Lecture 16: UNIX Forensics

1
Lecture 16 UNIX Forensics

• 6/26/2003
• CSCE 590
• Summer 2003

2
Syslog

• A standard system logging facility
• Unix, Windows, routers, switches, blenders, etc
• On UNIX, configuration in /etc/syslog.conf
• Daemon called syslogd
• Can syslog over the network to a dedicated syslog
  server
• Targeted by intruders

3
Syslog.conf

• Which messages are sent to which logs
• Each line contains
• Facility field subsystem that produces the log
  file
• Auth(security), authpriv, cron, daemon, kern,
  lpr, mail, ftp, news, syslog, user, uucp,
  local0-local7
• Priority field severity of log (8 levels)
• Debug, info, notice, warning, err, crit, alert,
  emerg
• Action field name of log file, IP or remote
  syslog server

4
Syslog Priority Field

• Debug - all occurrences, everything
• Info usual occurrences (like fyis)
• Notice unusual occurrences, investigate
• Warning warning messages
• Err other error conditions
• Crit critical condition or failure
• Alert urgent situation
• Emerg (panic) panic situation (warp core breach)

5
Programmers interface

• include ltsyslog.hgt
• void openlog(const char ident, int option, int
  facility)
• Opens a connection to the system logger for a
  program
• void syslog(int priority, const char format,
  ...)
• Generates a log message to be distributed by
  syslogd
• void closelog(void)
• Closes the descriptor to the system logger for a
  program

6
Sample syslog.conf
7
Shell Histories

• History of all commands you type
• In each users home directory
• .history
• .bash_history
• .sh_history
• .ksh_history
• Commonly targeted by intruders
• Delete it, recreated as directory
• Delete it, link it to /dev/null (bit bucket)
• Just turn off history function in your shell,
  delete it

8
The grep Family

• grep search for string in file
• bzgrep - in a bzip2 compressed file
• zgrep search possibly compressed files
• zipgrep - search files in a ZIP archive
• grepjar - search files in a jar file for a
  pattern
• fgrep search for strings identified within a
  given file, one pattern per line
• bzfgrep - in a bzip2 compressed file
• Egrep search using extended regular expressions
• bzegrep - in a bzip2 compressed file

9
grep Options

• -r recursion
• -i case insensitive
• -a handle binary files (kind of like piping to
  strings)
• -v NOT this string

10
find

• grep looks in files, find searches other
  attributes of files (metadata)
• File name, including regular expressions, case
  insensitive
• Time periods for MAC
• Belongs to GID or groups name
• Belongs to a UID or user name
• Nouser and nogroup doesnt have a user or group
  defined for its GID or UID

11
find

• Is on file system of type xxxx
• Has a particular inode number
• Has a particular number of links to it
• Is a symbolic link
• Search on permission bits
• File size
• File type

12
find Actions

• -print print what you find
• -printf
• -exec xxx execute xxx command on a hit
• -ls list it in ls dils format
• Much more stuff! Good man page to read.

13
Hiding in the File System

• Hide in a rarely visited or busy directory
• /dev
• Look for regular files, should be too many
• Font directories
• OS source code directories
• Man page directories
• Creative naming
• .
• ..

14
Hiding in the File System

• Slack space
• Deleted files
• Unlinked open files
• Trojaned system files
• Decoy file system mounts
• Mount a file system over existing data in a
  current file system
• Existing data becomes hidden, could hide an
  executable being run or a file being written to
• df may show a lot more space used in a file
  system that you can account for with du

15
Checking RPMs

• RPM are applications packages (Linux)
• Compares info about files in an installed package
  with info stored about themin the RPM database
• Simple integrity check
• for i in rpm qa do rpm V i done
• Error prone and can be subverted
• Catches less skilled intruders

16
Output of Verify RPMs

• S - file Size differs
• M - Mode differs, includes permissions, file type
• 5 - MD5 sum differs
• D - Device major/minor number mis-match
• L (readlink(2)) path mis-match
• U - User ownership differs
• G - Group ownership differs
• T - mtime differs
• c configuration file (expected to change)

