),,Thu 31 Jan 2002 04:33:17 PM PST, + 489998143 msec,path,/usr/sbin/snoop,attribute,100555,root,bin,32,962410,0,exec_args,1,/usr/sbin/snoop,subject,guest,guest,staff,guest,staff,463,453,8209 131095 lightning,return,success,0
header,140,2,execve(2),,Thu 31 Jan 2002 04:33:22 PM PST, + 349997520 msec,path,/usr/bin/ls,attribute,100555,root,bin,32,74626,0,exec_args,3,ls,-ld,/tmp,subject,guest,guest,staff,guest,staff,464,453,8209 131095 lightning,return,success,0
header,135,2,execve(2),,Thu 31 Jan 2002 04:33:28 PM PST, + 340001075 msec,path,/usr/bin/vi,attribute,100555,root,bin,32,74571,0,exec_args,2,vi,hog,subject,guest,guest,staff,guest,staff,465,453,8209 131095 lightning,return,success,0
header,144,2,execve(2),,Thu 31 Jan 2002 04:34:59 PM PST, + 599999703 msec,path,/usr/bin/chmod,attribute,100555,root,bin,32,74545,0,exec_args,3,chmod,+x,hog,subject,guest,guest,staff,guest,staff,466,453,8209 131095 lightning,return,success,0
header,157,2,execve(2),,Thu 31 Jan 2002 04:35:02 PM PST, + 909999884 msec,path,/export/home/guest/hog,attribute,100755,guest,staff,136,219023,0,exec_args,3,/bin/ksh,-x,./hog,subject,guest,guest,staff,guest,staff,467,453,8209 131095 lightning,return,success,0

What command seems to be executed repeatedly?

c. Using BSM, finally check all the files being written by the user guest.
[x1] # auditreduce -A -u guest -c fw | praudit -ls | more
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:02 PM PST, + 919999843 msec,path,/tmp/file.0,attribute,100644,guest,staff,0,2676672,18446744073709551615,subject,guest,guest,staff,guest,staff,468,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 280000101 msec,path,/tmp/file.1,attribute,100644,guest,staff,0,2633121,18446744073709551615,subject,guest,guest,staff,guest,staff,469,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 339999319 msec,path,/tmp/file.2,attribute,100644,guest,staff,0,2633041,18446744073709551615,subject,guest,guest,staff,guest,staff,470,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 410001441 msec,path,/tmp/file.3,attribute,100644,guest,staff,0,2633481,18446744073709551615,subject,guest,guest,staff,guest,staff,471,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 470000382 msec,path,/tmp/file.4,attribute,100644,guest,staff,0,2632921,18446744073709551615,subject,guest,guest,staff,guest,staff,472,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 530001609 msec,path,/tmp/file.5,attribute,100644,guest,staff,0,2698922,18446744073709551615,subject,guest,guest,staff,guest,staff,473,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 599999959 msec,path,/tmp/file.6,attribute,100644,guest,staff,0,2699002,18446744073709551615,subject,guest,guest,staff,guest,staff,474,453,8209 131095 lightning,return,success,3

Do you notice any patterns in the files being written?
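The analysis in step 18 can be scripted instead of read by eye. The following Python is an added example written for this page; it is not part of the original lab and not Solaris code. It parses praudit -ls records, rebuilds guest's command sequence from the execve(2) records (the exec_args produced by the argv policy set in step 4), and flags any session that creates many files under /tmp within a short window, which is exactly the pattern the hog script leaves behind. The embedded sample input is the record set shown in steps 18a-c, re-joined onto one line each; the parser assumes one record per line with an empty modifier field, as in those records, and treats the nine-digit fraction that praudit labels "msec" as nanoseconds, which is an assumption about the output rather than documented behaviour.

```python
"""Rebuild a user's command sequence and detect a /tmp fill from praudit -ls records.
Added example for this lab, not code from the original exercise or from Solaris."""
import re
from datetime import datetime, timedelta

# Constructed sample input: the records shown in steps 18a-c, re-joined onto one
# line each (praudit -ls emits exactly one record per line).
SAMPLE = """\
header,81,2,login - telnet,,Thu 31 Jan 2002 04:31:50 PM PST, + 870002270 msec,subject,guest,guest,staff,guest,staff,443,443,8209 65559 lightning,text,successful login,return,success,0
header,77,2,logout,,Thu 31 Jan 2002 04:31:57 PM PST, + 889999276 msec,subject,guest,guest,staff,guest,staff,443,443,8209 65559 lightning,text,logout guest,return,success,0
header,145,2,execve(2),,Thu 31 Jan 2002 04:32:53 PM PST, + 479997497 msec,path,/usr/bin/cat,attribute,100555,root,bin,32,74543,0,exec_args,2,cat,/etc/shadow,subject,guest,guest,staff,guest,staff,460,453,8209 131095 lightning,return,success,0
header,147,2,execve(2),,Thu 31 Jan 2002 04:33:00 PM PST, + 59998772 msec,path,/usr/bin/ls,attribute,100555,root,bin,32,74626,0,exec_args,3,ls,-l,/export/home,subject,guest,guest,staff,guest,staff,461,453,8209 131095 lightning,return,success,0
header,148,2,execve(2),,Thu 31 Jan 2002 04:33:17 PM PST, + 489998143 msec,path,/usr/sbin/snoop,attribute,100555,root,bin,32,962410,0,exec_args,1,/usr/sbin/snoop,subject,guest,guest,staff,guest,staff,463,453,8209 131095 lightning,return,success,0
header,140,2,execve(2),,Thu 31 Jan 2002 04:33:22 PM PST, + 349997520 msec,path,/usr/bin/ls,attribute,100555,root,bin,32,74626,0,exec_args,3,ls,-ld,/tmp,subject,guest,guest,staff,guest,staff,464,453,8209 131095 lightning,return,success,0
header,135,2,execve(2),,Thu 31 Jan 2002 04:33:28 PM PST, + 340001075 msec,path,/usr/bin/vi,attribute,100555,root,bin,32,74571,0,exec_args,2,vi,hog,subject,guest,guest,staff,guest,staff,465,453,8209 131095 lightning,return,success,0
header,144,2,execve(2),,Thu 31 Jan 2002 04:34:59 PM PST, + 599999703 msec,path,/usr/bin/chmod,attribute,100555,root,bin,32,74545,0,exec_args,3,chmod,+x,hog,subject,guest,guest,staff,guest,staff,466,453,8209 131095 lightning,return,success,0
header,157,2,execve(2),,Thu 31 Jan 2002 04:35:02 PM PST, + 909999884 msec,path,/export/home/guest/hog,attribute,100755,guest,staff,136,219023,0,exec_args,3,/bin/ksh,-x,./hog,subject,guest,guest,staff,guest,staff,467,453,8209 131095 lightning,return,success,0
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:02 PM PST, + 919999843 msec,path,/tmp/file.0,attribute,100644,guest,staff,0,2676672,18446744073709551615,subject,guest,guest,staff,guest,staff,468,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 280000101 msec,path,/tmp/file.1,attribute,100644,guest,staff,0,2633121,18446744073709551615,subject,guest,guest,staff,guest,staff,469,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 339999319 msec,path,/tmp/file.2,attribute,100644,guest,staff,0,2633041,18446744073709551615,subject,guest,guest,staff,guest,staff,470,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 410001441 msec,path,/tmp/file.3,attribute,100644,guest,staff,0,2633481,18446744073709551615,subject,guest,guest,staff,guest,staff,471,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 470000382 msec,path,/tmp/file.4,attribute,100644,guest,staff,0,2632921,18446744073709551615,subject,guest,guest,staff,guest,staff,472,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 530001609 msec,path,/tmp/file.5,attribute,100644,guest,staff,0,2698922,18446744073709551615,subject,guest,guest,staff,guest,staff,473,453,8209 131095 lightning,return,success,3
header,123,2,open(2) - write,creat,trunc,,Thu 31 Jan 2002 04:35:03 PM PST, + 599999959 msec,path,/tmp/file.6,attribute,100644,guest,staff,0,2699002,18446744073709551615,subject,guest,guest,staff,guest,staff,474,453,8209 131095 lightning,return,success,3
"""

# header,<bytes>,<version>,<event>,<modifier>,<timestamp>, + <fraction> msec,<tokens>
# The event name may contain commas ("open(2) - write,creat,trunc"), so the header is
# taken apart by regex first; records with a non-empty modifier field are skipped.
HEADER_RE = re.compile(
    r"^header,(\d+),(\d+),(.*?),,"
    r"(\w{3} \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [AP]M) \w+, \+ (\d+) msec,(.*)$"
)
FIXED = {"attribute": 7, "text": 2}  # keyword tokens followed by a fixed value count

def parse_record(line):
    """Return a dict for one praudit -ls record, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event, stamp, frac, rest = m.group(3), m.group(4), int(m.group(5)), m.group(6)
    # praudit labels the fraction "msec", but nine-digit values cannot be
    # milliseconds; they are treated as nanoseconds here (an assumption).
    when = datetime.strptime(stamp, "%a %d %b %Y %I:%M:%S %p") + timedelta(microseconds=frac // 1000)
    rec = {"event": event, "when": when, "path": None, "argv": None,
           "auid": None, "pid": None, "sid": None, "status": None}
    tok, i = rest.split(","), 0
    while i < len(tok):
        t = tok[i]
        if t == "path":                      # path,<pathname>
            rec["path"] = tok[i + 1]
            i += 2
        elif t == "exec_args":               # exec_args,<count>,<arg>...
            n = int(tok[i + 1])
            rec["argv"] = tok[i + 2:i + 2 + n]
            i += 2 + n
        elif t == "subject":                 # subject,auid,uid,gid,ruid,rgid,pid,sid,tid
            rec["auid"], rec["pid"], rec["sid"] = tok[i + 1], int(tok[i + 6]), int(tok[i + 7])
            i += 9
        elif t == "return":                  # return,<status>,<value>
            rec["status"] = tok[i + 1]
            i += 3
        else:
            i += FIXED.get(t, 1)
    return rec

def parse_records(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def command_timeline(records, user):
    """Chronological 'HH:MM:SS sid= pid= argv' lines for the user's execve(2) records."""
    return [f"{r['when']:%H:%M:%S} sid={r['sid']} pid={r['pid']} {' '.join(r['argv'])}"
            for r in sorted(records, key=lambda r: r["when"])
            if r["event"] == "execve(2)" and r["auid"] == user and r["argv"]]

def find_tmp_fill(records, directory="/tmp", min_files=5, window=timedelta(seconds=2)):
    """Per session, report the largest burst of >= min_files successful file creations
    under directory within window as (sid, count, first_path, last_path)."""
    prefix = directory.rstrip("/") + "/"
    by_sid = {}
    for r in sorted(records, key=lambda r: r["when"]):
        if (r["event"].startswith("open(2)") and "creat" in r["event"]
                and r["status"] == "success" and (r["path"] or "").startswith(prefix)):
            by_sid.setdefault(r["sid"], []).append(r)
    hits = []
    for sid, recs in by_sid.items():
        best, lo = None, 0
        for hi in range(len(recs)):
            while recs[hi]["when"] - recs[lo]["when"] > window:
                lo += 1
            count = hi - lo + 1
            if count >= min_files and (best is None or count > best[1]):
                best = (sid, count, recs[lo]["path"], recs[hi]["path"])
        if best:
            hits.append(best)
    return hits

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("\n".join(command_timeline(recs, "guest")))
    for sid, n, first, last in find_tmp_fill(recs):
        print(f"session {sid}: {n} files created under /tmp within 2s ({first} .. {last})")
```

On a live system the same functions can be fed the output of auditreduce -A -u guest | praudit -ls. Grouping by session ID (the sid field of the subject token, 453 in the records above) rather than by pid is what ties the burst of open(2) records back to the telnet session that started the hog script, since every cat in the loop runs as a fresh process.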
19) Try to open two instances of netscape by clicking on the globe icon located at the bottom left of the control panel. Did you notice anything different?

20) Open a new terminal window on the server host. Check your virtual memory usage with the vmstat command. Look under the "swap" column in the output; the value is in kilobytes. A server with a gigabyte of virtual memory should show a number around 800,000.

[x3] # vmstat 1

21) By this point, you should have deduced that the user guest logged in via telnet. The user then created a script called "hog". The hog script used the cat command to open a large file repeatedly and redirect each copy into the /tmp directory. It appears that the "hog" script has completely filled the server host's /tmp directory with these arbitrary files. Because /tmp is swap-backed, this caused a memory denial of service on the server host, evident from the inability to start new instances of netscape. The vmstat output showed that virtual memory was down to about 2,000 - 3,000k. A standard instance of netscape requires 10,000k.

22) Kick the unwanted guest user off the server host. After the connection is closed, lock the guest account until further notice. Killing the login shell ends the telnet session; confirm with whodo that none of guest's processes (in particular the hog script) are still running before moving on.

[x1] # who -a          <---- get the process ID of the guest login shell
[x1] # kill -9 PID
[x1] # passwd -l guest <---- lock the account

23) Clear the virtual memory by removing the files from the /tmp directory. Check the output of vmstat in terminal window [x3].

[x1] # ls -l /tmp/*
[x1] # rm -r /tmp/file*