LinuxQuestions.org

Linux - Security: Linux-Windows Security: ClamAV and Event Viewer (https://www.linuxquestions.org/questions/linux-security-4/linux-windows-security-clamav-and-event-viewer-587846/)

ElvisImprsntr 09-27-2007 06:04 PM

Linux-Windows Security: ClamAV and Event Viewer
 
BACKGROUND

I have 2 Linux and 2 Windows systems, plus a NAS, connected together on a local LAN. One of the Linux (Debian) machines NFS mounts the other, and the same Linux machine smbfs mounts the 2 Windows machines, as well as the NAS. The same Linux machine runs a cron.daily to perform daily incremental, weekly full, and monthly full file system backups of the Linux and Windows systems. It all works nicely and I spent a lot of time making sure the file, mount, and share permissions were appropriate to keep users from obtaining access to backups. (See other question and solution posts from me on this forum if you are interested.)

NEW CHALLENGES

QUESTION 1 - CLAMSCAN
I do not run real-time file access VS (ClamAV and ClamWin) as this would have an adverse effect on the real-time high-speed data acquisition capabilities the system is specifically designed to perform. I would like to be able to schedule a weekly (Sundays) complete VS using ClamAV clamscan of both the Linux and mounted Windows systems. Is it possible to use clamscan on the Linux machine to scan the other Linux and Windows machines and generate at least a report? (I am assuming that clamscan would not be able to quarantine mounted file systems.)

QUESTION 2 – EVENT LOGS
Because of the nature of this system, I am required to perform weekly security audits of ALL the systems. I have SNARE installed on the Linux machine to audit Security Relevant Objects (SROs) on the Linux side. I am relying on the built-in Windows Event Viewer Security Log to record logins/logouts and access to SROs as well. I am hoping that I can create an automated weekly audit script on the one Linux machine that digests both the various Linux (audit.log, auth.log, lastlog, etc.) and Windows (SecEvent.evt, etc.) logs and generates an HTML report or equivalent. The SecEvent.evt file does not appear to be text readable when accessed from the Linux machine. I think I can manage the Linux side, but how can I use Linux to read/parse out the Windows logs? Or do I copy the SecEvent.evt and perform a dos2unix command to make the file text readable? Or is there a tool that will digest/convert the Windows logs?


Thanks in advance for your time,

Elvis

ElvisImprsntr 09-28-2007 11:31 AM

SOLUTION 1 - CLAMSCAN

OK, I plowed through the ClamAV manual, coupled with my previous experience setting up cron.daily file backups, and figured out how to implement a cron.daily process that will perform a nightly full system scan of both my Linux machines (one nfs mounted to the other), the Windows smbfs mount points, and the Terastation smbfs mounted user share mount point. I intentionally excluded my Terastation protected backup share, since that directory contains large backup files and large bare metal disk images.

I downloaded the eicar.txt test signature file (http://www.eicar.org/anti_virus_test_file.htm) and confirmed that the Linux clamscan will detect the test signature file on a Windows smbfs mounted path. The eicar.txt signature is just that, a plain ASCII file. I do not know for sure if it would detect a binary file or not. Perhaps someone else would know.

QUESTION 2 - EVENT LOGS

Still looking for a recommendation on how to get Linux to pull the Windows SecEvent.evt event log and figure out how to automatically convert the file to an ASCII file that I can easily parse down to only the significant events and/or use Linux tools to process/interpret.


EDIT: FYI, if you are manually downloading ClamAV signature files and burning them to a CD using a Windows PC, make sure to ZIP the files beforehand, otherwise some file information will be lost and the signature files will not work on a Linux machine. You can thank Bill Gates for that one.
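A cron.daily-style clamscan wrapper along the lines of what this post describes (local root, an NFS-mounted Linux box, smbfs-mounted Windows boxes and a NAS user share, with the NAS backup share excluded), written as an added example and not the poster's own script; the mount points, the excluded share, the log directory and the use of a local mail command are assumed placeholders.

```shell
#!/bin/sh
# Weekly full scan of the local root, an NFS-mounted Linux box, smbfs-mounted
# Windows boxes and a NAS user share, with the NAS backup share excluded.
# Paths below are assumed placeholders, not the poster's real mount points.
SCAN_PATHS="/ /mnt/linux2 /mnt/win1 /mnt/win2 /mnt/nas_share"
EXCLUDE_DIRS="/proc /sys /dev /mnt/nas_backup"
LOGDIR="${LOGDIR:-/var/log/clamav}"

# One --exclude-dir=^DIR per excluded directory (clamscan treats the value as a regex).
build_exclude_args() {
    args=""
    for d in $EXCLUDE_DIRS; do
        args="$args --exclude-dir=^$d"
    done
    printf '%s' "${args# }"
}

# Keep only paths that are actually mounted (checked against /proc/mounts); an
# unmounted share would otherwise scan an empty directory and report "clean".
mounted_paths() {
    for p in $SCAN_PATHS; do
        if [ "$p" = / ] || grep -qs " $p " /proc/mounts; then
            printf '%s\n' "$p"
        fi
    done
}

# Report from a clamscan log: the "FOUND" lines, then the count of infected
# files on the last line so a caller can alert on a non-zero value.
summarize_log() {
    grep ' FOUND$' "$1" || true
    grep -c ' FOUND$' "$1" || true
}

run_weekly_scan() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/weekly-$(date +%Y%m%d).log"
    # -r recurse, -i list only infected files; exit code 0 clean, 1 infected, 2 error.
    clamscan -r -i --stdout $(build_exclude_args) $(mounted_paths) >"$log" 2>&1
    rc=$?
    { echo "clamscan exit code: $rc (0 clean, 1 infected, 2 error)"; summarize_log "$log"; } \
        | mail -s "Weekly ClamAV scan $(hostname)" root
}

# Run the scan only when invoked as: weekly-clamscan.sh --run
if [ "${1:-}" = "--run" ]; then
    run_weekly_scan
fi
```

Dropping the script into cron.weekly with the --run argument gives the Sunday scan asked for in the question; the report keeps the full log on disk and mails only the hits.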

unSpawn 09-29-2007 03:11 AM

Quote:

Originally Posted by ElvisImprsntr (Post 2906665)
Still looking for a recommendation how to get Linux to pull the Windows SecEvent.evt event log and figure out how to automatically convert the file to an ASCII file that I can easily parse down to only the significant events and/or use Linux tools to process/interpret.

Maybe use http://ntsyslog.sourceforge.net/ since that would skip conversion. You have to come up with rules for parsing since I don't think there's a GNU/Linux syslog parser that will (and that wouldn't be a question for this forum as it deals with only Linux Security questions). Else find an application that generates alerts on the non-GNU/Linux side, but that involves paying for it or a slightly more amateurish approach (not realtime, minor scripting). This particular vendor that was founded to develop and sell BASIC interpreters for the Altair 8800 has a freebie called "logparser" with which you can query event logs and select output destination and formats IIRC. Set up an at-compatible job to run it and send the results over. Also (formerly) Sysinternals has 'psloglist' with which you can achieve nearly the same. As far as I know there is only one GNU/Linux tool that can (pre)view the aforementioned vendor's proprietary logs and it ain't freeware so I don't feel compelled to promote it.

Maybe check out loganalysis.org for more.

ElvisImprsntr 09-29-2007 08:23 AM

unSpawn,

Thanks for your guidance and leads. I also stumbled across the aforementioned vendor's logparser late yesterday. Based on my understanding of its capabilities, I think I can create a query to export 1 week's worth (or since the last query) of event log records to an output format of choice, then use the Linux side to collect all the relevant events into some number of reports, and archive them. While this implementation is not ideal for a large enterprise, the system is an isolated stand-alone one that I am required to treat as if it were on a large LAN for various undisclosed reasons.

loganalysis.org seems to be a good resource as well.

Thanks again.

Elvis

UPDATE: psloglist seems to do the trick a little easier than logparser.
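The Linux-side half of the approach settled on in this thread (export the Security log with logparser or psloglist, then reduce it to the significant events and a report on the Linux machine), as an added example that is not the poster's code; the CSV column layout, the constructed sample rows in the test and the report format are assumptions, and the event IDs are the pre-Vista Security log IDs for logon and logoff events.

```shell
#!/bin/sh
# Reduce a Windows Security log exported as CSV to the events a weekly audit
# needs and emit a small HTML report. Assumed column layout (constructed for
# this example; logparser/psloglist output depends on the query you write):
#   Time,EventID,Type,User,Message   with no quoted commas inside fields.
# Event IDs are the pre-Vista Security log IDs the systems in this thread use.
AUDIT_IDS="528 529 538 540 560"   # logon, failed logon, logoff, network logon, object open

# Rows whose EventID is in AUDIT_IDS, as TSV: time, id, user, message.
filter_events() {
    awk -F, -v ids="$AUDIT_IDS" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && ($2 in want) { print $1 "\t" $2 "\t" $4 "\t" $5 }
    ' "$1"
}

# Failed logons (ID 529) are the count a cron job would alert on.
count_failed_logons() {
    filter_events "$1" | awk -F'\t' '$2 == 529' | wc -l | tr -d ' '
}

# Escape log text before it lands in HTML: a username or message that was
# chosen by whoever triggered the event must not become markup in the
# auditor's browser.
html_escape() {
    sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# html_report CSVFILE HOSTNAME
html_report() {
    echo "<html><body><h1>Security events: $2</h1><table border=\"1\">"
    echo "<tr><th>Time</th><th>Event ID</th><th>User</th><th>Message</th></tr>"
    filter_events "$1" | html_escape | awk -F'\t' \
        '{ printf "<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n", $1, $2, $3, $4 }'
    echo "</table></body></html>"
}
```

Run html_report once per exported file (one per Windows host) from the same weekly cron job and archive the output beside the Linux-side reports.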

