Syslog-ng Remote Logging using stunnel

Secure remote logging design and implementation guide for Linux that utilizes syslog-ng, logrotate, and stunnel.

Table of Contents

About This Document

  1. Secure Remote Logging Introduction
  2. Syslog-ng
    1. Installation
  3. Stunnel
    1. Installation
  4. Logcheck
    1. Installation
  5. Archiving
    1. Scripts
  6. Configuration
    1. Syslog-ng
    2. Stunnel
    3. Logcheck
    4. Security
    5. Todo


About This Document

This document explains how to set up secure remote logging among Linux machines.

1. Secure Remote Logging Introduction

Having a secure remote logging setup provides better intrusion forensics and centralized machine administration. The characteristics of an ideal setup are listed below, with a solution given under each one.

A secure logging setup should ideally have the following:

  1. Logs sent to a remote logging host

    Keeping logs on another machine is a security measure because many rootkits delete the log files that reside locally on the box, which prevents ad hoc analysis of a break-in attempt. Having all your Linux boxes log to a common log server also makes administration easier.

  2. Logs sent to the log host encrypted

    Stunnel creates an SSL-encrypted tunnel through which the log messages pass between the log host and the client. Stunnel can encrypt any TCP connection between two machines. Because the original syslog cannot send its logs to a remote log host over TCP, syslog-ng is used instead, since it supports TCP transfer.

    If the remote log connection is not encrypted, a packet sniffer such as Ethereal can read the log messages as they pass over the network. Valuable information that poses a security risk can be gathered by sniffing these logs.

  3. The log host is a very secure box

    If the log host can be cracked, the security added by having duplicated logs is lost. The log host should run only the necessary services, ideally only SSH and the stunnel connection.

  4. Logs on the log host are sorted by machine

    Syslog-ng has built-in features to accomplish this. The advantage of sorted logs is more organized parsing. However, when using an automated log checker, it is often an advantage to have all your log entries in one file as well.

  5. Logs are archived and stored to save disk space

    Logs should be kept in case of an undetected break-in. They can be stored on a tertiary storage device and should be archived on the machine by shell scripts.

  6. Logs are checked by a script and important entries are sent to an administrator

    Email is often easier to check than manually looking through log files. Logcheck can be used to ignore irrelevant entries in the log files and alert only on explicit violations or unknown incidents.


2. Syslog-ng

2.1 Installation

These instructions assume that you are presently running syslog. Most of them are Red Hat-specific but can easily be translated to other Linux distributions. The version used in this particular installation was syslog-ng-1.4.11.

  1. Configure syslog to not boot at startup to avoid a conflict
    • chkconfig --level 2345 syslog off
  2. Install dependencies: libol
    • Libol can be downloaded from the syslog-ng download page or installed from RPM. The versions used in this particular installation were libol-0.2.21-1 and libol-devel-0.2.21-1.
  3. Download and unzip the source of syslog-ng
    • Edit "src/syslog-ng.h".
    • Change the line
      #define PATH_SYSLOG_NG_CONF "/etc/syslog-ng/syslog-ng.conf"
      to
      #define PATH_SYSLOG_NG_CONF "/etc/hidden/secret.conf"
      or some other hard-to-guess name (the path is a C string and must stay quoted).
    • The path to the configuration file is changed because many crackers might look for the default log configuration files to find out if you are remote logging.
  4. Install syslog-ng
    • Run ./configure && make && make install
  5. Install config scripts and configure system
    • cp contrib/init.d.RedHat /etc/rc.d/init.d/syslog-ng
    • Add the following to "/etc/rc.d/init.d/syslog-ng" in the commented-out section at the top; chkconfig needs these two lines to recognize the script:
      # chkconfig: 2345 12 88
      # description: blah
    • cp contrib/syslog-ng.conf.RedHat /etc/hidden/secret.conf
    • chkconfig --level 2345 syslog-ng on
  6. Test initial configuration
    • /etc/rc.d/init.d/syslog stop
      /etc/rc.d/init.d/syslog-ng start
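The two file edits in the steps above (relocating the compiled-in configuration path and adding the chkconfig header to the init script) are easy to get subtly wrong by hand. The script below is an added example, not part of the original guide, that performs both edits on constructed stand-ins for src/syslog-ng.h and contrib/init.d.RedHat in a temporary directory, so the result can be inspected before touching a real source tree. The description text and the temporary directory are assumptions; the paths and the start/stop priorities come from the guide.

```shell
#!/bin/sh
# Added example: apply the guide's two source/init-script edits to
# constructed copies of the files so the result can be checked offline.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for src/syslog-ng.h (only the lines that matter here).
cat > "$WORK/syslog-ng.h" <<'EOF'
/* constructed sample header, not the real syslog-ng source */
#define PATH_SYSLOG_NG_CONF "/etc/syslog-ng/syslog-ng.conf"
#define PATH_SYSLOG_NG_PID  "/var/run/syslog-ng.pid"
EOF

# Constructed stand-in for contrib/init.d.RedHat (header only).
cat > "$WORK/syslog-ng.init" <<'EOF'
#!/bin/sh
#
# syslog-ng   Starts syslog-ng (constructed sample init script).
#
. /etc/rc.d/init.d/functions
EOF

# relocate_conf_path HEADER NEWPATH
# Rewrites the PATH_SYSLOG_NG_CONF define in place, keeping it a quoted C
# string, and prints the resulting line. sed -i is GNU-only, so a temp file
# plus mv is used instead.
relocate_conf_path() {
    hdr=$1; newpath=$2
    sed "s|^#define PATH_SYSLOG_NG_CONF .*|#define PATH_SYSLOG_NG_CONF \"$newpath\"|" \
        "$hdr" > "$hdr.tmp" && mv "$hdr.tmp" "$hdr"
    grep '^#define PATH_SYSLOG_NG_CONF' "$hdr"
}

# add_chkconfig_header INITSCRIPT
# Inserts the two comment lines chkconfig needs directly after the shebang
# line. Does nothing if a chkconfig line is already present, so re-running
# the script never duplicates the header.
add_chkconfig_header() {
    script=$1
    if grep -q '^# chkconfig:' "$script"; then
        return 0
    fi
    awk 'NR == 1 { print; print "# chkconfig: 2345 12 88"; print "# description: syslog-ng system logger"; next }
         { print }' "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# chkconfig_ok INITSCRIPT -> 0 if both header lines chkconfig looks for exist
chkconfig_ok() {
    grep -q '^# chkconfig: 2345 12 88$' "$1" && grep -q '^# description:' "$1"
}

relocate_conf_path "$WORK/syslog-ng.h" /etc/hidden/secret.conf
add_chkconfig_header "$WORK/syslog-ng.init"
add_chkconfig_header "$WORK/syslog-ng.init"   # second run must be a no-op
if chkconfig_ok "$WORK/syslog-ng.init"; then
    echo "init script ready for: chkconfig --level 2345 syslog-ng on"
fi
```

Run it against the real files by pointing the two functions at src/syslog-ng.h in the unpacked source and at the copied init script; the conf path you choose must match the one used for the `cp contrib/syslog-ng.conf.RedHat` step.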


3. Stunnel

3.1 Installation

The version of stunnel for this particular installation was stunnel-3.22.

  1. Install dependencies: openssl and openssl-devel
    • Install from rpm or compile.
  2. Download and unzip the source of stunnel
  3. Install stunnel
    • Run ./configure && make && make install


4. Logcheck

4.1 Installation

Logcheck is a log file parser with email alerting. The version used for this particular installation was logsentry-1.1.1.

  1. Download and unzip the source for logcheck
  2. Read the "INSTALL" file for installation instructions.
    • Run make linux if all the default paths are OK.
    • Add an entry to cron to run "logcheck.sh"
    • Set the file permissions


5. Archiving

5.1 Scripts


6. Configuration

6.1 Syslog-ng

  1. Example secret.conf for the client: client.conf
  2. Example secret.conf for the log host: server.conf
  3. An adjusted logrotate entry is needed. Remove "syslog" from "/etc/logrotate.d/" and replace with "syslog-ng".
  4. Add entries to "/etc/services". Both port numbers are arbitrary; just make sure they match between the syslog-ng.conf file and the stunnel command.
    • syslog-ng 515/tcp
    • syslog-ngs 1724/tcp
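The client.conf and server.conf files are linked from the guide but not reproduced on this page, and step 4 warns that the port numbers must agree between syslog-ng.conf and the stunnel command. The script below is an added example, not the guide's own configuration: it writes minimal syslog-ng 1.x-style client and log host configurations that follow the design described above (client sends to the local stunnel listener on 127.0.0.1:515, log host accepts only from its local stunnel and files messages per sending host), together with a constructed /etc/services excerpt, and then checks that the client destination port, the server source port and the syslog-ng services entry are the same. File names, the temporary directory and the log directory layout are assumptions.

```shell
#!/bin/sh
# Added example: minimal client/server syslog-ng configs plus a port
# consistency check. Everything is written to a temp directory, not /etc.
set -eu

WORK=$(mktemp -d)

# Constructed /etc/services excerpt containing the two entries from step 4.
cat > "$WORK/services" <<'EOF'
# service-name  port/protocol   (constructed sample)
ssh             22/tcp
syslog          514/udp
syslog-ng       515/tcp
syslog-ngs      1724/tcp
EOF

# Client: all local messages go to the stunnel client listening on 127.0.0.1:515,
# which forwards them encrypted to the log host.
cat > "$WORK/client.conf" <<'EOF'
options { sync(0); };
source s_local { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination d_tunnel { tcp("127.0.0.1" port(515)); };
log { source(s_local); destination(d_tunnel); };
EOF

# Log host: bind to loopback only (stunnel delivers the decrypted stream there),
# one directory per sending host plus a combined file for the log checker.
cat > "$WORK/server.conf" <<'EOF'
options { sync(0); create_dirs(yes); };
source s_tunnel { tcp(ip("127.0.0.1") port(515) max-connections(20)); };
destination d_hosts { file("/var/log/HOSTS/$HOST/$YEAR$MONTH$DAY.log" perm(0600)); };
destination d_all { file("/var/log/HOSTS/all.log" perm(0600)); };
log { source(s_tunnel); destination(d_hosts); destination(d_all); };
EOF

# service_port NAME SERVICESFILE -> prints the TCP port registered for NAME
# (nothing if NAME has no /tcp entry).
service_port() {
    awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$2"
}

# conf_port CONF -> prints the port of the first tcp(...) source/destination
conf_port() {
    sed -n 's/.*tcp(.*port(\([0-9][0-9]*\)).*/\1/p' "$1" | head -n 1
}

# check_ports SERVICESFILE CLIENTCONF SERVERCONF
# Returns 0 when the syslog-ng services entry, the client destination and the
# server source all name the same port; prints what was found either way.
check_ports() {
    svc=$(service_port syslog-ng "$1")
    cli=$(conf_port "$2")
    srv=$(conf_port "$3")
    echo "services=$svc client=$cli server=$srv"
    [ -n "$svc" ] && [ "$svc" = "$cli" ] && [ "$svc" = "$srv" ]
}

check_ports "$WORK/services" "$WORK/client.conf" "$WORK/server.conf"
```

The stunnel command on each side refers to the services by name, so the same check applies to it: `-d 127.0.0.1:syslog-ng` on the client must resolve to the port in client.conf, and `-r 127.0.0.1:syslog-ng` on the log host to the port in server.conf.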

6.2 Stunnel

  1. Generate a server certificate
    • Needed for stunnel to start on the server.
    • Go to the SSL certs directory; on Red Hat the certificate file is "/usr/share/ssl/certs/stunnel.pem".
    • openssl x509 -hash -noout -in stunnel.pem
    • Point the server stunnel command (the -p option) at the *.pem file
  2. Run the following from a script, possibly "/etc/rc.d/rc.local". Make sure to replace 165.xxx.xxx.xxx with the IP address of your log host:
    • client: stunnel -c -d 127.0.0.1:syslog-ng -r 165.xxx.xxx.xxx:syslog-ngs -N syslogng
    • server: stunnel -p /usr/share/ssl/certs/stunnel.pem -d syslog-ngs -r 127.0.0.1:syslog-ng -N syslogng
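Step 1 says to generate a server certificate but only shows the hash command, and the -p option of the server command expects the private key and the certificate together in one PEM file. The script below is an added example, not part of the guide: it creates a self-signed key and certificate with the openssl command-line tool, concatenates them into stunnel.pem with owner-only permissions, and offers a few checks (subject, the same subject hash the guide prints, and remaining validity). The common name "loghost", the 365-day lifetime and the temporary directory are assumptions; adjust them for your log host.

```shell
#!/bin/sh
# Added example: build the single PEM file the server-side stunnel reads
# with -p, then verify it. Requires the openssl command-line tool.
set -eu

# make_stunnel_pem DIR CN -> writes DIR/stunnel.pem (private key followed by
# the certificate), mode 0600, and returns 0 on success.
make_stunnel_pem() {
    dir=$1; cn=$2
    # umask in a subshell so key material is never created world-readable
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$cn" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
      cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem" )
    rm -f "$dir/key.pem" "$dir/cert.pem"
    chmod 600 "$dir/stunnel.pem"
}

# pem_subject PEM -> certificate subject in RFC 2253 form, e.g. "CN=loghost"
pem_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# pem_hash PEM -> subject hash, the same value the guide's command prints
pem_hash() {
    openssl x509 -hash -noout -in "$1"
}

# pem_valid_for_days PEM DAYS -> 0 if the certificate does not expire within DAYS
pem_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

WORK=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    make_stunnel_pem "$WORK" loghost
    echo "subject: $(pem_subject "$WORK/stunnel.pem")   hash: $(pem_hash "$WORK/stunnel.pem")"
    if pem_valid_for_days "$WORK/stunnel.pem" 30; then
        echo "certificate valid for at least 30 more days"
    fi
    echo "server:  stunnel -p $WORK/stunnel.pem -d syslog-ngs -r 127.0.0.1:syslog-ng -N syslogng"
else
    echo "openssl not found; cannot generate stunnel.pem" >&2
fi
```

Copy the resulting file to the certs directory named in step 1 and keep it readable by root only; anyone who can read it can impersonate the log host to the clients. The -checkend test is worth putting in cron, since an expired certificate stops stunnel, and with it all remote logging, silently.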

6.3 Logcheck

  1. Place the following code into "/etc/cron.hourly/logcheck"
    • #!/bin/sh
      /usr/local/etc/logcheck.sh

6.4 Security

  1. Tcpwrappers
    • The -N switch in the stunnel command sets the tcpwrappers service name of the stunnel process to syslogng. Place the following in "/etc/hosts.allow" and "/etc/hosts.deny" respectively.
    • syslogng : ALL@165.xxx.xxx.xxx 127.0.0.1
    • syslogng : ALL
  2. Iptables
    • The only connection made between the client and the log host is to the syslog-ngs port, given above as 1724. Run the following commands on the log host to reject all traffic to that port that does not come from the client.
    • iptables -A INPUT -i eth0 -s 165.xxx.xxx.xxx/32 -p tcp --dport 1724 -j ACCEPT
      iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p tcp --dport 1724 -j REJECT
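The tcpwrappers item above gives one line for hosts.allow and one for hosts.deny, and the second line is the one people forget: tcpd grants access on the first hosts.allow match, refuses on the first hosts.deny match, and allows everything that matches neither. The script below is an added example, not part of the guide and not a replacement for tcpd: it applies that documented decision order to constructed copies of the two files so the effect of omitting hosts.deny can be seen directly. The address 165.1.2.3 stands in for the guide's 165.xxx.xxx.xxx, and 10.9.8.7 is a constructed unrelated host; the ident lookup that tcpd performs for a user@host client pattern is not emulated (the user part is ignored).

```shell
#!/bin/sh
# Added example: emulate the tcpd allow/deny decision for the guide's two
# lines on constructed files, to show why hosts.deny is required.
set -eu

WORK=$(mktemp -d)
printf 'syslogng : ALL@165.1.2.3 127.0.0.1\n' > "$WORK/hosts.allow"
printf 'syslogng : ALL\n' > "$WORK/hosts.deny"
: > "$WORK/hosts.deny.empty"        # what a forgotten hosts.deny looks like

# matches DAEMON CLIENT FILE -> 0 if some "daemons : clients" line matches.
# Daemon list: ALL or the exact service name. Client patterns understood:
# ALL, a plain address, or user@address (the user part is dropped here).
matches() {
    awk -v d="$1" -v c="$2" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blanks
        {
            split($0, f, ":")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", f[1])
            n = split(f[1], ds, /[[:space:]]+/)
            dok = 0
            for (i = 1; i <= n; i++) if (ds[i] == "ALL" || ds[i] == d) dok = 1
            if (!dok) next
            m = split(f[2], cs, /[[:space:]]+/)
            for (i = 1; i <= m; i++) {
                p = cs[i]; sub(/^.*@/, "", p)     # drop a user@ prefix
                if (p == "ALL" || p == c) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$3"
}

# decide DAEMON CLIENT ALLOWFILE DENYFILE -> prints allow or deny
decide() {
    if matches "$1" "$2" "$3"; then echo allow
    elif matches "$1" "$2" "$4"; then echo deny
    else echo allow                  # tcpd default when neither file matches
    fi
}

for client in 165.1.2.3 127.0.0.1 10.9.8.7; do
    echo "with hosts.deny:    $client -> $(decide syslogng $client "$WORK/hosts.allow" "$WORK/hosts.deny")"
    echo "without hosts.deny: $client -> $(decide syslogng $client "$WORK/hosts.allow" "$WORK/hosts.deny.empty")"
done
```

Without the `syslogng : ALL` line in hosts.deny, the unrelated host is allowed, and only the iptables rule in item 2 stands between it and the stunnel listener; with both layers in place each one covers a mistake in the other.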

6.5 Todo

  1. Figure out how to get certificate authorization working between the client and server. It would add another layer of security.
  2. Find out exactly what packets are sent to which ports to be able to tighten iptables rules between the log host and client.
  3. Get archival scripts done