Saturday, October 29, 2005

Linux System Integrity Monitor - Installation and Configuration Guide

SIM - System Integrity Monitor



# ./setup
-i Install
-q Quick install
-u Uninstall
-c Install/Uninstall cronjob

--------
Paths to pertinent files for SIM are (defaults):
- Executable: /usr/local/sim/sim
- Executable symlink: /usr/local/sbin/sim
- Config file: /usr/local/sim/conf.sim
- Autoconf script: /usr/local/sim/autoconf
- Autoconf symlink: /usr/local/sbin/sim-autoconf
3) Configuration:
SIM comes with a well commented configuration file to make modifications
as easy as possible. There is also an 'autoconf' script that can be
used to walk you through the configuration of SIM.

The autoconf script is perhaps the best method to configure SIM to meet your
needs. The script is located in, by default: /usr/local/sim/autoconf

# /usr/local/sim/autoconf
or
# /usr/local/sbin/sim-autoconf

Running the script will begin the autoconf process. This script is also run
from the 'setup' script when using the normal '-i' install method. The alternate
'-q' quick install method does not automatically run the autoconf script.

If you feel the need to manually edit the conf.sim file, it is easily done. The
default location of conf.sim is: /usr/local/sim/conf.sim
It is strongly encouraged that you take the time to read the comments in the
conf file and edit it to your needs. If you use pico as your editor, be
sure to start it with the -w argument to stop line wrapping.

# pico -w /usr/local/sim/conf.sim

4) Running SIM:
Once SIM is configured, you should be able to run it from either
'/usr/local/sim/sim' or '/usr/local/sbin/sim'. SIM has a few command line
arguments that should be simple to comprehend.

Running 'sim' with no arguments will display all available arguments:
-q Quiet mode
-v Verbose mode
-c Clear data & log files
-l Display log file
-s Display status information
-u Check for SIM updates
-j Install/Remove SIM cronjob

Ideally, once SIM is configured it is best to run it from a cronjob. The 'setup'
script provides a feature to toggle the SIM cronjob; simply run the -c option.

# ./setup -c

As of SIM version 1.7 you can also run the main SIM script with the '-j'
argument to toggle the cronjob.

# /usr/local/sbin/sim -j

This feature 'toggles' the cronjob for sim: if it is already set up in
crontab it will remove it, and vice versa. A copy of crontab is backed up to
/etc/crontab.bk

Alternatively, if you feel the need to 'do it yourself', you can add the below
entry or equivalent to /etc/crontab to have sim run once every 5 minutes
(entries in /etc/crontab carry a user field before the command):

# Run SIM every 5 minutes
*/5 * * * * root /usr/local/sim/sim -q >> /dev/null
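The toggle behaviour described above, written out as an added example (this is not SIM's own code). It works on whatever crontab file is passed as its argument instead of /etc/crontab, and the ".bk" backup suffix and the entry line are taken from the text above; everything else is assumed for the demo.

```shell
SIM_CRON_LINE='*/5 * * * * root /usr/local/sim/sim -q >> /dev/null'
SIM_CRON_COMMENT='# Run SIM every 5 minutes'

# sim_cron_present FILE: returns 0 if the SIM entry is in FILE, 1 otherwise
sim_cron_present() {
    grep -qxF -- "$SIM_CRON_LINE" "$1"
}

# sim_cron_toggle FILE: back FILE up to FILE.bk first, then remove the SIM
# entry if it is present or append it if it is absent (the real 'sim -j'
# does this to /etc/crontab, with the copy going to /etc/crontab.bk)
sim_cron_toggle() {
    crontab_file=$1
    [ -f "$crontab_file" ] || : > "$crontab_file"
    cp -p "$crontab_file" "$crontab_file.bk"
    if sim_cron_present "$crontab_file"; then
        # drop the entry line and its comment; every other line is kept as-is
        grep -vxF -e "$SIM_CRON_COMMENT" -e "$SIM_CRON_LINE" \
            -- "$crontab_file.bk" > "$crontab_file" || :
        echo "removed SIM cronjob from $crontab_file"
    else
        printf '%s\n%s\n' "$SIM_CRON_COMMENT" "$SIM_CRON_LINE" >> "$crontab_file"
        echo "added SIM cronjob to $crontab_file"
    fi
}
```

Running it twice on the same file leaves the file exactly as it started, which is the property the toggle relies on.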

5) Comments/Questions:
If you have any comments, questions, death threats or presents for me, send
them to: or



A typical installation session

SIM 2.5-3
Creating installation paths: [##########]
Installing SIM 2.5-3 to /usr/local/sim: [##########]

SIM 2.5-3 installation completed, related notes:
Executable: /usr/local/sim/sim
Executable symlink: /usr/local/sbin/sim
Config file: /usr/local/sim/conf.sim
Autoconf script: /usr/local/sim/autoconf
Autoconf symlink: /usr/local/sbin/sim-autoconf
Cronjob setup: /usr/local/sim/sim -j

SIM 2.5-3 must now be configured for use on this system, Press
return to run the autoconf script (/usr/local/sim/autoconf).

SIM 2.5-3 Auto-Config Script

All questions default to value in brackets if no answer is given. If you
make a typo during the autoconf process, hit CTRL+C (^C) to abort and
rerun the autoconf script (/usr/local/sim/autoconf).

The below are general configuration options for SIM:
press return to continue...


Where is SIM installed ?
[/usr/local/sim]:

Where should the sim.log file be created ?
[/usr/local/sim/sim.log]:

Max size of sim.log before rotated ? (value in KB)
[128]:2048

What is the location of your kernel log ?
Found kernel log at /var/log/messages

Where should alerts be emailed to ? (e.g: root, user@domain)
[root]:

Disable alert emails after how many events, to avoid email flood ?
(Note: events stats are cleared daily)
[8]:20

The below are configuration options for Service modules:
press return to continue...

...............



The below are configuration options for System modules:
press return to continue...

Enable NETWORK monitoring ? (true=enable, false=disable)
[false]:true

interface to monitor ?
[eth0]:

Path to NETWORK init script ?
Found service init script at /etc/init.d/network

Enable LOAD monitor ? (true=enable, false=disable)
[false]:true

Load level before status condition 'warning' ?
[25]:

Load level before status condition 'critical' ?
[45]:

Enable a global (wall) message at status condition 'warning' & 'critical' ?
[false]:true

Renice services at status condition 'warning' or 'critical' ?
(3 values - warn, crit, false - false=disabled)
[false]:true

Stop nonessential services at status condition 'warning' or 'critical' ?
(3 values - warn, crit, false - false=disabled)
[false]:warn

Reboot system on status condition 'warning' or 'critical' ?
(3 values - warn, crit, false - false=disabled)
[false]:crit

Configuration completed, saving conf.sim...
Done, conf.sim saved to /usr/local/sim.




1.1) Features:
- Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
- Event tracking and alert system
- Auto restart ability for downed services
- Checks against network sockets & process list to ensure services are online
- HTTP log size monitor, to avoid segfaults from apache due to large logs
- URL Aware monitoring, to ensure HTTP does not 'lockup'
- System load monitor with customizable warning levels, actions, and more...
- Informative command line status display
- Easily customizable configuration file
- Auto configuration script
- Auto cronjob setup feature
- Caching feature for ps/netstat output, to ease on runtime load
- Simple & Informative installation script
- Integrated auto-update feature
- And more...

Brute Force Detection - BFD Installation

Installing BFD


wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
tar -xzvf bfd-current.tar.gz
# change into the directory the archive extracts to (name as created by the archive)
cd bfd-*/
sh install.sh


Here is the installation progress for brute force detection.


.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
Imported tracking and options from BFD 0.9 to 0.9.


This is it. Our installation for BFD is complete.
Assuming APF is installed on your system, you are good to go: just configure bfd and start it. The following is an excerpt of the APF (Advanced Policy Firewall) feature list:



- simple and well commented configuration files
- layered firewall with independent ingress and egress filtering system
- uid based egress filtering via simple configuration variables
- global tcp/udp ports & icmp types configuration
- configurable policies for each ip on the system with convenience vars
- prerouting rules for optimal network response; TOS (type of service)
- icmp based rate limiting to prevent common icmp 'dos' abuses
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for tcp/ip stack hardening
- advanced set of filter rules to remove undesired traffic
- advanced use of kernel features such as abort_on_overflow & tcp syncookies
- easy to use firewall management script
- trust based rule files (allow/deny); with advanced syntax support
- 3rd party addon projects that complement APF features
- and much more...


To use APF



APF version 0.9.6
Copyright (C) 1999-2004, R-fx Networks
Copyright (C) 2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load all firewall policies
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop........ .................. stop (flush) all firewall rules
-l|--list .......................... list chain rules
-t|--status ........................ firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
-u|--unban HOST .................... remove host from [glob_]deny_hosts.rules
and immediately remove rule from firewall
-o|--ovars ......................... output all conifguration options


Modify the crontab (/etc/cron.d/bfd) and set up logging using:

/usr/local/sbin/bfd -q >> /var/log/log

For more information, see the Brute Force Detection documentation.

To run brute force detection manually, use

bfd -s




SSH - cannot login to web server - Access denied

If you were editing /etc/passwd and the server was rebooted during the process, you may not be able to log in to your box because of a leftover /etc/.pwd.lock file. Try logging in as a user that can su to a superuser and then fix the issue. The issue can also occur when there is a misconfiguration in the sshd config file.



Mounting /tmp with noexec

These commands will help you create a /tmp partition mounted with noexec:



cd /dev
# create a 100MB file that will back the /tmp filesystem
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
# put an ext2 filesystem on it (mke2fs warns that it is not a block device; answer "continue anyway")
mke2fs /dev/tmpMnt
# back up the current contents of /tmp before mounting over it
mkdir -p /home/backup
cp -p -r /tmp /home/backup/tmp
# if you have a mysql.sock file in /tmp, recreate the symbolic link for it afterwards
cd /
# mount the loopback file over /tmp with noexec and nosuid
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
# world-writable with the sticky bit set, so users cannot remove each other's files
chmod 1777 /tmp
# copy the old contents back
cp -R /home/backup/tmp/* /tmp/
# add the mount to /etc/fstab so it comes back after a reboot:
# /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
# now nothing should run directly from /tmp:
# bash: ./binary-program: Permission denied


You may get the following error:


mke2fs 1.27 (8-Mar-2002)
/dev/tmpMnt is not a block special device. If so, try "continue anyway"


No need to reboot. Confirm the mount by using


df -h


On Dell dual Xeon servers, trying the above will give you:



Disk usage quota:
Device (/dev/tmpMnt) filesystem is mounted on isn't block or
character device nor it's loopback or bind mount. Skipping.
quota: Quota file not found or has wrong format. 0.00 Megabytes


To unmount, undo the changes in /etc/fstab and execute


umount /dev/tmpMnt


If you get a 'device is busy' message, remake your /tmp folder and give it executable permissions (not recommended). Then, depending on your server configuration, create a mysql.sock symlink to /var/lib/mysql/mysql.sock using


ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock




Note: Even with noexec on /tmp, a program can still be executed by invoking it with the
'sh <script>' syntax. noexec only stops files on /tmp from being executed directly, even if an
attacker sets their execute permission bit.
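A small check for the mount options the procedure above sets, added here as an example (not part of the original post). It reads mount-table text in /proc/mounts format, so it can be run against a live host with tmp_mount_check "$(cat /proc/mounts)" or against the constructed samples below; as the note above says, it confirms only the mount flags, not that interpreters cannot be pointed at files in /tmp.

```shell
# tmp_mount_opts TABLE MOUNTPOINT: print the option list of MOUNTPOINT
# (the last matching line wins, as later mounts shadow earlier ones)
tmp_mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# tmp_mount_check TABLE: 0 if /tmp is a separate mount with noexec and nosuid,
# 1 if one of those options is missing, 2 if /tmp is not a separate mount
tmp_mount_check() {
    opts=$(tmp_mount_opts "$1" /tmp)
    [ -n "$opts" ] || { echo "/tmp is not a separate mount"; return 2; }
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "/tmp mounted with '$opts', missing:$missing"
        return 1
    fi
    echo "/tmp mounted with '$opts': ok"
    return 0
}

# Constructed sample mount tables in /proc/mounts format (not from a real host)
SAMPLE_GOOD='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0'
SAMPLE_BAD='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext2 rw,nosuid 0 0'
```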


RANDOM TIP: Quota Config: /etc/quota.conf


Credits