Enter msyslog, the obvious solution to the problem of logs not helping in intrusion detection. Msyslog is a syslogd and klogd replacement that encrypts and hashes the log files. With msyslog, crackers will need significantly more time to hide their tracks, time they probably do not have. While a cracker can still delete the log file altogether, that is a pretty big sign that the box has been broken into, something they do not want.
Configuration
First, get the software here. After unzipping and untarring it, read the README and INSTALL files. Then, edit the modules.conf file to something similar to this:
UNIX=static
BSD
LINUX=static
UDP
CLASSIC=static
PEO=static
REGEX=static
MYSQL
PGSQL
UNIX refers to receiving input from /dev/log. BSD refers to receiving input from the special BSD logging device, /dev/klog. LINUX refers to receiving input from the special Linux logging device. UDP refers to receiving input from other systems on a specific port. CLASSIC refers to the output tasks syslogd normally does (writing to files, consoles and remote hosts). PEO refers to hashing the logs with the PEO-1 and L-PEO algorithms. REGEX refers to allowing output redirection based on a set of regular expressions. MYSQL refers to outputting the logs into a MySQL database. PGSQL refers to outputting the logs into a PostgreSQL database.
Now run:
./configure --prefix=/usr/local
Installation
For installation, run:
make clean; make; make install
Setup
After installing msyslog, there will be directions given to edit /etc/rc.d/init.d/syslog. After editing and saving it, remove the klogd start up and shut down process, since msyslog can log kernel messages itself. Now, move the new binary into place by running this command:
mv /usr/local/sbin/syslogd /sbin/syslogd
Assuming everything worked correctly so far, /etc/syslog.conf must be edited. The changes to syslog.conf will be minimal if all that is needed is encryption and hashes of the log files. To do this, these two lines:
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
become:
*.info;mail.none;authpriv.none %peo -l -m md5 -k /var/syslog/.var.log.messages.key %classic /var/log/messages
authpriv.* %peo -l -m md5 -k /var/syslog/.var.log.secure.key %classic /var/log/secure
The second set of files will be encrypted with the key files in /var/syslog, and an md5 hash will be kept for each of them. Now, the keys to be used for encryption must be made. Make the keys for the above example like this:
/usr/local/sbin/peochk -g -f /var/log/messages -i messagekey0 -m md5
/usr/local/sbin/peochk -g -f /var/log/secure -i securekey0 -m md5
The keys messagekey0 and securekey0 should be stored in a very safe place, like a CD.
Start
After this, kill both klogd and syslogd and start msyslog using the start up script, like this:
/etc/rc.d/init.d/syslog start
Integrity Test
If there is a possibility that someone has been messing with the logs, run this to check their integrity:
/usr/local/sbin/peochk -m md5 -i messagekey0 -f /var/log/messages
/usr/local/sbin/peochk -m md5 -i securekey0 -f /var/log/secure
If something comes up, chances are much better than not that the logs have been doctored and the system's admin has a really big problem.
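A simplified model of the hash chain behind the %peo lines and the peochk check above, added here as an example and not msyslog's own code: each log line advances a secret key by hashing key and line together, PEO-1 keeps only the final key, and L-PEO (line-PEO, assumed here to be what -l enables) also keeps a per-line record so the first altered, removed or truncated line can be located. The sample log lines and key0 are constructed, and msyslog's exact byte layout is assumed rather than reproduced.

```python
import hashlib

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "Jan  1 00:00:01 host syslogd: restart",
    "Jan  1 00:00:05 host sshd[101]: Accepted password for alice from 10.0.0.5",
    "Jan  1 00:00:09 host sshd[103]: Failed password for root from 10.0.0.7",
    "Jan  1 00:00:12 host su: alice to root on /dev/pts/0",
]
# Hypothetical key0; the real one is a random secret generated by `peochk -g`.
KEY0 = bytes.fromhex("00112233445566778899aabbccddeeff")

def next_key(key: bytes, line: str, method: str = "md5") -> bytes:
    """One chain step (simplified PEO-1 model): key_{i+1} = H(key_i || line_i)."""
    h = hashlib.new(method)
    h.update(key)
    h.update(line.encode())
    return h.digest()

def protect(key0: bytes, lines, method: str = "md5"):
    """Chain over the log as the daemon writes it.
    Returns (final_key, line_hashes): final_key is what PEO-1 keeps in the
    key file; line_hashes is the per-line record that L-PEO also keeps so
    that the altered line can be located."""
    key, line_hashes = key0, []
    for line in lines:
        key = next_key(key, line, method)
        line_hashes.append(key)
    return key, line_hashes

def check(key0: bytes, lines, final_key: bytes, method: str = "md5") -> bool:
    """PEO-1 check (peochk -i key0 -f logfile): replay from key0, compare final keys."""
    return protect(key0, lines, method)[0] == final_key

def first_bad_line(key0: bytes, lines, line_hashes, method: str = "md5"):
    """L-PEO check: index of the first line whose replayed key disagrees with
    the stored per-line record; None if the log is intact. A truncated log
    reports the index of the first missing line, an appended line its own index."""
    key = key0
    for i, line in enumerate(lines):
        if i >= len(line_hashes):
            return i  # line present in the log but absent from the record
        key = next_key(key, line, method)
        if key != line_hashes[i]:
            return i
    return len(lines) if len(lines) < len(line_hashes) else None
```

Because only key0 (kept offline) can replay the chain, an intruder who edits a line cannot recompute the keys that follow it, which is what peochk detects.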