Module 8: Linux Endpoint Introduction

Linux Applications and Daemons

Daemons

Daemons are background programs that run without any user interaction. The terminology comes from Maxwell's demon, an imaginary entity that works in the background to help with experiments.

Any non-privileged user can query a daemon status through systemctl.

Querying the SSH daemon status

[offsec@linux02 ~]$ systemctl status sshd
 sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2021-06-15 09:52:57 CEST; 2s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
...

Starting the SSH daemon

[offsec@linux02 ~]$ sudo systemctl start sshd
[sudo] password for offsec:

Verifying the SSH daemon status

[offsec@linux02 ~]$ systemctl status sshd
 sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active:active (running) since Tue 2021-06-15 09:53:55 CEST; 4s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 78962 (sshd)
    Tasks: 1 (limit: 4627)
   Memory: 1.3M
   CGroup: /system.slice/sshd.service
           └─78962 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128->

Logging on Linux and the Syslog Framework

Log files are saved w ithin the /var/log folder and named after their category/role.

Linux log files locations

Purpose

Source Process

CentOS Location

Ubuntu Location

Authentication

sudo, sshd, etc.

secure

auth.log

Web Server

apache

httpd/

apache2/

System Logs

systemd,kernel, rsyslogd

messages

syslog

Package management Logs

dpkg

yum.log

dpkg.log

Raw log example of ssh attempt

[offsec@linux02 ~]$ sudo grep sshd /var/log/secure
...
Jun 28 11:22:55 linux02 sshd[156299]: pam_unix(sshd:session): session opened for user offsec by (uid=0)
...

Rsyslog configuration supporting RFC3164 translation and multiple optional transport protocols

...
#### RULES ####
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n"
...
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure;RFC3164fmt
...
# Forwarding to remote syslog collectors
# ----------------------------
#*.*	@linux01     # udp transport
#*.*	@@linux01    # tcp transport

Inspecting the SSH log event for failed login

[offsec@linux02 ~]$ sudo cat /var/log/secure | grep "Failed password"
<86>Jun 28 12:05:21 linux02 sshd[157165]:Failed password for offsec from 192.168.51.50 port 54209 ssh2

The event above is structed as so: Priority, Timestamp, Hostname, App Name, Process ID, Message.

Syslog Facilities Codes

Facility code

Keyword

Description

0

kern

Kernel messages

1

user

User-level messages

2

mail

Mail system

3

daemon

System daemons

4

auth

Security/authentication messages

5

syslog

Messages generated internally by syslogd

6

lpr

Line printer subsystem

7

news

Network news subsystem

8

uucp

UUCP subsystem

9

cron

Cron subsystem

10

authpriv

Security/authentication messages

11

ftp

FTP daemon

12

ntp

NTP subsystem

13

security

Log audit

14

console

Log alert

15

solaris-cron

Scheduling daemon

16–23

local0 – local7

Locally used facilities

Syslog Severity Levels

Value

Severity

Keyword

Description

0

Emergency

emerg

System is unusable - A panic condition

1

Alert

alert

Action must be taken immediately

2

Critical

crit

Critical conditions

3

Error

err

Error conditions

4

Warning

warning

Warning conditions

5

Notice

notice

Normal but significant conditions

6

Informational

info

Informational messages

7

Debug

debug

Debug-level messages

Rsyslog Meets Journal

By default, systemd_journald, or journal is responsible for processing log events first.

Inspecting Journal Logs

[offsec@linux02 ~]$ journalctl -u sshd.service --since "1 hour ago"
-- Logs begin at Tue 2021-06-01 16:05:01 CEST, end at Tue 2021-06-22 15:00:31 CEST. --
Jun 22 15:00:31 linux02 sshd[131733]: Accepted password for offsec for offsec from 192.168.51.50 port 58379 ssh2

Web Daemon Logging

Inspecting an Apache log

[offsec@linux02 ~]$ sudo cat /var/log/httpd/access_log
192.168.51.50  - - [12/Jul/2021:08:57:30 -0400] "GET / HTTP/1.1" 403 199691 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
...

