================================================================================
  Centralized and secured remote logging solution with Prelude-Lml on Debian :
  How to securely install and set up the Prelude-Lml engine

  Simon Castro - v0.2.0 - 12/10/2003
  http://www.entreelibre.com/scastro/prelude/
================================================================================


=========
CHANGELOG
=========

  o v0.2.0 - 12/10/2003 : Update the howto to use the stable version of the
    Prelude suite available on 06/10/2003 (libprelude 0.8.7 and prelude-lml
    0.8.5). A new flag for the prelude-lml engine (-g) allows setting the gid
    when the engine is executed as a restricted user. This new flag solves the
    problems we faced when we had to set permissions manually on some
    directories and files in the previous howto.

  o v0.1.8 - 20/05/2003 : Initial publication.


================
GENERAL OVERVIEW
================

  This document presents a "Centralized and secured remote logging solution"
  based on the Prelude-LML log monitor engine of the Prelude suite. It
  describes how to install and set up the Prelude library and the Prelude-Lml
  engine, and how to secure this installation on a GNU/Linux Debian 3.0 stable
  server.

  The Prelude suite is available on http://www.prelude-ids.org

  Note : This document is not intended to describe how to install or set up
  the Prelude manager; I assume the manager is already installed and ready to
  be used. This document also doesn't describe how to write the Prelude-Lml
  monitoring configuration files.

  Note : A few Debian packages should be installed before building/installing
  the Prelude-Lml monitor : 'libssl-dev' for the SSL support, 'libltdl3-dev'
  for the libraries management and 'libpcre3-dev' for the PCRE support in
  Prelude-Lml.

  A special thanks to the Prelude development team for their fabulous work...


=======
SUMMARY
=======

  GENERAL OVERVIEW
  SUMMARY
  LICENSE
  I.   INSTALLATION GOAL
  II.  INSTALLATION
       II.1. Users creation
       II.2. Building and installing the LibPrelude
       II.3. Building and installing the Prelude-Lml engine
       II.4. Setting correct permissions to installed files
       II.5. Setting Firewall rules
       II.6. Recording the Prelude-Lml monitor and first check
  III. INITIALIZATION SCRIPT
  IV.  LAST THING BEFORE YOUR CONFIGURATION
  ANNEX 1 - Prelude-Lml Stop/Start Script


=======
LICENSE
=======

  Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.

  Permission is granted to copy, distribute and/or modify this document under
  the terms of the GNU Free Documentation License, Version 1.2 or any later
  version published by the Free Software Foundation; with the Invariant
  Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and
  with the Back-Cover Texts being LIST.

  You must have received a copy of the license with this document and it
  should be present in the fdl.txt file. If you did not receive this file, or
  if you don't think this fdl.txt license is correct, have a look at the
  official http://www.fsf.org/licenses/fdl.txt licence file.


====================
I. INSTALLATION GOAL
====================

  Our installation goal :

  * The Prelude-Lml monitor runs under the 'preludelml:prelude' identity.
  * System users cannot access the Prelude directory structure if they are
    not in the 'prelude' group.
  * The 'prelude' group users can be configured (using the 'sudo'
    configuration file) to get the 'prelude' identity to manage the
    Prelude-Lml configuration.

  => The permissions of the Prelude-Lml directory hierarchy will be :

     3750       - root:prelude    - /home/prelude
     3750       - prelude:prelude - for the directories under /home/prelude
     640 or 750 - prelude:prelude - for the files under /home/prelude


================
II. INSTALLATION
================

II.1. Users creation
--------------------

  We first add a restricted user :

    groupadd prelude
    adduser --disabled-password --quiet --ingroup prelude prelude
      Full Name []: Prelude user for Prelude-lml
      Other []: Restricted user
    passwd -l prelude && chsh -s /bin/false prelude
    find /home/prelude/ -type f -exec rm \{\} \;

  We then add another restricted user, which will be used to run the
  Prelude-Lml monitor under the 'preludelml:prelude' identity.

    adduser --no-create-home --disabled-password --quiet --ingroup prelude \
            --home /home/prelude preludelml
      Full Name []: Prelude Lml User
      Other []: Utilisateur restreint
    passwd -l preludelml && chsh -s /bin/false preludelml


II.2. Building and installing the LibPrelude
--------------------------------------------

    mkdir /home/system/applis/prelude && cd /home/system/applis/prelude
    ls -l /home/system/applis
      drwxr-x---    3 root     root         1024 Mar 21 13:31 prelude

    md5sum /home/system/download/libprelude-0.8.7.tar.gz
      914b63fcb6000142ada676398e82a4d4  /home/system/download/libprelude-0.8.7.tar.gz

    tar zxvf /home/system/download/libprelude-0.8.7.tar.gz
    chown root:root libprelude-0.8.7/ && chmod 750 libprelude-0.8.7/
    cd libprelude-0.8.7/
    find . -type f \( -perm -002000 -o -perm -004000 \)
      Note : Just in case... (lists setuid/setgid files in the unpacked sources)

  Note : A building problem was encountered here for the previous howto. If
  you run into one, have a look at the Prelude User mailing-list for the post
  recommending to use :

    libtoolize -c --force --ltdl --automake
    automake && autoconf

    ./configure --enable-ssl --prefix=/home/prelude --enable-shared=no
    make && make install


II.3. Building and installing the Prelude-Lml engine
----------------------------------------------------

    cd /home/system/applis/prelude
    md5sum /home/system/download/prelude-lml-0.8.5.tar.gz
      7a37b9c64a14bda2a69726f3e0fbe501  /home/system/download/prelude-lml-0.8.5.tar.gz

    tar zxvf /home/system/download/prelude-lml-0.8.5.tar.gz
    chown root:root prelude-lml-0.8.5 && chmod 750 prelude-lml-0.8.5
    cd prelude-lml-0.8.5
    find . -type f \( -perm -002000 -o -perm -004000 \)
      Note : Just in case... (lists setuid/setgid files in the unpacked sources)

    ./configure --prefix=/home/prelude --with-libprelude-prefix=/home/prelude
    make && make install


II.4. Setting correct permissions to installed files
----------------------------------------------------

    cd /home/prelude
    find . -type f -perm -000005 -exec chmod 750 {} \;
    find . -type f -perm -000004 -exec chmod 640 {} \;
    find . -type d -exec chmod 3750 {} \;
    chown -R prelude:prelude *
    chown root:prelude /home/prelude
    chmod 3750 /home/prelude

  => At this point the installation should match our installation goal.
  => But we still have to set correct permissions on two more files :

    chmod 640 /home/prelude/etc/prelude-lml/plugins.rules
    chmod 640 /home/prelude/etc/prelude-lml/prelude-lml.conf


II.5. Setting Firewall rules
----------------------------

  If the Prelude-Lml monitor station is firewalled, we now set the firewall
  to allow data flows between the monitor and the Prelude Manager.

  Use rules of this kind for an IpChains firewall :

    IPCH=/sbin/ipchains
    PRELUDE="IP_ADDRESS_OF_THE_PRELUDE_MANAGER"

    $IPCH -A output -p tcp --sport 1024: -d $PRELUDE 5553:5554 -j ACCEPT
    $IPCH -A input  -p tcp -s $PRELUDE 5553:5554 -y -j DENY
    $IPCH -A input  -p tcp -s $PRELUDE 5553:5554 --dport 1024: -j ACCEPT

  Use rules of this kind for a NetFilter firewall :

    INT="YOUR_NETWORK_INTERFACE"
    IPT=/sbin/iptables
    PRELUDE="IP_ADDRESS_OF_THE_PRELUDE_MANAGER"

    $IPT -A OUTPUT -o $INT -p tcp --sport 1024: -d $PRELUDE --dport 5553:5554 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i $INT -p tcp -s $PRELUDE --sport 5553:5554 --dport 1024: \
         -m state --state ESTABLISHED -j ACCEPT


II.6. Recording the Prelude-Lml monitor and first check
-------------------------------------------------------

  We now register our Prelude-Lml monitor with the Prelude Manager. Run
  'manager-adduser' on the manager and get the one-time password.
    mkdir /home/system/scripts/prelude-lml
    cd /home/system/scripts/prelude-lml
    ln -s /home/prelude/bin/sensor-adduser sensor-adduser
    ./sensor-adduser -s prelude-lml -u `/usr/bin/id -u preludelml` -m MANAGER:5553

  => MANAGER is the IP address of the Prelude Manager.
  => Use the default values for the client certificate creation.

  We then check that our Prelude-Lml monitor is able to connect to the
  manager :

    cd /home/prelude/bin
    ./prelude-lml -u preludelml -g prelude --manager-addr MANAGER:5554
    ^C

  As we have just executed prelude-lml for the first time, the engine created
  a few files we have to check... so :

    cd /home/prelude

  Which newly added files don't belong to the 'prelude' group ?

    => find . ! -group prelude

  And if you want to fix this :

    => find . ! -group prelude -exec chown :prelude \{\} \;

  Which newly added files are not stored with a correct identity ?

    => find . ! \( -user prelude -o -user preludelml \)

  On my OWN installation, some files have an identity I don't like, so :

    => chown prelude:prelude etc/prelude-sensors/sensors.ident
    => chmod 640 etc/prelude-sensors/sensors.ident
    => chown preludelml:prelude etc/prelude-lml/metadata/*
    => chmod 640 etc/prelude-lml/metadata/*

  Note : For the metadata directory, don't forget that each time you add a
  new file to monitor in the configuration file, a new metadata file will be
  created with the root:prelude identity.

  !!! Take care of this : if prelude-lml is started as a daemon and you
  restart it, it won't be able to open the related metadata lockfile and will
  fail with an error message such as :

    prelude-lml: file-server.c:file_metadata_open:387 : \
    (errno=Permission denied) : error creating \
    /home/prelude/etc/prelude-lml/metadata/xxx.
  !!!

  Did we miss some file ?

    => find . -perm -000004 -o -perm -000005


==========================
III. INITIALIZATION SCRIPT
==========================

  If you don't have a Prelude-Lml initialization script, or don't have the
  time/will to create one, you can use the script present in 'ANNEX 1 -
  Prelude-Lml Stop/Start Script'.

  => Don't forget to update the script with your own values.

  We configure the system to start the Prelude-Lml monitor at boot :

    chmod 750 /etc/init.d/preludelogmonitor.sh
    update-rc.d preludelogmonitor.sh defaults

  We check that the script works :

    /etc/init.d/preludelogmonitor.sh start
    /etc/init.d/preludelogmonitor.sh stop


========================================
IV. LAST THING BEFORE YOUR CONFIGURATION
========================================

  Before you begin to set up your own Prelude-Lml configuration files, there
  is one last thing to know.

  As you are using Prelude-LML to monitor logfiles, the prelude-lml engine
  must obviously have read permission on these logfiles. Take care of this,
  because if the prelude-lml engine cannot open the logfiles it is supposed to
  monitor, it will loop in its initialisation stage with messages such as :

    file-server.c:monitor_open:574 : (errno=Permission denied) : \
    couldn't open /var/log/xxx.

  The Prelude-LML engine, if run with a restricted uid/gid, must have read
  rights on the monitored logfiles with that restricted uid/gid (the logfiles
  are not opened once and for all with the super-user id before privileges
  are dropped). So you have a few ways to solve this problem :

  1/ 755 root:root /var
     755 root:root /var/log
     644 root:root /var/log/logfiles_to_monitor

  2/ Mirror the monitored logfiles to a specific location only Prelude-LML
     can reach.

  3/ Find another compromise... but remember that :
     The Prelude-LML gid is already set to prelude, so it is not possible to
     give prelude-lml access to a second group such as logadm...
     If you set the group permissions of the logfiles to prelude, then it
     means that your administrators have to be in the prelude group to watch
     these logs...
     But if they are in this group, it also means that they can access and
     update (if you set the permissions so) the /home/prelude directories.

  You can now set up your own configuration files, then :

    /etc/init.d/preludelogmonitor.sh start


=======================================
ANNEX 1 - Prelude-Lml Stop/Start Script
=======================================

/etc/init.d/preludelogmonitor.sh :

#!/bin/sh
#
# Centralized and secured remote logging solution with Prelude-Lml on Debian :
# How to securely install and set up the Prelude-Lml engine
# ANNEX 1 - Prelude-Lml Stop/Start Script
# v0.2.0 - 12/10/2003
#
# Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.
# http://www.entreelibre.com/scastro/prelude/
#

PRELUDE_LML_NAME=prelude-lml
PRELUDE_LML_BIN=/home/prelude/bin/prelude-lml
PRELUDE_LML_USER=preludelml
PRELUDE_LML_GROUP=prelude
PRELUDE_SRV_HOST="{MANAGER_IP_ADDRESS}:5554"
PRELUDE_LML_LOCK=/var/run/prelude-lml.pid

# Check we have the required binaries and variables
if [ -z "$PRELUDE_LML_BIN" ] || [ -z "$PRELUDE_LML_USER" ] || \
   [ -z "$PRELUDE_LML_GROUP" ] || [ -z "$PRELUDE_SRV_HOST" ] || \
   [ -z "$PRELUDE_LML_LOCK" ] || [ -z "$PRELUDE_LML_NAME" ]
then
    echo "Script configuration error"
    exit 0
fi
test -f "$PRELUDE_LML_BIN" || exit 0
test -f /usr/bin/killall || exit 0

# Start the engine as the restricted user/group (-u/-g), as a daemon (-d),
# and make it write its pidfile (-P). Returns 1 if it could not be started.
start_daemon()
{
    echo "Starting $PRELUDE_LML_NAME ..."
    if ! "$PRELUDE_LML_BIN" -u "$PRELUDE_LML_USER" -g "$PRELUDE_LML_GROUP" \
            --manager-addr "$PRELUDE_SRV_HOST" -d -P "$PRELUDE_LML_LOCK" > /dev/null
    then
        echo "... Couldn't start Prelude-Lml daemon"
        return 1
    fi
    return 0
}

# True if the pidfile exists and names a live process.
pidfile_alive()
{
    [ -f "$PRELUDE_LML_LOCK" ] && kill -0 `cat "$PRELUDE_LML_LOCK"` 2> /dev/null
}

case "$1" in
  start)
    if pidfile_alive
    then
        echo "$PRELUDE_LML_NAME already started ..."
        exit 0
    fi
    if [ ! -f "$PRELUDE_LML_LOCK" ] && pidof "$PRELUDE_LML_NAME" > /dev/null
    then
        echo "$PRELUDE_LML_NAME already started but pidfile doesn't exist ..."
        exit 0
    fi
    if [ -f "$PRELUDE_LML_LOCK" ]
    then
        echo "$PRELUDE_LML_NAME pidfile exists without $PRELUDE_LML_NAME daemon ..."
        echo "Deleting pidfile and starting $PRELUDE_LML_NAME daemon ..."
        rm -f "$PRELUDE_LML_LOCK"
    fi
    start_daemon || exit 1
    ;;

  stop)
    if pidfile_alive
    then
        echo "Stopping $PRELUDE_LML_NAME ..."
        kill -9 `cat "$PRELUDE_LML_LOCK"` > /dev/null
        rm -f "$PRELUDE_LML_LOCK"
    elif [ ! -f "$PRELUDE_LML_LOCK" ] && pidof "$PRELUDE_LML_NAME" > /dev/null
    then
        echo "$PRELUDE_LML_NAME started but no pidfile ... stopping ..."
        killall "$PRELUDE_LML_NAME" 2> /dev/null
    elif [ -f "$PRELUDE_LML_LOCK" ]
    then
        echo "$PRELUDE_LML_NAME pidfile exists but daemon not started ..."
        echo "Removing pidfile ..."
        rm -f "$PRELUDE_LML_LOCK"
    else
        echo "$PRELUDE_LML_NAME not started ..."
    fi
    ;;

  restart)
    $0 stop
    $0 start
    ;;

  *)
    echo "Usage: /etc/init.d/preludelogmonitor.sh {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
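As an added check that is not part of the original howto, the following script turns the installation goal of section I and the manual 'find' checks of II.4 and II.6 into one audit function. The function names are mine; the user and group names are parameters (the howto's values are the 'prelude' group and the 'prelude' and 'preludelml' users), and the root directory is exempt from the owner check because the howto sets it to root:prelude.

```sh
#!/bin/sh
# Added example, not part of the original howto: audit a Prelude tree against
# the installation goal of section I (directories 3750, files 640/750, no
# world-accessible entry, 'prelude' group everywhere, files owned by 'prelude'
# or 'preludelml'). Owner/group names are parameters so the audit can also be
# run on a test tree. Only POSIX find/sed/sort are used.

# audit_prelude_tree ROOT GROUP OWNER1 OWNER2
# Prints one "TAG path" line per deviation; returns 1 if any was found.
audit_prelude_tree()
{
    root=$1; grp=$2; own1=$3; own2=$4
    findings=$(
        {
            # Any permission bit set for 'other' (the II.4 / II.6 checks).
            find "$root" \( -perm -001 -o -perm -002 -o -perm -004 \) -print \
                | sed 's/^/WORLD_ACCESS /'
            # Directories missing the setgid or sticky bit (goal: 3750).
            find "$root" -type d ! -perm -3000 -print | sed 's/^/NOT_3750 /'
            # Entries outside the prelude group.
            find "$root" ! -group "$grp" -print | sed 's/^/BAD_GROUP /'
            # Entries below the root owned by neither service user, e.g. the
            # root:prelude metadata files the howto warns about. The root
            # itself is skipped because the howto sets it to root:prelude.
            find "$root" -path "$root" -o \
                ! \( -user "$own1" -o -user "$own2" \) -print \
                | sed 's/^/BAD_OWNER /'
        } | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# count_deviations ROOT GROUP OWNER1 OWNER2 : number of deviation lines.
count_deviations()
{
    audit_prelude_tree "$@" | wc -l | tr -d ' '
}

# Against the real installation, with the howto's values:
#   audit_prelude_tree /home/prelude prelude prelude preludelml
```

Run it after II.4, after the first start in II.6 and whenever a new file to monitor has been added to the configuration, since that is when new metadata files appear.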