17
Rpm Verify Example
18
Inode Timelines

• ls lit sort more
• List all inodes
• Looking for entries that seem out of place, very
  high or very low
• If you find any out of place, look for other
  inodes around that number to find possible
  related files

19
Inode Timelines Example
20
Signals

• Simple interprocess communications
• One program sends a message to another
• Pre-defined messages
• 16 or 32 depending on platform
• Some are useful for terminating a program
  gracefully
• Might be able to freeze it in memory so as not to
  lose evidence

21
Useful Signals

• HUP (1) Hangup
• INT (2) Interrupt, stop running ltctrlgtC
• KILL (9) Stop unconditionally and immediately
• TERM (15) Terminate gracefully if possible
• STOP (17) Stop unconditionally continue
  with CONT
• TSTP (18) Stop executing, ready to continue
• CONT (19) Continue executing after STOP
  or TSTP
• USR1 (30) A user defined signal

22
Startup and Shutdown Scripts

• Usually found in /etc
• Can be files like rc.local and rc.shutdown
• Can be directories of scripts or links to scripts
  like rc0.d-rc6.d, rc.d, and init.d
• The kernel boots and first loads
• init process control initialization
• If init dies, the system reboots
• Makes sure the system enters the correct run
  level (single user, multi-user, etc)

23
BSD-Like RC Scripts

• Simpler scripts
• rc.conf configuration variables for what to
  start, included in other startup scripts
• Rc starts up a bunch of system services that
  must be run before securelevel changes
• rc.securelevel levels 1 through 2
• rc.local run next, local services, network,
  system daemons
• rc.shutdown clean up commands when system is
  going down
• Ex. Gracefully stopping a databse

24
rc.securelevel

• Run after rc script
• Level 1 Permanently insecure
• Init cant raise securelevel but sysctl can
• Level 0 Insecure mode
• During bootstrapping, single user
• all devices may be read/written subject to
  permissions
• system file flags may be cleared

25
rc.securelevel

• Level 1 Secure mode (default multi-user)
• Only init may lower securelevel
• /dev/mem and /dev/kmem may not be written to
• raw disk devices of mounted file systems are
  read-only
• Cant remove system immutable and append-only
  file flags
• kernel modules may not be loaded or unloaded
• Level 2 Highly secure mode (Level 1 still
  applies)
• raw disk devices are always read-only, mounted or
  not
• settimeofday(2) may not set the time backwards
• ipf(8) and ipnat(8) rules may not be altered
• the ddb.console and ddb.panic sysctl(8) variables
  may not be raised (keeps people from using
  in-kernel debugger ddb(4) to modify securelevel)

26
System V-ish RC Scripts

• On a Solaris machine
• 8 different run levels, 0-6 and s and S (same
  thing)
• Default runlevel in /etc/inittab
• Level s or S single user state
• Level 0 firmware mode
• Level 1 sys admin mode, single user, all
  filesystems mounted, limited processes running
• Level 2 multi-user mode, all multiuser processes
  running

27
Init Levels (cont.)

• Level 3 extended multiuser mode, level 2 local
  resources are available over the network
• Level 4 usually not used, can ber defined as
  alternative multiuser environment
• Level 5 Shut the machine down, safe to power off
• Level 6 stop the OS and reboot to default state
  level

28
Startup Scripts

• There is a directory for each of the 0-6
  runlevels.
• /etc/rc.d/rc0.d -gt /etc/rc.d/rc0.d
• Also /etc/rc.d/init.d
• Contains the actual startup/shutdown scripts
• Are shell scripts that take as arguments
• start start up the process
• stop stop the process
• restart sometimes a restart

29
Startup Scripts

• Each of the rcX.d directories contain symbolic
  links to scripts in the init.d directory
• Format of name of link determines argument to
  start up script and when it is started
• K03nfs
• run script pointed to by this link with the stop
  option (KKill)
• Run it third in the order of scripts
• S75ntpd
• run script pointed to by this link with the start
  option (SStart)
• Run it 75th in the order of scripts

30
References

• Chapters 11,12