  • 192.168.51.50 : The source IP that requested the web resource

  • - -: As Remote Log Name and User ID do not appear in the log, these are replaced with a hyphen (-)

  • [12/Jul/2021:08:57:30 -0400]: Date and Time Zone (timestamp)

  • GET: Request method

  • /: The resource path, in this case the web server's root folder

  • HTTP/1.1: Request version

  • 403: Response status3

  • 199691: The resource size

  • - : Since the referrer of the resource is also not present, it is replaced with a hyphen (-)

  • Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0: Client User Agent

Filtering Apache Logs

[offsec@linux02 ~]$ sudo cat /var/log/httpd/access_log | grep " 403 "
192.168.51.50  - - [12/Jul/2021:08:57:30 -0400] "GET / HTTP/1.1" 403 199691 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
...

Extracting a single log parameter

[offsec@linux02 ~]$ sudo cat /var/log/httpd/access_log  | cut -d " " -f 7
/
/icons/poweredby.png

Automating the Defensive Analysis

Python for Log Analysis

The following four regex operators are essential to building more complex expressions:

  • ^ matches position just before the first character of the string

  • $ matches position just after the last character of the string

  • . matches a single character, except the newline (\n) character

  • * matches preceding match zero or more times

  • + matches preceding match one or more times

Importing modules

import re
import os.path

Declaring log path variables

centos_ssh_log_file_path = "/var/log/secure"
ubuntu_ssh_log_file_path = "/var/log/auth.log"

Filling the array with variables

ssh_log_files = [centos_ssh_log_file_path, ubuntu_ssh_log_file_path]

Declaring the regex variable

regex_pattern = 'sshd\[.*\]'

Parsing the log files with nested for-loops

# Loop through each file in our array
for log_file in ssh_log_files:
  # If the file exists, open it in read mode
  if os.path.isfile(log_file):
    with open(log_file, "r") as file:
      # For each line in the file, search for the regex pattern
      for line in file:
        for match in re.finditer(regex_pattern, line, re.S):
          # If pattern is found, print the line without adding a newline character
          print(line, end='')

An easy way to test regular expressions is to use the regex101 online tool, which when given a regex input, indicates whether we have any match on the target text.

DevOps Tools

DevOps is an effort to combine traditional development practices and operational strategies into a joint mechanism that focuses on orchestration, automation, and consistency.

There are a few options available, such as Puppet, Chef, Ansible, etc.

Ansible Log Parser Playbook

---
- name: logparser
  hosts: soc200
  tasks:

   - name: list files in folder
     become: yes
     become_user: root
     script: /home/kali/SOC-200/Linux_Endpoint_Introduction/ssh_log_parser.py
     args:
        executable: python3
     register: output
   - debug: var=output.stdout_lines

Ansible Ping Reachability Test

kali@attacker01:~$ sudo ansible soc200 -m ping -u offsec  --key-file=/home/kali/.ssh/ansible_rsa
192.168.51.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
192.168.51.13 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

Running the Ansible Playbook

kali@attacker01:~/SOC-200/Linux_Endpoint_Introduction$ ansible-playbook ./log_parser.yml -u offsec  --key-file='/home/kali/.ssh/ansible_rsa' -K
BECOME password:

PLAY [logparser] *************************************************************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************************************************
ok: [192.168.51.12]
ok: [192.168.51.13]

TASK [list files in folder] **************************************************************************************************************************************************************************
changed: [192.168.51.12]
changed: [192.168.51.13]

TASK [debug] *****************************************************************************************************************************************************************************************
ok: [192.168.51.12] => {
    "output.stdout_lines": [
        "",
        "Jun 15 13:13:36 linux02 sshd[81613]: Failed password for offsec from 192.168.51.50 port 60040 ssh2",
        "Jun 16 09:11:28  linux02 sshd[84486]: Accepted password for offsec from 192.168.51.50 port 51741 ssh2"
    ]
}
ok: [192.168.51.13] => {
    "output.stdout_lines": [
        "",
        "Jun 16 09:16:11 linux01 sshd[47847]: Accepted password for offsec from 192.168.51.50 port 55660 ssh2",

    ]
}

PLAY RECAP *******************************************************************************************************************************************************************************************
192.168.51.12              : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.51.13              : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Ideally, we would parse distributed log files with a full-fledged SIEM solution. However, what we've practiced here can be useful as an initial proof-of-concept or a small-scaled log parsing alternative.

Hunting for Login Attempts

Walking through a "hunt".

PreviousModule 7: Windows PersistenceNextModule 9: Linux Server Side Attacks

Last updated