PoiNtEr->: Hacker’s Diary “10”

                             Difference between a dream and an aim. A dream requires soundless sleep, whereas an aim requires sleepless efforts.


Wednesday, November 23, 2011

Hacker’s Diary “10”


Hack 5 Protect Your Logs from Tampering

Welcome, guys, to the second section of Hacker's Diary. Today we will see how to protect our log files.

By now you must be wondering why it is important to protect log files.

An attacker is likely to leave telltale signs of his actions in various logs. This is a very valuable audit trail that should be protected, because it helps us figure out how the attacker got in, or where the attack came from.

So the big question is: if an attacker gains root privileges, how do we stop him from removing the traces of his misbehavior?

One useful attribute for protecting log files is append-only. When this attribute is set, the file cannot be deleted, and writes are only allowed to append to the end of the file.

To set the append-only flag under Linux, run this command:

# chattr +a filename

Obviously, an intruder who has gained root privileges could realize that file attributes are being used and just remove the append-only flag from our logs by running chattr -a. To prevent this, we need to disable the ability to remove the append-only attribute. To accomplish this under Linux, use its capabilities mechanism.


The Linux capabilities model divides up the privileges given to the all-powerful root account and allows you to selectively disable them. In order to prevent a user from removing the append-only attribute from a file, we need to remove the CAP_LINUX_IMMUTABLE capability. When present in the running system, this capability allows the append-only attribute to be modified. To modify the set of capabilities available to the system, we will use a simple utility called lcap (http://packetstormsecurity.org/linux/admin/lcap-0.0.3.tar.bz2).

To unpack and compile the tool, run this command:

# tar xvfj lcap-0.0.3.tar.bz2 && cd lcap-0.0.3 && make

Then, to disallow modification of the append-only flag and to block raw I/O, run these two commands:

# ./lcap CAP_LINUX_IMMUTABLE
# ./lcap CAP_SYS_RAWIO

The first command removes the ability to change the append-only flag, and the second command removes the ability to do raw I/O. This is needed so that the protected files cannot be modified by accessing the block device they reside on. It also prevents access to /dev/mem and /dev/kmem, which would provide a loophole for an intruder to reinstate the CAP_LINUX_IMMUTABLE capability. To remove these capabilities at boot, add the previous two commands to your system startup scripts (e.g., /etc/rc.local). You should ensure that capabilities are removed late in the boot order, to prevent problems with other startup scripts. Once lcap has removed kernel capabilities, they can be reinstated only by rebooting the system.

Note: lcap only works for Linux kernel versions < 2.6. But I am still trying to figure out a way to make it work for newer kernel versions also. If you have any idea, please share it here.
