Today I've learned: The Logging System
Jonas Satkauskas
Intro
For any Linux user it’s a must to be known in the use of the log files.
For a hacker, the log files can be a trail to your target’s activities and identity.
But it can also be a trail to your own activities on someone else’s system. It is an evidence of your appearance on the system.
We’ll see how to remove evidence of your activity and even disable logging on the system.
What’s Daemon?
In computing, a daemon is a program that runs continuously as a background process. Kind of a background service.
The rsyslog
Linux uses a daemon called syslogd to automatically log events on your computer.
Since I use Kali and it is built on Debian, and Debian uses rsyslog for logging, I’ll focus on that utility in this article.
Try to take a look where rsyslog occurs in the system:
locate rsyslog
We can configure the logging using conf file.
nano /etc/rsyslog.conf
As we can see the configuration is well documented with comments explaining what each part does
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# Log anything besides private authentication messages to a single log file
#
*.*;auth,authpriv.none -/var/log/syslog
#
# Log commonly used facilities to their own log file
#
auth,authpriv.* /var/log/auth.log
cron.* -/var/log/cron.log
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
Rules section is where you can set the rules for what your Linux system will automatically log for you.
Rules
Rules determine what kind of information is logged, what programs have their messages logged, and where that log is stored.
###############
#### RULES ####
###############
#
# Log anything besides private authentication messages to a single log file
#
*.*;auth,authpriv.none -/var/log/syslog
#
# Log commonly used facilities to their own log file
#
auth,authpriv.* /var/log/auth.log
cron.* -/var/log/cron.log
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
Each line is a separate logging rule. The basic format for these rules are:
facility.priority action
facility - references the program such as mail, kernel, etc..
priority - it determines what kind of messages to log for that program
action - it references the location where the log will be sent
Facility
It refers to whatever software is generating the log. It can be kernel, mail system, or the user. Here’s the valid codes for the facility:
auth, authpriv - security/authorization messages
cron - clock daemons
daemon - other daemons
kern - kernel messages
lpr - printing system
mail - mail system
user - generic user-level messages
An asterisk wildcard (*) in place of word refers to all facilities.
Priority
It tells the system what kinds of messages to log. Here’s the full list of valid codes for priority:
debug
info
notice
warning
warn (deprecated)
error (deprecated)
err
crit
alert
emerg
panic (deprecated)
Deprecated means that it shouldn’t be used.
NOTE: Generally log files are sent to the var/log directory
Cleaning logs with logrotate
Log files take up space, so if you don’t delete them periodically, they’ll fill your entire hard drive.
There’s a logrotate which is a handy process for this case.
logrotate - the process of regularly archiving log files by moving them to some other location, leaving you with a fresh log file. That archived location will then get cleaned after a specified period of time.
You can configure logrotate with /etc/logrotate.conf file.
nano /etc/logrotate.conf
# see "man logrotate" for details
# global options do not affect preceding include directives
# rotate log files weekly
weekly
# keep 1 week worth of backlogs
rotate 1
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here.
You can set the unit of time your rotate numbers refer to. In our case we have weekly.
The number represents weeks for rotation to happen. If you rotate every week, you'll save the space. If you have plenty of storage and want to keep a semi-permanent record, you could change this setting to rotate 26 (six months).
By default a new empty log file is created when old ones are rotated out.
You can also choose to compress your rotated log files.
For more details see the man logrotate page.
Remaining Stealthy
Once you’re in the system it’s useful to disable logging and remove any evidence of your intrusion in the log files to reduces the chances of detection.
We could delete logs, but deleted can generally be recovered by a skilled forensic investigator.
A better and more secure solution is to shred the log files. Lucky for us, Linux has a command named shred for just this purpose.
To see information about this command you can write:
shred --help
There are many options available.
Shred will delete the file and overwrite it several times - by default it overwrites 4 times.
Each overwrite takes time, so for very large files, shredding may become time-consuming
Let’s shred auth.log file:
shred -f -n 10 /var/log/auth.log
-f - gives us permission to shred auth file.
-n - with this option we can specify how many times do we want to overwrite the file. In our case 10.
Now try to open a file
nano /var/log/auth.log
0����0��x� ���/���+^[���g^\b"0%��l�ܡ�'�]`M�^Ga�^H#�;��&���W���3^E��6F^N�^X��d�,����^Ze^R�
��g�8{^]��H�"d�^^�^PW��%^[�;�\^_J�7�^^̎�����vV�=;/^C�����GE{�<9eγ^H�#�_y^H�4n��=)��z3"�^T�^S/�,^U��eԃ^_�^]plw�:hj=����7>
Ɩ^X�3"�2��'t����z�"�N^RL�1u�w���^By�^Y�E��f���2R��w��l�D��^D�,�Zcwq�^H�^C^\� ^M��^@�;;_�� �^H�kg^K�)Tb�,r^MYr6p�>
YH��t[�^Xk�Y����g�.2L����5������^B-RMڎq� �E�b^F�^Y:G���^F��{���}���Ȃt^ZmșӨ�^T�^U�� ^[�a?��N�ݳ���=ɚ��^E��F���&VfF;K�^_}>
���^F�kW�}�o�lгDZ"7��݇�N�^Q��N��C�6�z����@^K�\^O/�7[^FL���.���F*��%ۅ��1�]^Zl!3`p�I���ѿ5��Tm^U5��h)?�g�u.A^Y^CT��D
@G^V�t��^P��^_
File is unreadable.
Now if the security engineer or forensic investigator examines the log files, they will find nothing of use because none of it is recoverable.
Disabling Logging
Another option for covering your tracks is to simply disable logging. You can just immediately disable logging to prevent the system from keeping tracks of their activities.
Keep in mind that this requires root privileges.
We’ll need to disable services of rsyslog.
We’ll learn more about services in the upcoming article
We can do it by writing:
service rsyslog stop
Now Linux will stop generating any log files until the service is restarted. At this point you’re not leaving any evidence in the log files.
Outro
Log files track nearby everything that happens on your Linux system. For hackers log files can be evidence of their activities and identity.
However, an astute hacker can remove and shred these files and disable logging entirely, thus leaving no evidence behind.
Credits
I’m learning using this book:
Linux Basics For Hackers by OCCUPYTHEWEB (MASTER OTP)
You can purchase it here
Subscribe to my newsletter
Read articles from Jonas Satkauskas directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by