Thursday, April 10, 2008

setup sudosh and swatch on Linux server

  • purpose:
assuming root password is locked in safebox, normal user like 'jephe' can only use 'sudo sudosh' to become root, after that, everything will be recorded and can be replayed later.

  • install sudosh
download it from DAG website(search google for 'DAG sudosh') for using 'yum install sudosh' from CentOS 5 or run 'yum install sudosh' from RHEL 5 after registering with RHN using command 'rhnreg_ks --proxy=http://x.y.z.k:port --username=user1 --password=pass1
  • put the folllowing to /etc/sudoers
jephe ALL=/usr/bin/sudosh
  • initialize sudo folder by running 'sudosh -i', the permission should be like this:
[root@jephe ~]# ls -ld /var/log/sudosh
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh

  • install swatch to realtime scan /var/log/secure to monitor 'su, sudo and console root login'
1. installing swatch rpm using the same method as sudosh
2. put the following to /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---

watchfor /su:.*/
mail root,subject=--- server su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set root alias in /etc/alias, then run 'newaliases', for those environment that doesn't have DNS server, using /etc/mail/service.switch
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following to /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. put the following to /etc/logrotate.d/syslog
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
/bin/kill -HUP `cat /var/run/ 2> /dev/null` 2> /dev/null || true

##added by Jephe####
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
6. put the following to /usr/local/sbin/restartsw (for restarting swatch)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

  • configuring to masquerade in non-dns environment
[root@db7 mail]# diff
> define(`SMART_HOST',`mailrelay')dnl
<> dnl EXPOSED_USER(`root')dnl
<> FEATURE(masquerade_envelope)dnl
<> FEATURE(masquerade_entire_domain)dnl
<> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl

note: assuming server hostname is, so swatch will send out email using normally, which is not-exist domain, but is valid, so we masquerade it to

setup osiris for Windows

  • purpose: for recording down system user/group changes and Windows directory and any other directories changes.
  • how it works: osiris on Windows is agent, the management tool and daemon are residing on Linux server. You need to configure it on Linux sever after installing software on Windows. Then it will generate a base database for comparing every 24 hours by default, then send out email alert for any changes
  • install it on Windows
if you are installing it through terminal service, it will install to wrong place.
1. after installing , copy c:\document and settings\sysmgr\windows\osiris directory to c:\win2k03
2. copy c:\documents and setting\sysmgr\windows\osiris to c:\win2k03\system32
3. startup osiris service again

note: if you encounter error saying "error writing to file osimessage.dll", u can rename c:\windows\system32\osimessage.dll first
  • osiris on Linux
1. ./configure;make;make install
2. enable tcp port 2265 and 2266 for iptables host firewall
3. enable in-between firewall ports too for above 2 ports
4. on server, configure management console
# osiris
# login as username and password
# add-host
all the way to default, except for email alert part choose (y,y,n,y)

copy configuration file to the windows server name to be monitored
start-scan servername
list-db servername

Wednesday, April 9, 2008

setup Snare for Windows for centralized system log

  • download snare for Windows
  • after install, access it using http://localhost:6161
  • go to 'network configuration' to give the remote Linux syslog-ng server ip at 'Destination Snare Server address', also give 'Destination Port which is 514 for syslog-ng'
  • go to 'remote control' to setup password
  • access it next time using username and password pair 'snare/password you gave'