Trilight Zone Forum
Privacy & Anonymity is our specialty !
Secure Logging

 
thedark
Second Lieutenant


Joined: 30 Jul 2005
Posts: 1074

Posted: Sat Jul 30, 2005 3:37 pm    Post subject: Secure Logging

msyslog: For a cracker to successfully hide her intrusion, she must edit the logs. When a cracker breaks into a computer, the first step to covering his tracks is to delete the log entries that show anything suspicious. If the logs are edited well and not much is done to the system, it may be months before a system administrator notices that the system has been cracked, or it may even never happen. Because of the importance put on log files to report what is going on in a system and because of the ease of editing log files, they do not help in detecting intrusions as much as they should.

Enter msyslog, the obvious solution to the problem of logs not helping in intrusion detection. Msyslog is a syslogd and klogd replacement that encrypts and hashes the log files. With msyslog, crackers will need significantly more time to hide their tracks, time that they probably do not have. While a cracker can still delete the log file altogether, that is a pretty big sign that the box has been broken into, something they don't want.



http://www.core-sdi.com/soft/msyslog-v1.01.tar.gz


After unzipping and untarring it, read the README and INSTALL files. Then, edit the modules.conf file to something similar to this:
UNIX=static
BSD=
LINUX=static
UDP=
CLASSIC=static
PEO=static
REGEX=static
MYSQL=
PGSQL=

UNIX refers to receiving input from /dev/log. BSD refers to receiving input from the special BSD logging device, /dev/klog. LINUX refers to receiving input from the special Linux logging device. UDP refers to receiving input from other systems on a specific port. CLASSIC refers to the outputting tasks the syslogd normally does. PEO refers to hashing the logs into the PEO-1 and L-PEO algorithms. REGEX refers to allowing output redirection based on a set of regular expressions. MYSQL refers to outputting the logs into a mysql database. PGSQL refers to outputting the logs into a postgresql database.

Now run:

./configure --prefix=/usr/local


For installation, run:
make clean;make;make install

After installing msyslog, there will be directions given to edit /etc/rc.d/init.d/syslog. After editing and saving it, remove the klogd start up and shut down process since msyslog can log kernel messages. Now run this command:
mv /usr/local/sbin/syslogd /sbin/syslogd

Assuming everything worked correctly so far, /etc/syslog.conf must be edited. The changes to syslog.conf will be minimal if all that is needed is encryption and hashes of the log files. To do this, these two lines:
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure

become
*.info;mail.none;authpriv.none %peo -l -m md5 -k /var/syslog/.var.log.messages.key %classic /var/log/messages
authpriv.* %peo -l -m md5 -k /var/syslog/.var.log.secure.key %classic /var/log/secure

The second set of files will be encrypted with the key in /var/syslog and an md5 hash made of them. Now, the keys to be used for encryption must be made. Make the keys for the above example like this:
/usr/local/sbin/peochk -g -f /var/log/messages -i messagekey0 -m md5
/usr/local/sbin/peochk -g -f /var/log/secure -i securekey0 -m md5

The keys messagekey0 and securekey0 should be stored in a very safe place, like a CD.



After this, kill both klogd and syslogd and start msyslog using the start up script. Start msyslog like this:
/etc/rc.d/init.d/syslog start
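A simplified illustration of the idea behind the %peo module, added here as an example and not msyslog's own PEO-1 code: every line is tagged with the current key, the key is then hashed forward and the old one discarded, so an intruder who later reads the key on the box cannot re-tag earlier lines, and a verifier holding the initial key (the copy kept on the CD) finds the first altered or removed line. This example assumes SHA-256 and HMAC instead of msyslog's md5 option, and the log lines are constructed samples.

```python
import hashlib
import hmac

# Constructed sample log lines, not real output from any system.
SAMPLE_LINES = [
    b"Jul 30 15:37:01 host sshd[412]: Accepted password for alice from 10.0.0.5",
    b"Jul 30 15:38:10 host su: alice to root on /dev/pts/0",
    b"Jul 30 15:40:22 host sshd[431]: Failed password for root from 10.0.0.9",
]
# In msyslog this is the key generated by peochk and stored off-box; constructed here.
INITIAL_KEY = b"example-initial-key-from-peochk"


def evolve_key(key: bytes, entry: bytes) -> bytes:
    """Derive the next key one-way from the current key and the entry just logged."""
    return hashlib.sha256(key + entry).digest()


def protect(entries, initial_key: bytes):
    """Tag each entry with the key in force at that moment; the logger keeps only the evolving key."""
    key = initial_key
    protected = []
    for entry in entries:
        tag = hmac.new(key, entry, hashlib.sha256).hexdigest()
        protected.append((entry, tag))
        key = evolve_key(key, entry)  # previous key is gone; later access to `key` cannot forge this tag
    return protected


def verify(protected, initial_key: bytes) -> int:
    """Replay the chain from the securely stored initial key.

    Returns the index of the first entry whose tag does not match (an edited,
    deleted or inserted line shifts every later key), or -1 if the chain is intact.
    Caveat: cutting lines off the *end* of the chain is not detected by this check
    alone; that needs an out-of-band record of the expected entry count or last key.
    """
    key = initial_key
    for i, (entry, tag) in enumerate(protected):
        expected = hmac.new(key, entry, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        key = evolve_key(key, entry)
    return -1


if __name__ == "__main__":
    log = protect(SAMPLE_LINES, INITIAL_KEY)
    print("intact:", verify(log, INITIAL_KEY))
    log[1] = (b"Jul 30 15:38:10 host su: nothing to see here", log[1][1])
    print("first bad entry after edit:", verify(log, INITIAL_KEY))
```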