여기에서는 /var/log/secure 에 대한 로그파일만 대상으로 함.

(첨부파일에 syslog에 대해 자세히 나와 있음)

 

1. syslog에서 떨어지는 secure 파일 위치 : /var/log/secure

 

2. logrotate 사용하여 떨어지는 secure 파일 제어

    $> vi /etc/logrotate.d/syslog

        /var/log/secure {

             sharedscripts

             postrotate

                 /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true

                 /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true

             endscript

             rotate 31                      # 한달분량 저장

             daily                              # 매일 파일 분리

             create 600 root root

          }

    $> cat /etc/cron.daily/logrotate    # 매일 실행

    /usr/bin/logrotate /etc/logrotate.conf

3. 서버내 이중저장

    $> vi /etc/syslog.conf

        authpriv.*                  /var/log/secure

        authpriv.*                  /root/logBackup/secure

    $> /etc/init.d/syslog restart

4. 서버 외부 저장

    <로그보낼서버>

    $> vi /etc/syslog.conf

       authpriv.*                   @XXX.XXX.XXX.XXX

    $> /etc/init.d/syslog restart

    <로그받을서버>

    $> vi /etc/sysconfig/syslog 파일내에 설정된

        SYSLOGD_OPTIONS="-r -m 0" 로 변경

    $> /etc/init.d/syslog restart

    * 두 서버 모두의 hosts 파일 설정으로 hostname으로 기록 가능

5. /var/log/secure 파일 파싱

    $> vi montVarLogSecure.py

    #!/usr/bin/env python

    import sys, re, os, time

    def getWho():
        """Return the raw output of ``who`` (sessions currently logged in).

        The command line is a fixed string, so no caller-supplied data reaches
        the shell; the pipe handle is closed as soon as it has been read.
        """
        with os.popen( 'who' ) as proc:
            output = proc.read()
        return output

    def getScreen():
        """Return the ``screen -wls`` listing, trimmed to the text before ``in``.

        The awk filter keeps only the part of each line before the first
        ``in``; the pipeline itself is a fixed string with no user input, and
        the pipe handle is closed after reading.
        """
        with os.popen( "screen -wls | awk -F 'in' '{print $1}'" ) as proc:
            listing = proc.read()
        return listing

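    def sucLogin( logfile ):
        """Return one ``Mon DD HH:MM:SS User: <name> `` row per ``Accepted`` line.

        Mirrors the former ``grep 'Accepted' | awk '{print $1" "$2" "$3" User: "$9" "}'``
        pipeline: ``<name>`` is the 9th whitespace-separated field (the account
        in ``sshd[N]: Accepted password for NAME from ...``), and a missing
        field prints as "" just as awk's ``$N`` does. The file is read in Python
        so that *logfile* is never interpolated, unquoted, into a shell command.
        Raises IOError when the file cannot be opened (the caller reports it).
        """
        def field( fields, index ):
            # awk prints a missing $N as an empty string; do the same.
            return fields[index] if index < len( fields ) else ''

        rows = []
        with open( logfile ) as fh:
            for line in fh:
                if 'Accepted' not in line:
                    continue
                fields = line.split()
                rows.append( "%s %s %s User: %s \n" % (
                    field( fields, 0 ), field( fields, 1 ), field( fields, 2 ), field( fields, 8 ) ) )
        return ''.join( rows )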

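    def sudoSucLogin( logfile ):
        """Return one ``Mon DD HH:MM:SS Sudo User: <who> `` row per
        ``session opened for user root`` line in *logfile*.

        ``<who>`` is the 13th whitespace-separated field, which in
        ``pam_unix(sudo:session): session opened for user root by NAME(uid=N)``
        is ``NAME(uid=N)``; a missing field prints as "" like awk's ``$13``.
        The file is read in Python so that *logfile* never reaches a shell.
        Raises IOError when the file cannot be opened (the caller reports it).
        """
        def field( fields, index ):
            # awk prints a missing $N as an empty string; do the same.
            return fields[index] if index < len( fields ) else ''

        rows = []
        with open( logfile ) as fh:
            for line in fh:
                if 'session opened for user root' not in line:
                    continue
                fields = line.split()
                rows.append( "%s %s %s Sudo User: %s \n" % (
                    field( fields, 0 ), field( fields, 1 ), field( fields, 2 ), field( fields, 12 ) ) )
        return ''.join( rows )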

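    def invalidUser( logfile ):
        """Return every line of *logfile* containing ``Invalid user`` (sshd's
        marker for a login attempt against a non-existent account).

        Equivalent to ``grep 'Invalid user'`` (case-sensitive, lines keep their
        newline) but read in Python, so *logfile* is never interpolated into a
        shell command. Raises IOError when the file cannot be opened.
        """
        with open( logfile ) as fh:
            return ''.join( line for line in fh if 'Invalid user' in line )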

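    def failedPassword( logfile ):
        """Return the ``Failed password`` lines of *logfile* for accounts that
        exist, i.e. excluding the ``... for invalid user NAME`` variant.

        The original pipeline was ``grep -v invaild | grep 'Failed password'``;
        the misspelled ``invaild`` never matched anything, so invalid-user
        failures leaked into this "authorized accounts" section. The filter is
        done in Python so *logfile* never reaches a shell. Raises IOError when
        the file cannot be opened.
        """
        with open( logfile ) as fh:
            return ''.join( line for line in fh
                            if 'invalid' not in line and 'Failed password' in line )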

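    def refusedUser( logfile ):
        """Return every line of *logfile* containing ``refused``.

        Equivalent to ``grep 'refused'`` (case-sensitive, newlines kept) but
        read in Python, so *logfile* is never interpolated into a shell
        command. Raises IOError when the file cannot be opened.
        """
        with open( logfile ) as fh:
            return ''.join( line for line in fh if 'refused' in line )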

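    def deniedUser( logfile ):
        """Return the ``access denied`` / ``Permission denied`` lines of
        *logfile*, skipping anything mentioning ``cron``.

        The original grep pattern ``'access denied\\}Permission denied'`` had
        ``\\}`` where the alternation ``\\|`` was intended, so it could never
        match both phrases. The filter is done in Python so *logfile* never
        reaches a shell. Raises IOError when the file cannot be opened.
        """
        with open( logfile ) as fh:
            return ''.join( line for line in fh
                            if 'cron' not in line
                            and ( 'access denied' in line or 'Permission denied' in line ) )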

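    def fatalNotices( logfile ):
        """Return the lines of *logfile* that mention ``ssh`` and contain
        ``Permission denied``, ``fatal`` or ``error``.

        Equivalent to ``grep ssh | grep 'Permission denied\\|fatal\\|error'``
        (case-sensitive, newlines kept) but read in Python, so *logfile* is
        never interpolated into a shell command. Raises IOError when the file
        cannot be opened.
        """
        markers = ( 'Permission denied', 'fatal', 'error' )
        with open( logfile ) as fh:
            return ''.join( line for line in fh
                            if 'ssh' in line and any( m in line for m in markers ) )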

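    def expireDate( logfile ):
        """Return the lines of *logfile* containing ``changed password expiry``
        or ``expiration from`` (account-expiry changes).

        Equivalent to ``grep 'changed password expiry\\|expiration from'`` but
        read in Python, so *logfile* is never interpolated into a shell
        command. Raises IOError when the file cannot be opened.
        """
        with open( logfile ) as fh:
            return ''.join( line for line in fh
                            if 'changed password expiry' in line or 'expiration from' in line )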

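    def top5ip( logfile ):
        """Return the five source addresses with the most ``sshd ... Failed
        password`` lines in *logfile*, formatted like ``sort | uniq -c | sort -rn``
        (count right-aligned in 7 columns, a space, the address, one per line).

        Mirrors the former awk one-liner: the prefix up to ``Failed password
        for [invalid user ]`` is stripped and the third remaining word
        (``NAME from ADDR port ...``) is counted; a line only counts when the
        prefix matched, as awk's pattern fired only when ``gsub`` substituted.
        Ties are ordered by address descending, like ``sort -rn``. The file is
        read in Python so *logfile* never reaches a shell. Raises IOError when
        the file cannot be opened.
        """
        prefix = re.compile( r'.*sshd.*Failed password for (invalid user )?' )
        counts = {}
        with open( logfile ) as fh:
            for line in fh:
                rest, hits = prefix.subn( '', line )
                if not hits:
                    continue
                words = rest.split()
                addr = words[2] if len( words ) > 2 else ''
                counts[addr] = counts.get( addr, 0 ) + 1
        ranked = sorted( counts.items(), key=lambda item: ( item[1], item[0] ), reverse=True )
        return ''.join( "%7d %s\n" % ( n, addr ) for addr, n in ranked[:5] )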

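     # Entry point: parse the log named by argv[1] (or a prompt) and write a
     # timestamped report into the directory argv[2] (or a prompt).
     try:
         # raw_input() is the Python 2 name; Python 3 renamed it to input().
         # Python 2 always has raw_input, so this never falls back to Python 2's
         # expression-evaluating input().
         try:
             _prompt = raw_input
         except NameError:
             _prompt = input

         if sys.argv[1:]:
             logfile = sys.argv[1]
         else:
             logfile = _prompt( "Please enter a log file to parse, e.g. /var/log/secure " )
         if sys.argv[2:]:
             outpath = sys.argv[2]
         else:
             outpath = _prompt( "Please enter a out path, e.g. ~/logOut/ " )

         # Expand "~" here: the shell behind the old os.system('mkdir -p ...')
         # did it, but the later open() then got the literal "~". Using
         # os.makedirs() also keeps the user-supplied path out of any shell line.
         outpath = os.path.expanduser( outpath )
         if not os.path.isdir( outpath ):
             os.makedirs( outpath )
         # join() works with or without a trailing "/"; plain concatenation
         # wrote "<outpath>YYYYmmddHHMMSS" beside the directory when it was missing.
         outfile = os.path.join( outpath, time.strftime( '%Y%m%d%H%M%S' ) )

         # The report repeats data from a 600-mode log, so create it 0600 and
         # never overwrite an existing file (O_EXCL).
         fd = os.open( outfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600 )
         ofh = os.fdopen( fd, 'w' )
         try:
             # (header, function, arguments) in report order; each section is
             # gathered right before it is written, as the old print chain did.
             sections = [
                 ( "# Who is online: ", getWho, () ),
                 ( "# Active Screen Sessions: ", getScreen, () ),
                 ( "# List out successful ssh login attempts: ", sucLogin, ( logfile, ) ),
                 ( "# List out successful ssh login attempts from sudo users: ", sudoSucLogin, ( logfile, ) ),
                 ( "# List out ssh login attempts from non-existing and unauthorized user accounts: ", invalidUser, ( logfile, ) ),
                 ( "# List out ssh login attempts by authorized ssh accounts with failed password: ", failedPassword, ( logfile, ) ),
                 ( "# List out refused ssh login attempts: ", refusedUser, ( logfile, ) ),
                 ( "# List out denied ssh login attempts: ", deniedUser, ( logfile, ) ),
                 ( "# List out fatal and miscellaneous ssh session/restart notices: ", fatalNotices, ( logfile, ) ),
                 ( "# List out all successful system account expiration date changes: ", expireDate, ( logfile, ) ),
                 ( "# Top 5 attacker IP addresses: ", top5ip, ( logfile, ) ),
             ]
             for header, gather, args in sections:
                 ofh.write( header + "\n" )
                 ofh.write( gather( *args ) + "\n" )
         finally:
             ofh.close()
     # OSError covers os.makedirs()/os.open() failures, which the old
     # os.system() call silently ignored; on Python 3 the two names are one type.
     except ( IOError, OSError ) as err:
         print( "I/O Error (%s) : %s" % ( err.errno, err.strerror ) )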

     

    $> vi /etc/cron.daily/exe.cron

    python /usr/local/bin/montVarLogSecure.py /var/log/secure ~/logOut/

 
