Hi,
Need some advice on a scenario. I have a tool installed on serverA to collect logs and forward them to a central log server.
However, there's a concern that an admin with privileged access (root) can log in to the system, stop the service for this tool, do malicious things and then restart the tool, and one of the things I'm trying to detect is when an admin has stopped/started the service.
Can anyone advise on how to detect this in CentOS?
how to detect if a service is stopped by privileged user?
[quote]However there's a concern that an admin with privileged access (root) can log-in to the system,stop the service for this tool,do malicious things and then restart the tool, and one of the things I'm trying to detect is when an admin has stopped/start the service.[/quote]
AFAIK an out-of-the-box audit trail starts with PAM logging the login. This cannot be circumvented on login, but log cleaning can happen afterwards (remote impenetrable log server?), or logging can be stopped altogether (monitor services?), or configuration files could be changed (monitor conf file changes?). Obviously local monitoring isn't tamper-proof, but if the process could be started from /sbin/init then it will reap the dead and resurrect them.

On login the shell records plain CLI commands, or it could be done through at or cron. Shell history can be unset easily, so having a shell wrapper like Rootsh (which can log to syslog) makes sense. A shell wrapper would also show any keystrokes the user entered when trying to bypass logging using an editor to create and save a cron or at job under an innocuously sounding name. When executing SysV init scripts, services will report the change, but killing a service with a plain 'kill' might not, so monitoring processes and watching for init script changes makes sense here too. On CentOS we have audit, which does log some events even w/o configuration, and audit rules are relatively easy to create.

Apart from the monitoring tool being started from /sbin/init, your service can be too. The only problem you'll have to face that crosses my mind is log rotation, as init doesn't keep dead processes around long enough for a large log file to be processed (go for delayed compression?). As for a monitoring tool, I'll suggest Samhain as it can watch files and processes for change, logins and log files, and it can send logs to a remote log server without relying on (r)syslog. HTH
Re: how to detect if a service is stopped by privileged user?
Hi,
Currently there are two ways I thought of that could stop my log monitoring tool. I'm currently testing it on a test VM running CentOS and I'm running Splunk.
1)
The Splunk tool can be started and stopped by executing these:
/path/installationdirectory/splunk/bin/splunk start
/path/installationdirectory/splunk/bin/splunk stop
2) kill -9 12345 (killing the process itself)
I'm thinking of using auditd to log the event and would appreciate some advice on specifying the rule properly so as not to log unnecessary stuff.
Will this work as well for example?
-a entry,always -F arch=b32 -S kill
My objective is to log any success/fail attempt to stop the service.
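The reply above suggests audit rules and process monitoring, and this post asks how to write the rule so that it catches both the control script and a plain kill without flooding the log. The following is an added example, not code from either poster or from Splunk: it holds a proposed rule set (exit list instead of the deprecated entry list, filtered on the signal number and the login uid) and a small parser that turns the resulting audit.log records into stop/start/kill alerts, including failed attempts. The install path /opt/splunk/bin/splunk, the keys splunk_ctl and splunk_kill, and the audit log lines are all assumptions constructed for the example.

```python
"""Parse auditd records for attempts to stop/start a monitored service.

Assumed: the service's control binary lives at /opt/splunk/bin/splunk
(hypothetical install path) and the rules in AUDIT_RULES were loaded with the
keys splunk_ctl and splunk_kill.  SAMPLE_AUDIT_LOG is constructed, not real
audit output.
"""
import re
from collections import defaultdict

# Proposed /etc/audit/rules.d/ entries.  The 'entry' list in the question
# ("-a entry,always") is deprecated; the 'exit' list is what current auditctl
# expects.  Filtering on a1 (the signal number) avoids logging every harmless
# kill() such as shell job control, and auid>=1000 limits it to real logged-in
# users (root reached via su/sudo keeps its original auid).
AUDIT_RULES = """\
-w /opt/splunk/bin/splunk -p x -k splunk_ctl
-a always,exit -F arch=b64 -S kill -F a1=15 -F auid>=1000 -F auid!=4294967295 -k splunk_kill
-a always,exit -F arch=b64 -S kill -F a1=9 -F auid>=1000 -F auid!=4294967295 -k splunk_kill
-a always,exit -F arch=b32 -S kill -F a1=15 -F auid>=1000 -F auid!=4294967295 -k splunk_kill
-a always,exit -F arch=b32 -S kill -F a1=9 -F auid>=1000 -F auid!=4294967295 -k splunk_kill
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
CONTROL_VERBS = ("start", "stop", "restart")


def parse_record(line):
    """Split one audit line into a dict; None for lines without an event id."""
    m = ID_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["_ts"] = float(m.group(1))
    rec["_serial"] = int(m.group(2))
    return rec


def group_events(lines):
    """auditd writes several records per event; group them by event serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]].append(rec)
    return events


def signed_pid(hex_arg):
    """kill()'s first argument is logged as unsigned hex; negatives are process groups."""
    val = int(hex_arg, 16)
    return val - (1 << 64) if val >= (1 << 63) else val


def service_control_alerts(lines, ctl_key="splunk_ctl", kill_key="splunk_kill"):
    """One alert per event that ran the control binary with start/stop/restart
    or sent a signal matched by the kill rule, successful or not."""
    alerts = []
    for serial, recs in sorted(group_events(lines).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        actor = {
            "serial": serial,
            "auid": syscall.get("auid"),  # login uid, survives su/sudo
            "uid": syscall.get("uid"),
            "ses": syscall.get("ses"),
            "tty": syscall.get("tty"),
            "success": syscall.get("success") == "yes",
        }
        key = syscall.get("key")
        if key == kill_key:
            alerts.append({**actor, "action": "kill",
                           "signal": int(syscall["a1"], 16),
                           "target_pid": signed_pid(syscall["a0"])})
        elif key == ctl_key:
            execve = next((r for r in recs if r.get("type") == "EXECVE"), None)
            if execve is None:
                continue
            argv = [execve.get(f"a{i}", "") for i in range(int(execve["argc"]))]
            verb = next((v for v in argv[1:] if v in CONTROL_VERBS), None)
            if verb:  # "status" and other read-only verbs are ignored
                alerts.append({**actor, "action": verb, "argv": argv})
    return alerts


# Constructed sample: SIGKILL by uid 0 (auid 1000), a stop, a status check,
# a failed SIGTERM by an unprivileged user, and a start.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=62 success=yes exit=0 a0=3039 a1=9 a2=0 a3=0 items=0 ppid=4000 pid=4100 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="splunk_kill"
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4000 pid=4200 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="splunk" exe="/opt/splunk/bin/splunk" key="splunk_ctl"
type=EXECVE msg=audit(1700000000.202:502): argc=2 a0="/opt/splunk/bin/splunk" a1="stop"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4000 pid=4300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="splunk" exe="/opt/splunk/bin/splunk" key="splunk_ctl"
type=EXECVE msg=audit(1700000000.303:503): argc=2 a0="/opt/splunk/bin/splunk" a1="status"
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=62 success=no exit=-1 a0=3039 a1=f a2=0 a3=0 items=0 ppid=5000 pid=5100 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=8 comm="bash" exe="/usr/bin/bash" key="splunk_kill"
type=SYSCALL msg=audit(1700000000.505:505): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4000 pid=4400 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="splunk" exe="/opt/splunk/bin/splunk" key="splunk_ctl"
type=EXECVE msg=audit(1700000000.505:505): argc=2 a0="/opt/splunk/bin/splunk" a1="start"
""".splitlines()


if __name__ == "__main__":
    print(AUDIT_RULES)
    for alert in service_control_alerts(SAMPLE_AUDIT_LOG):
        print(alert)
```

The watch on the binary logs every execution (the EXECVE record carries the argv, which is where "stop" versus "status" is decided, since audit rules cannot filter on argument strings), and the kill rules only fire for SIGTERM/SIGKILL from a real login session, so a failed attempt shows up as success=no with the auid of whoever tried. A kill issued by the service's own scripts or by init has no login uid (auid 4294967295) and is excluded by the filter.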