================================================================================
Centralized and secured remote logging solution with Prelude-Lml on Debian :
How to securely install and set up the Prelude-Lml engine

Simon Castro - v0.1.8 - 20/05/2003
http://www.entreelibre.com/scastro/prelude/
================================================================================

================
GENERAL OVERVIEW
================

This document presents a "Centralized and secured remote logging solution"
based on the Prelude-LML log monitor engine of the Prelude suite. It describes
how to install and set up the Prelude library and the Prelude-Lml engine and
how to secure this installation on a GNU/Linux Debian 3.0 stable server.

The Prelude suite is available on http://www.prelude-ids.org

Note : This document is not intended to describe how to install or set up the
Prelude manager ; I therefore assume it is already up and ready to be used.
This document also doesn't describe how to write the Prelude-Lml monitoring
configuration files.

Note : A few Debian packages should be installed before building/installing
the Prelude-Lml monitor : 'libssl-dev' for the SSL support, 'libltdl3-dev' for
the libraries management and 'libpcre3-dev' for the PCRE support in
Prelude-Lml.

A special thanks to the Prelude development team for their fabulous work...

=======
SUMMARY
=======

GENERAL OVERVIEW
SUMMARY
LICENSE
I. INSTALLATION GOAL
II. INSTALLATION
  II.1. Users creation
  II.2. Building and installing the LibPrelude
  II.3. Building and installing the Prelude-Lml engine
  II.4. Setting correct permissions to installed files
  II.5. Setting Firewall rules
  II.6. Recording the Prelude-Lml monitor and first check
III. INITIALIZATION SCRIPT
IV. LAST CHECK
V. LAST THING BEFORE YOUR CONFIGURATION
ANNEX 1 - Prelude-Lml Stop/Start Script

=======
LICENSE
=======

Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with the Invariant Sections being
LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the
Back-Cover Texts being LIST.

You must have received a copy of the license with this document and it should
be present in the fdl.txt file. If you did not receive this file or if you
don't think this fdl.txt license is correct, have a look at the official
http://www.fsf.org/licenses/fdl.txt licence file.

====================
I. INSTALLATION GOAL
====================

Our installation goal :

* The Prelude-Lml monitor runs under the 'preludelml:prelude' identity.
* System users cannot access the Prelude directory structure if they are not
  in the 'prelude' group.
* The 'prelude' group users can be configured (using the 'sudo' configuration
  file) to get the 'prelude' identity to manage the Prelude-Lml configuration.

=> The directory hierarchy permissions of the Prelude-Lml will be :
   1750 - root:prelude - /home/prelude
   3750 - prelude:prelude for the directories under /home/prelude.
   640 or 750 - prelude:prelude for the files under /home/prelude.

=> Unfortunately, this goal cannot be achieved at the present time (look at
   'II.4. Setting correct permissions to installed files' for further
   information).

================
II. INSTALLATION
================

II.1. Users creation
--------------------

We first add a restricted user :

groupadd prelude
adduser --disabled-password --quiet --ingroup prelude prelude
Full Name []: Prelude user for Prelude-lml
Other []: Restricted user
passwd -l prelude && chsh -s /bin/false prelude
find /home/prelude/ -type f -exec rm \{\} \;

We then add another restricted user which will be used to run the Prelude-Lml
monitor under the 'preludelml:prelude' identity.
adduser --no-create-home --disabled-password --quiet --ingroup prelude \
        --home /home/prelude preludelml
Full Name []: Prelude Lml User
Other []: Utilisateur restreint
passwd -l preludelml && chsh -s /bin/false preludelml

II.2. Building and installing the LibPrelude
--------------------------------------------

mkdir /home/system/applis/prelude && cd /home/system/applis/prelude
ls -l /home/system/applis
drwxr-x---    3 root     root         1024 Mar 21 13:31 prelude
md5sum /home/system/download/libprelude-0.8.5.tar.gz
058a375229af13e30761c45f0d76adbe  /home/system/download/libprelude-0.8.5.tar.gz
tar zxvf /home/system/download/libprelude-0.8.5.tar.gz
chown root:root libprelude-0.8.5/ && chmod 750 libprelude-0.8.5/
cd libprelude-0.8.5/
find . -type f -perm -002000 -o -perm -004000
=> Note : just in case... (this lists any setuid or setgid file shipped in the
   source tree ; there should be none).

Note : A build problem may occur here ; if you encounter one, have a look at
the Prelude users mailing-list for the post recommending the use of :
libtoolize -c --force --ltdl --automake
automake && autoconf

./configure --enable-ssl --prefix=/home/prelude --enable-shared=no
make && make install

II.3. Building and installing the Prelude-Lml engine
----------------------------------------------------

cd /home/system/applis/prelude
md5sum /home/system/download/prelude-lml-0.8.3.tar.gz
2dd22a105da2c93a529202d2621e9c1c  /home/system/download/prelude-lml-0.8.3.tar.gz
tar zxvf /home/system/download/prelude-lml-0.8.3.tar.gz
chown root:root prelude-lml-0.8.3 && chmod 750 prelude-lml-0.8.3
cd prelude-lml-0.8.3
find . -type f -perm -002000 -o -perm -004000
=> Note : just in case... (same setuid/setgid check as above).

./configure --prefix=/home/prelude --with-libprelude-prefix=/home/prelude
make && make install

II.4. Setting correct permissions to installed files
----------------------------------------------------

chown root:prelude /home/prelude
chmod 1750 /home/prelude
cd /home/prelude
find . -type f -perm -000005 -exec chmod 750 {} \;
find . -type f -perm -000004 -exec chmod 640 {} \;
find . -type d -exec chmod 3750 {} \;
chown -R prelude:prelude *

=> At this time, we have an installation matching our installation goal.
   We now update this installation to allow the Prelude monitor to run.

It seems that the Prelude-Lml monitor tries to access the
{install_root}/etc/prelude-lml/plugins.rules file after dropping its
privileges to the restricted identity. This is our first problem : access to
this file should already be allowed through the monitor's 'prelude' gid, but
since the monitor apparently cannot open it, we open the path to this file to
the 'world' :

chmod 1755 /home/prelude
chmod 3755 /home/prelude/etc /home/prelude/etc/prelude-lml
chmod 1644 /home/prelude/etc/prelude-lml/plugins.rules

Our second problem is that when the Prelude-Lml monitor receives a SIGHUP
signal, it tries to re-run itself again and again. With the following
settings, it only kills itself instead :

chmod 1755 /home/prelude/bin/
chown preludelml:prelude /home/prelude/bin/prelude-lml

II.5. Setting Firewall rules
----------------------------

If the Prelude-Lml monitor station is firewalled, we now set the firewall to
allow data flows between the monitor and the Prelude Manager.

Use this kind of rules for an IpChains firewall :

IPCH=/sbin/ipchains
PRELUDE="IP_ADDRESS_OF_THE_PRELUDE_MANAGER"
$IPCH -A output -p tcp --sport 1024: -d $PRELUDE 5553:5554 -j ACCEPT
$IPCH -A input -p tcp -s $PRELUDE 5553:5554 -y -j DENY
$IPCH -A input -p tcp -s $PRELUDE 5553:5554 --dport 1024: -j ACCEPT

Use this kind of rules for a NetFilter firewall :

INT="YOUR_NETWORK_INTERFACE"
IPT=/sbin/iptables
PRELUDE="IP_ADDRESS_OF_THE_PRELUDE_MANAGER"
$IPT -A OUTPUT -o $INT -p tcp --sport 1024: -d $PRELUDE --dport 5553:5554 -m \
     state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INT -p tcp -s $PRELUDE --sport 5553:5554 --dport 1024: -m \
     state --state ESTABLISHED -j ACCEPT

=> Only the monitor opens connections (NEW) towards the manager ; the manager
   is never allowed to open a connection towards the monitor.

II.6. Recording the Prelude-Lml monitor and first check
-------------------------------------------------------

We now record our Prelude-Lml monitor in the Prelude Manager. Run
'manager-adduser' on the manager and get the one time password.

mkdir /home/system/scripts/prelude-lml
cd /home/system/scripts/prelude-lml
ln -s /home/prelude/bin/sensor-adduser sensor-adduser
./sensor-adduser -s prelude-lml -u `/usr/bin/id -u preludelml` -m MANAGER:5553

=> MANAGER is the IP address of the Prelude Manager.
=> Use the default values for the client certificate creation.

We then check that our Prelude-Lml monitor is able to connect to the manager :

cd /home/prelude/bin
./prelude-lml -u preludelml --manager-addr MANAGER:5554
^C

==========================
III. INITIALIZATION SCRIPT
==========================

If you don't have a Prelude-Lml initialization script nor have the time/will
to create one, you can use the script present in 'ANNEX 1 - Prelude-Lml
Stop/Start Script'.

=> Don't forget to update the script with your own values.

We configure the system to start the Prelude-Lml monitor at boot time :

chmod 750 /etc/init.d/preludelogmonitor.sh
update-rc.d preludelogmonitor.sh defaults

We check that the script works :

/etc/init.d/preludelogmonitor.sh start
/etc/init.d/preludelogmonitor.sh stop

==============
IV. LAST CHECK
==============

Before you set up your own configuration files, take a look at the following
steps.

cd /home/prelude

Which added files don't belong to the 'prelude' group ?
=> find . ! -group prelude

And if you want to update this :
=> find . ! -group prelude -exec chown :prelude \{\} \;

Which added files are not stored with a correct identity ?
=> find . ! \( -user prelude -o -user preludelml \)

On my OWN installation there are some files whose identity I don't like, so :
=> chown prelude:prelude etc/prelude-sensors/sensors.ident
=> chmod 640 etc/prelude-sensors/sensors.ident
=> chown prelude:prelude etc/prelude-lml/metadata/*
=> chmod 640 etc/prelude-lml/metadata/*

Note : For the metadata directory, don't forget that each time you add a new
file to monitor in the configuration file, a new metadata file will be added
with the root:prelude identity.

Are we missing any file ?
=> find . -perm -000004 -o -perm -000005

You should only get the files you updated yourself while reading
'II.4. Setting correct permissions to installed files'.

=======================================
V. LAST THING BEFORE YOUR CONFIGURATION
=======================================

Before you begin to set up your own Prelude-Lml configuration files, there is
a last thing to know.

With the Prelude-Lml version I am using as I write this document, I have to
pay special attention to the access permissions of my monitored logfiles.
I usually set the following permissions on my monitored logfiles :

755 root:root /var
755 root:root /var/log
640 root:adm  /var/log/logfiles

It seems that the Prelude-Lml monitor is no longer able to open these logfiles
after dropping its privileges to the restricted user. So take your own 'risks'
and chmod 644 these logfiles, or mirror these logfiles in a specific location
only the Prelude-Lml monitor can reach...

You can now set up your own configuration files, then ...
/etc/init.d/preludelogmonitor.sh start

=======================================
ANNEX 1 - Prelude-Lml Stop/Start Script
=======================================

/etc/init.d/preludelogmonitor.sh :

#!/bin/sh
#
# Centralized and secured remote logging solution with Prelude-Lml on Debian :
# How to securely install and set up the Prelude-Lml engine
# ANNEX 1 - Prelude-Lml Stop/Start Script
# v0.1.8 - 20/05/2003
#
# Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.
# http://www.entreelibre.com/scastro/prelude/
#
# Exit status : 0 when the requested action was done (or nothing had to be
# done), 1 on failure or usage error.

PRELUDE_LML_NAME=prelude-lml
PRELUDE_LML_BIN=/home/prelude/bin/prelude-lml
PRELUDE_LML_USER=preludelml
PRELUDE_SRV_HOST="{MANAGER_IP_ADDRESS}:5554"
PRELUDE_LML_LOCK=/var/run/prelude-lml.pid

# Check we have the required binaries and variables
if [ -z "$PRELUDE_LML_BIN" ] || [ -z "$PRELUDE_LML_USER" ] || \
   [ -z "$PRELUDE_SRV_HOST" ] || [ -z "$PRELUDE_LML_LOCK" ] || \
   [ -z "$PRELUDE_LML_NAME" ]
then
    echo "Script configuration error"
    exit 1
fi
test -f "$PRELUDE_LML_BIN" || exit 0
test -f /usr/bin/killall || exit 0

# Is the process recorded in the pidfile still alive ?
pidfile_alive() {
    [ -f "$PRELUDE_LML_LOCK" ] && \
        kill -0 "$(cat "$PRELUDE_LML_LOCK")" 2> /dev/null
}

# Run the monitor as the restricted user, daemonized (-d), with its pidfile (-P)
start_daemon() {
    if "$PRELUDE_LML_BIN" -u "$PRELUDE_LML_USER" \
        --manager-addr "$PRELUDE_SRV_HOST" -d -P "$PRELUDE_LML_LOCK" > /dev/null
    then
        return 0
    else
        echo "... Couldn't start Prelude-Lml daemon"
        return 1
    fi
}

case "$1" in
  start)
    if pidfile_alive
    then
        echo "$PRELUDE_LML_NAME already started ..."
        exit 0
    elif [ ! -f "$PRELUDE_LML_LOCK" ] && pidof "$PRELUDE_LML_NAME" > /dev/null
    then
        echo "$PRELUDE_LML_NAME already started but pidfile doesn't exist ..."
        exit 0
    elif [ -f "$PRELUDE_LML_LOCK" ]
    then
        echo "$PRELUDE_LML_NAME pidfile exists without $PRELUDE_LML_NAME daemon ..."
        echo "Deleting pidfile and starting $PRELUDE_LML_NAME daemon ..."
        rm -f "$PRELUDE_LML_LOCK"
    else
        echo "Starting $PRELUDE_LML_NAME ..."
    fi
    start_daemon || exit 1
    ;;
  stop)
    if pidfile_alive
    then
        echo "Stopping $PRELUDE_LML_NAME ..."
        # SIGKILL on purpose : a SIGHUP would make the monitor re-run itself
        # (see II.4)
        kill -9 "$(cat "$PRELUDE_LML_LOCK")" > /dev/null
        rm -f "$PRELUDE_LML_LOCK"
    elif [ ! -f "$PRELUDE_LML_LOCK" ] && pidof "$PRELUDE_LML_NAME" > /dev/null
    then
        echo "$PRELUDE_LML_NAME started but no pidfile ... stopping ..."
        killall "$PRELUDE_LML_NAME" 2> /dev/null
    elif [ -f "$PRELUDE_LML_LOCK" ]
    then
        echo "$PRELUDE_LML_NAME pidfile exists but daemon not started ..."
        echo "Removing pidfile ..."
        rm -f "$PRELUDE_LML_LOCK"
    else
        echo "$PRELUDE_LML_NAME not started ..."
    fi
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/preludelogmonitor.sh {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
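The following is an added example, not code from the original how-to, that turns the permission goal of section I and the manual find(1) checks of sections II.4 and IV into a single audit function. It assumes GNU find (as shipped with Debian) and takes the install root, the expected group and the two allowed owners as arguments. The deviations deliberately introduced in II.4 (the world-readable plugins.rules file and bin directory) will show up in its report and are there to be reviewed, not blindly corrected.

```shell
#!/bin/sh
# Added example : audit a Prelude-Lml tree against the permission goal of
# section I (1750 root:prelude on the root, 3750 on the directories below it,
# 640 or 750 on files, everything owned by prelude or preludelml and in the
# 'prelude' group). Relies on GNU find, as shipped with Debian.
#
# Usage : audit_prelude_tree /home/prelude prelude prelude preludelml

# Prefix every path read on stdin with the reason it was reported for
_tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_prelude_tree ROOT GROUP OWNER1 OWNER2
# Prints one "reason<TAB>path" line per deviation and returns 1 if there is
# any ; prints nothing and returns 0 when the tree matches the goal.
audit_prelude_tree() {
    root=$1 group=$2 owner1=$3 owner2=$4
    report=$(
        find "$root" ! -group "$group" | _tag wrong-group
        find "$root" ! \( -user "$owner1" -o -user "$owner2" \) | _tag wrong-owner
        find "$root" -maxdepth 0 ! -perm 1750 | _tag root-mode-not-1750
        find "$root" -mindepth 1 -type d ! -perm 3750 | _tag dir-mode-not-3750
        # II.4 leaves plugins.rules and bin/ world-accessible on purpose :
        # such lines are expected and must be reviewed rather than "fixed"
        find "$root" -type f ! -perm 640 ! -perm 750 | _tag file-mode-not-640-or-750
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use : audit the tree given on the command line
if [ $# -eq 4 ]; then
    audit_prelude_tree "$@"
fi
```

Run it as root after II.4 and again after IV ; the only lines it should print are the ones you opened yourself in II.4.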
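Added example for section V (not code from the original document) : before starting the monitor, evaluate whether the identity it drops to can actually open each monitored logfile, by applying the owner/group/other rule to the file and to every directory on its path. The pure check (has_bit) works on the octal mode, owner and group as printed by stat(1) or chmod(1), so it can be used on the 755 root:root /var, 755 root:root /var/log, 640 root:adm logfile layout the section describes ; the wrapper reads real files with GNU stat(1) and id(1). Function names are this example's own.

```shell
#!/bin/sh
# Added example : pre-flight check that the restricted identity the monitor
# drops to can still open a monitored logfile (section V).
#
# Usage : check_log_access /var/log/syslog preludelml

# has_bit MODE OWNER GROUP BIT USER [GROUP...]
# MODE is octal as chmod(1)/stat(1) print it (640, 0640, 1644) ; BIT is 4 for
# read or 1 for search/execute ; the remaining arguments are USER's groups.
# Usual Unix rule : the owner class applies if USER owns the file, otherwise
# the group class if GROUP is one of USER's groups, otherwise the other class.
# Returns 0 when the bit is set for USER.
has_bit() {
    mode=$1 owner=$2 fgroup=$3 bit=$4 user=$5
    shift 5
    mode=${mode#"${mode%???}"}      # keep the last three octal digits
    if [ "$user" = "$owner" ]; then
        digit=${mode%??}            # owner digit
    else
        digit=${mode#??}            # other digit, unless a group matches
        for g in "$@"; do
            if [ "$g" = "$fgroup" ]; then
                digit=${mode#?}
                digit=${digit%?}    # group digit
                break
            fi
        done
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# _perm_ok PATH BIT USER [GROUP...] : has_bit on a real file (GNU stat)
_perm_ok() {
    p=$1 bit=$2 user=$3
    shift 3
    has_bit $(stat -c '%a %U %G' "$p") "$bit" "$user" "$@"
}

# check_log_access FILE USER
# Needs search on every parent directory and read on the file itself ; prints
# the first failing path and returns 1, returns 0 when USER can open FILE.
check_log_access() {
    file=$1 user=$2
    case $file in /*) ;; *) file=$PWD/$file ;; esac
    groups=$(id -Gn "$user" 2> /dev/null) || {
        echo "unknown user : $user" >&2
        return 2
    }
    dir=$(dirname "$file")
    while :; do
        _perm_ok "$dir" 1 "$user" $groups || {
            echo "$user cannot search $dir"
            return 1
        }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    _perm_ok "$file" 4 "$user" $groups || {
        echo "$user cannot read $file"
        return 1
    }
    echo "$user can open $file"
}

# Stand-alone use
if [ $# -eq 2 ]; then
    check_log_access "$1" "$2"
fi
```

With the section's own layout, has_bit 640 root adm 4 preludelml prelude fails while has_bit 644 root adm 4 preludelml prelude succeeds, which is exactly the chmod 644 trade-off the text describes ; a mirrored copy owned by prelude:prelude with mode 640 also passes without opening the file to the world.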