Securing Solaris – Using syslogs during an Intrusion

Randy Marchany
va-scan
Copyright 2002, Marchany
Introduction
 Reference document: “Inspecting your Solaris system and network logs for evidence of intrusions”, www.cert.org/securityimprovements/implementations/i003.html
 Inspect log files daily
 Document unusual entries you find
Introduction
 Investigate each documented abnormality
– Can it be explained by an authorized user?
– Can it be explained by known system activity?
– Can it be explained by known changes to programs?
 Report all confirmed evidence of intrusion to your sysadmin (Milko) or [email protected].
System Log Files
 Most log information is sent to /var/adm/messages.
 mail.debug information is sent to /var/log/syslog or /var/adm/syslog.
 auth.notice messages aren't logged by default; add a selector for them in /etc/syslog.conf if you want su and login activity recorded.
 Check /etc/syslog.conf for the exact locations of the system log files.
System Log Files
 /var/adm/messages
– Records system console output and syslog messages.
– Look for unexpected system halts:
• Mar 31 12:48:31 <hostname> unix: halted by <user>
– Look for unexpected system boots.
– Look for failed su and login commands.
– Look for unexpected successful su commands.
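The four checks on this slide, written as a small sh script. This is an added example, not part of the original slides: it builds a constructed /var/adm/messages-style file, lists halt and boot records, counts repeated login failures, and summarises su attempts per user and target, flagging a success that follows failed attempts (the pattern a password-guessing attacker leaves). The message formats follow Solaris su and login(1) syslog entries; the host, user and time values in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original slides: scan a /var/adm/messages-style
# file for the four things listed above. Message formats follow the Solaris
# unix/su/login(1) syslog entries; the log below is constructed, and the
# host and user names in it are made up.

SAMPLE_LOG=${TMPDIR:-/tmp}/messages.sample.$$
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 31 12:48:31 host1 unix: halted by rmarchany
Mar 31 12:50:02 host1 unix: SunOS Release 5.8 Version Generic 64-bit
Mar 31 13:02:11 host1 su: 'su root' failed for jdoe on /dev/pts/3
Mar 31 13:02:19 host1 su: 'su root' failed for jdoe on /dev/pts/3
Mar 31 13:03:40 host1 su: 'su root' succeeded for jdoe on /dev/pts/3
Mar 31 13:05:00 host1 su: 'su oracle' succeeded for dba on /dev/pts/5
Mar 31 13:10:05 host1 login: REPEATED LOGIN FAILURES ON /dev/pts/4 FROM 10.0.0.9, guest
Mar 31 14:00:00 host1 sendmail[221]: daily mail stats
EOF

# Kernel records of halts plus the boot banner, so halts and boots can be paired.
halts_and_boots() {
    grep -E 'unix: halted by|SunOS Release' "$1"
}

# Number of "REPEATED LOGIN FAILURES" records written by login(1) at auth.crit.
login_failures() {
    awk '/REPEATED LOGIN FAILURES/ { n++ } END { print n + 0 }' "$1"
}

# awk program for the su records, kept in a variable so the quotes stay readable.
SU_AWK=$(cat <<'EOF'
# Solaris su line:  ... su: 'su TARGET' failed|succeeded for USER on TTY
index($0, " su: ") {
    split($0, q, "'")                  # q[2] = "su TARGET", q[3] = " failed for USER on TTY"
    nt = split(q[2], t, " ")
    target = (nt >= 2) ? t[2] : "root" # a bare "su" means root
    split(q[3], w, " ")                # w[1] = result, w[3] = user
    key = w[3] SUBSEP target
    seen[key] = 1
    if (w[1] == "failed") fail[key]++
    if (w[1] == "succeeded") {
        ok[key]++
        if (fail[key] + 0 > 0) guess[key] = 1   # success after failures: guessed password?
    }
}
END {
    for (k in seen) {
        split(k, kk, SUBSEP)
        printf "%s->%s failed=%d succeeded=%d%s\n", kk[1], kk[2],
               fail[k] + 0, ok[k] + 0, (k in guess) ? " SUSPICIOUS" : ""
    }
}
EOF
)

# One line per user->target pair; a success that follows failures is flagged.
su_summary() {
    awk "$SU_AWK" "$1" | sort
}

halts_and_boots "$SAMPLE_LOG"
su_summary "$SAMPLE_LOG"
echo "repeated login failures: $(login_failures "$SAMPLE_LOG")"
```

Which of these records actually reach /var/adm/messages depends on /etc/syslog.conf: su logs failures at auth.crit and successes at auth.notice, so with the stock configuration the failures land in messages while the successes need an auth.notice selector (su also keeps its own record in /var/adm/sulog when SULOG is set in /etc/default/su). Point the functions at whichever file the selectors send them to.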
System Log Files
 /var/adm/pacct
– Records all commands run by users. Process accounting must be enabled before this file is generated.
– The lastcomm command shows the recorded commands.
 /var/adm/aculog
– Keeps track of dial-out modem use.
– Look for dial-out records or unauthorized use of dial-out modems.
System Log Files
 /var/log/syslog
– Contains the sendmail log entries for the system (the mail.debug selector above).
– TCP Wrappers and PortSentry write their entries to this file as well. Both log through syslog, and tcpd's compiled-in default facility is mail, so check which facility each was built or configured to use before assuming its entries are here.
Process Analysis
 Normal System Functions
– What processes do you expect to be running on this system?
 System Users
– Is it normal for each of these users to be using the system at this time of day?
– From where are they accessing the system? Is this expected?
Process Analysis
 Executing Processes
– How was the process started? By what user?
– What is the current status of the process? Running, stopped, suspended, swapped out, exiting?
– Is it missing from the processes you expected to be active?
– What system settings are in effect for this process?
Process Analysis
 Executing Processes
– What options or input arguments is the process executing? Are they valid?
– Are the system resources being used consistent with what you expect the process to be using?
– What is the relationship between the process and other processes running on the system? Is there a parent-child relationship?
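The process questions on these slides turned into two concrete checks, as an added example that is not part of the original slides: a baseline comparison over a saved process listing (what do you expect to be running?), and the parent chain of any shell whose parent is a network daemon that has no business spawning one (the parent-child question). The listing is constructed in the shape of `ps -eo pid,ppid,user,comm` output; the baseline and the daemon list are assumptions you would replace with this host's own.

```shell
#!/bin/sh
# Added example, not from the original slides: check a saved process listing
# against a baseline of expected commands and show the ancestry of shells that
# hang off network daemons. The listing is constructed in the shape of
# `ps -eo pid,ppid,user,comm`; the baseline and daemon list are assumptions.

PS_SAMPLE=${TMPDIR:-/tmp}/ps.sample.$$
trap 'rm -f "$PS_SAMPLE"' EXIT
cat > "$PS_SAMPLE" <<'EOF'
  PID  PPID USER     COMMAND
    0     0 root     sched
    1     0 root     /etc/init
  118     1 root     /usr/sbin/inetd
  140     1 root     /usr/sbin/syslogd
  221     1 root     /usr/lib/sendmail
  305   118 root     in.ftpd
  310   305 root     /bin/sh
  350   118 root     in.telnetd
  351   350 jdoe     /bin/ksh
  500     1 nobody   /usr/local/bin/nc
EOF

# What you expect to see running on this host (assumed baseline).
BASELINE="sched /etc/init /usr/sbin/inetd /usr/sbin/syslogd /usr/lib/sendmail in.ftpd in.telnetd /bin/sh /bin/ksh"

# Processes whose command is not in the baseline, printed as: pid user command.
unexpected_processes() {
    awk -v base="$2" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    NR > 1 && !($4 in ok) { print $1, $3, $4 }' "$1"
}

ANCESTRY_AWK=$(cat <<'EOF'
function base(c,   a, n) { n = split(c, a, "/"); return a[n] }
# pid and command of p, then each ancestor up to init.
function chain(p,   s) {
    s = p " " cmd[p]
    while (p in pp && pp[p] != p && p != 1) { p = pp[p]; s = s " <- " p " " cmd[p] }
    return s
}
BEGIN { n = split(parents, d, " "); for (i = 1; i <= n; i++) daemon[d[i]] = 1 }
NR > 1 { pp[$1] = $2; usr[$1] = $3; cmd[$1] = $4 }
END {
    for (p in pp) {
        b = base(cmd[p]); pb = base(cmd[pp[p]])
        if ((b == "sh" || b == "ksh" || b == "csh" || b == "bash") && (pb in daemon))
            print usr[p] " " chain(p)
    }
}
EOF
)

# Shells whose parent is one of the named daemons, printed with their ancestry.
# Shells under in.telnetd or in.rlogind are normal, so do not list those as
# parents; an ftp or finger daemon with a shell child is worth a look.
shells_under() {
    awk -v parents="$2" "$ANCESTRY_AWK" "$1" | sort
}

unexpected_processes "$PS_SAMPLE" "$BASELINE"        # 500 nobody /usr/local/bin/nc
shells_under "$PS_SAMPLE" "inetd in.ftpd in.fingerd"
```

On a live Solaris host, capture the listing with `ps -eo pid,ppid,user,comm > ps.now` and feed that file to both functions; keep a copy taken when the system was known-good as the source of the baseline rather than typing one from memory.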
Process Analysis
 Open Files
– What files are opened by the process?
– Is the process authorized to open these files?
– Any access to sensitive system files, e.g., password files?
– Any unauthorized attempts to open a file?
– Any file access errors?
– What files are imported or exported?
Process Analysis
 Network Connections
– Has the process opened any network connections to external sites?
– Have any connection failures been recorded?
– Have there been any unexpected connections?
– Are there any open network sockets that can't be attributed to valid processes?
– In what mode is each socket open?
– Are all of the network interfaces operating as expected?
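Two of the network questions answered from a saved `netstat -an`, as an added example that is not part of the original slides: which listening TCP ports are outside the expected baseline, and which established connections have a remote end outside the internal address ranges. The capture below is constructed in the Solaris "host.port" notation; the expected port list and the internal prefixes are assumptions. A third function maps a port back to its process with pfiles(1), since Solaris has no lsof by default; it needs a live Solaris host and is not exercised by the sample.

```shell
#!/bin/sh
# Added example, not from the original slides: answer two of the questions
# above from a saved `netstat -an` (Solaris "host.port" notation, TCP section).
# The capture below is constructed; the port list and "internal" prefixes are
# assumptions you would replace with the system's real baseline.

NETSTAT_SAMPLE=${TMPDIR:-/tmp}/netstat.sample.$$
trap 'rm -f "$NETSTAT_SAMPLE"' EXIT
cat > "$NETSTAT_SAMPLE" <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 24576      0 LISTEN
      *.25                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN
      *.6000               *.*                0      0 24576      0 LISTEN
192.168.1.5.22       10.0.0.9.40112       49640      0 49640      0 ESTABLISHED
192.168.1.5.32771    203.0.113.7.6667     49640      0 49640      0 ESTABLISHED
EOF

# Listening TCP ports that are not in the expected baseline.
# usage: unexpected_listeners FILE "22 25 111"
unexpected_listeners() {
    awk -v expected="$2" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $NF == "LISTEN" {
        p = split($1, a, "."); port = a[p]      # port is the text after the last dot
        if (!(port in ok)) print port
    }' "$1"
}

# Established connections whose remote end is outside the internal prefixes.
# usage: external_connections FILE "192.168. 10."
external_connections() {
    awk -v internal="$2" '
    BEGIN { n = split(internal, pfx, " ") }
    $NF == "ESTABLISHED" {
        inside = 0
        for (i = 1; i <= n; i++) if (index($2, pfx[i]) == 1) inside = 1
        if (!inside) print $1 " -> " $2
    }' "$1"
}

# On a live Solaris host, map an unexpected port back to its process with
# pfiles(1), which prints "port: N" for each socket a process holds.
# Not exercised by the constructed sample above.
owner_of_port() {
    command -v pfiles >/dev/null 2>&1 || { echo "pfiles(1) not available; run on Solaris" >&2; return 1; }
    for pid in /proc/[0-9]*; do
        pid=${pid#/proc/}
        if pfiles "$pid" 2>/dev/null | grep -q "port: $1\$"; then
            ps -o pid,user,args -p "$pid"
        fi
    done
}

unexpected_listeners "$NETSTAT_SAMPLE" "22 25 111"      # 6000
external_connections "$NETSTAT_SAMPLE" "192.168. 10."   # 192.168.1.5.32771 -> 203.0.113.7.6667
```

Save the full `netstat -an` output rather than a grep of it: the functions key on the state column, so the UDP section and the headers are ignored, and the complete capture is the record you will want later when documenting the abnormality.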