how to detect if a service is stopped by privileged user?

Support for security such as Firewalls and securing linux
remy06
Posts: 13
Joined: 2010/11/08 08:44:03

how to detect if a service is stopped by privileged user?

Post by remy06 » 2011/08/23 06:54:38

Hi,

Need some advice on a scenario. I have a tool installed on serverA to collect logs and forward them to a central log server.

However, there's a concern that an admin with privileged access (root) can log in to the system, stop the service for this tool, do malicious things and then restart the tool, and one of the things I'm trying to detect is when an admin has stopped/started the service.

Can anyone advise on how to detect this in CentOS?

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

how to detect if a service is stopped by privileged user?

Post by unspawn » 2011/08/23 17:16:06

[quote]However, there's a concern that an admin with privileged access (root) can log in to the system, stop the service for this tool, do malicious things and then restart the tool, and one of the things I'm trying to detect is when an admin has stopped/started the service.[/quote]
AFAIK an out-of-the-box audit trail starts with PAM logging the login. This can not be circumvented on login, but log cleaning can happen afterwards (remote impenetrable log server?), or logging can be stopped altogether (monitor services?), or configuration files could be changed (monitor conf file changes?). Obviously local monitoring isn't tamper-proof, but if the process could be started from /sbin/init then it will reap the dead and resurrect them.

On login the shell records plain CLI commands, or it could be done through at or cron. Shell history can be unset easily, so having a shell wrapper like Rootsh (which can log to syslog) makes sense. A shell wrapper would also show any key strokes the user entered when trying to bypass logging using an editor to create and save a cron or at job under an innocuously sounding name.

When executing SysV init scripts, services will report the change, but killing a service with a plain 'kill' might not, so monitoring processes and watching for init script changes makes sense here too. On CentOS we have audit, which does log some events even without configuration, and audit rules are relatively easy to create. Apart from the monitoring tool being started from /sbin/init, your service can be too. The only problem you'll have to face that crosses my mind is log rotation, as init doesn't keep dead processes around long enough for a large log file to be processed (go for delayed compression?).

As for a monitoring tool I'll suggest Samhain, as it can watch files and processes for change, logins and log files, and it can send logs to a remote log server without relying on (r)syslog. HTH

remy06
Posts: 13
Joined: 2010/11/08 08:44:03

Re: how to detect if a service is stopped by privileged user?

Post by remy06 » 2011/12/08 08:52:51

Hi,

Currently there are two ways I thought of that could stop my log monitoring tool. I'm currently testing it on a test VM running CentOS, and I'm running Splunk.

1)
The Splunk tool can be started and stopped by executing these:
/path/installationdirectory/splunk/bin/splunk start
/path/installationdirectory/splunk/bin/splunk stop

2) kill -9 12345 (killing the process itself)

I'm thinking of using auditd to log the event and would appreciate some advice on specifying the rule properly so as not to log unnecessary stuff.

Will this work as well, for example?
-a entry,always -F arch=b32 -S kill

My objective is to log any success/fail attempt to stop the service.
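An added example covering both the audit-rule approach unspawn describes and the two stop paths remy06 lists (the control script and a plain kill). It is not code from either poster nor from Splunk: it assumes an install path of /opt/splunk and an init script at /etc/init.d/splunk (substitute your own), uses the current `always,exit` rule syntax instead of the deprecated `entry,always`, and the audit.log records it runs over are constructed, not a real capture. The rules watch execution of the control script and filter kill(2) on SIGKILL/SIGTERM only, so ordinary signal traffic is not logged; the parser then joins the SYSCALL and EXECVE records of each event by serial and reports who attempted a stop and whether it succeeded.

```python
"""Detect an admin stopping a log agent, from audit rules plus the audit.log records they produce."""
import re

# Assumed paths (example only; substitute the real install and init script locations).
SPLUNK_BIN = "/opt/splunk/bin/splunk"
INIT_SCRIPT = "/etc/init.d/splunk"

# auditctl rules this detector expects, loadable with: auditctl -R rules.txt
# (or appended to /etc/audit/audit.rules). -p x logs every execution of the control
# script; the kill rules filter on the signal argument (a1) so only SIGKILL (9) and
# SIGTERM (15) are recorded. Both arches are listed because a 32-bit binary can
# issue the syscall on a 64-bit kernel.
AUDIT_RULES = f"""
-w {SPLUNK_BIN} -p x -k splunk_ctl
-w {INIT_SCRIPT} -p x -k splunk_ctl
-a always,exit -F arch=b64 -S kill -F a1=9 -k kill_sig
-a always,exit -F arch=b32 -S kill -F a1=9 -k kill_sig
-a always,exit -F arch=b64 -S kill -F a1=15 -k kill_sig
-a always,exit -F arch=b32 -S kill -F a1=15 -k kill_sig
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SIGNALS = {"9": "SIGKILL", "f": "SIGTERM"}  # syscall args are printed in hex in audit.log


def parse_audit(lines):
    """Group raw audit.log records by event serial, keeping the fields of each record type."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(serial, {"time": float(ts), "records": {}})
        ev["records"][rtype] = fields
    return events


def detect_stop_attempts(lines, monitored_pids):
    """Return (serial, action, outcome, actor) for every attempt to stop the agent.

    monitored_pids: the agent's pids, e.g. read from its pid file or pgrep output."""
    alerts = []
    for serial, ev in sorted(parse_audit(lines).items(), key=lambda kv: kv[1]["time"]):
        sc = ev["records"].get("SYSCALL")
        if not sc:
            continue
        outcome = "success" if sc.get("success") == "yes" else "failed"
        # auid survives su/sudo, so it names the admin who logged in rather than just "root".
        actor = "auid=%s uid=%s tty=%s comm=%s" % (
            sc.get("auid"), sc.get("uid"), sc.get("tty"), sc.get("comm"))
        key = sc.get("key")
        if key == "splunk_ctl":
            ex = ev["records"].get("EXECVE", {})
            argv = [ex.get("a%d" % i, "") for i in range(int(ex.get("argc", "0")))]
            if len(argv) > 1 and argv[1] in ("stop", "restart"):
                alerts.append((serial, "%s %s" % (argv[0], argv[1]), outcome, actor))
        elif key == "kill_sig":
            target = int(sc.get("a0", "0"), 16)  # a0 of kill(2) is the target pid, in hex
            if target in monitored_pids:
                sig = SIGNALS.get(sc.get("a1"), "signal 0x%s" % sc.get("a1"))
                alerts.append((serial, "%s to pid %d" % (sig, target), outcome, actor))
    return alerts


# Constructed records (not a real capture): an admin runs "splunk stop" under sudo,
# then SIGKILLs the agent from a bash prompt (bash's builtin kill shows comm="bash"),
# an unprivileged user fails to SIGKILL it, root kills an unrelated pid, and
# "splunk status" is run. Only the first three should alert.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1323334567.201:1001): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b4d a2=1a2b5e a3=0 items=2 ppid=2000 pid=2001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="splunk" exe="/opt/splunk/bin/splunk" key="splunk_ctl"',
    'type=EXECVE msg=audit(1323334567.201:1001): argc=2 a0="/opt/splunk/bin/splunk" a1="stop"',
    'type=SYSCALL msg=audit(1323334599.410:1002): arch=c000003e syscall=62 success=yes exit=0 a0=10e1 a1=9 a2=0 a3=0 items=0 ppid=2000 pid=2010 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="kill_sig"',
    'type=SYSCALL msg=audit(1323334650.022:1003): arch=c000003e syscall=62 success=no exit=-1 a0=10e1 a1=9 a2=0 a3=0 items=0 ppid=3000 pid=3001 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=4 comm="kill" exe="/bin/kill" key="kill_sig"',
    'type=SYSCALL msg=audit(1323334700.500:1004): arch=c000003e syscall=62 success=yes exit=0 a0=270f a1=9 a2=0 a3=0 items=0 ppid=2000 pid=2020 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="kill" exe="/bin/kill" key="kill_sig"',
    'type=SYSCALL msg=audit(1323334720.700:1005): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b4d a2=1a2b5e a3=0 items=2 ppid=2000 pid=2030 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="splunk" exe="/opt/splunk/bin/splunk" key="splunk_ctl"',
    'type=EXECVE msg=audit(1323334720.700:1005): argc=2 a0="/opt/splunk/bin/splunk" a1="status"',
]

MONITORED_PIDS = {4321}  # constructed: 0x10e1, the agent's pid in the sample records

if __name__ == "__main__":
    for alert in detect_stop_attempts(SAMPLE_LOG, MONITORED_PIDS):
        print(alert)
```

Two caveats a practitioner should keep in mind. The execution watch only proves that `splunk stop` was run; the exec itself succeeds even when the caller lacks the rights to stop the daemon, so the "success" there is about the exec, while the kill rule's success/fail reflects the actual signal delivery. And since the concern is a root user, the rules themselves need protecting: `auditctl -e 2` makes the loaded rule set immutable until reboot, and the audit log should be shipped off-host (the same remote log server unspawn suggests) so a later cleanup on serverA cannot hide the stop. For ad hoc review, `ausearch -k splunk_ctl -i` and `ausearch -k kill_sig -i` show the same events with uids and syscall names resolved.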
