LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-27-2007, 06:04 PM   #1
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Rep: Reputation: 19
Linux-Windows Security: ClamAV and Event Viewer


BACKGROUND

I have 2 Linux and 2 Windows systems, plus a NAS, connected together on a local LAN. One of the Linux (Debian) machines NFS mounts the other, and the same Linux machine smbfs mounts the 2 Windows machines, as well as the NAS. The same Linux machine runs a cron.daily to perform daily incremental, weekly full, and monthly full file system backups of the Linux and Windows systems. It all works nicely and I spent a lot of time making sure the file, mount, and share permissions were appropriate to keep users from obtaining access to backups. (See other question and solution posts from me on this forum if you are interested)

NEW CHALLENGES

QUESTION 1 - CLAMSCAN
I do not run real-time file access VS (ClamAV and ClamWin) as this would have an adverse effect on the real-time high-speed data acquisition capabilities the system is specifically designed to perform. I would like to be able to schedule a weekly (Sundays) complete VS using ClamAV clamscan of both the Linux and mounted Windows systems. Is it possible to use clamscan on the Linux machine to scan the other Linux and Windows machines and generate at least a report? (I am assuming that clamscan would not be able to quarantine mounted file systems.)

QUESTION 2 – EVENT LOGS
Because of the nature of this system, I am required to perform weekly security audits of ALL the systems. I have SNARE installed on the Linux machine to audit Security Relevant Objects (SROs) on the Linux side. I am relying on the built-in Windows Event Viewer Security Log to record logins/outs and access to SROs as well. I am hoping that I can create an automated weekly audit script on the one Linux machine to generate a weekly report of both the various Linux (audit.log, auth.log, lastlog, etc.) as well as the Windows (SecEvent.evt, etc.) logs to generate an HTML report or equivalent. The SecEvent.evt file does not appear to be text readable when accessed from the Linux machine. I think I can manage the Linux side, but how can I use Linux to read/parse out the Windows logs? Or do I copy the SecEvent.evt, perform a dos2unix command, to make the file text readable? Or is there a tool that will digest/convert the Windows logs?


Thanks in advance for your time,

Elvis

Last edited by ElvisImprsntr; 09-29-2007 at 07:55 AM.
 
Old 09-28-2007, 11:31 AM   #2
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Original Poster
Rep: Reputation: 19
SOLUTION 1 - CLAMSCAN

OK, I plowed through the ClamAV manual, coupled with my previous experience setting up cron.daily file backups, and figured out how to implement a cron.daily process that will perform a nightly full system scan of both my Linux machines (one nfs mounted to the other), and the Windows smbfs mount points, as well as the Terastation smbfs mounted user share mount point. I intentionally excluded my Terastation protected backup share, since that directory contains large backup files and large bare metal disk images.

I downloaded the eicar.txt test signature file (http://www.eicar.org/anti_virus_test_file.htm) and confirmed that the Linux clamscan will detect the test signature file on a Windows smbfs mounted path. The eicar.txt signature is just that, a plain ASCII file. I do not know for sure if it would detect a binary file or not. Perhaps someone else would know.

QUESTION 2 - EVENT LOGS

Still looking for a recommendation on how to get Linux to pull the Windows SecEvent.evt event log and figure out how to automatically convert the file to an ASCII file that I can easily parse down to only the significant events and/or use Linux tools to process/interpret.


EDIT: FYI, if you are manually downloading ClamAV signature files and burning them to a CD using a Windows PC, make sure to ZIP the files beforehand, otherwise some file information will be lost and the signature files will not work on a Linux machine. You can thank Bill Gates for that one.

Last edited by ElvisImprsntr; 09-29-2007 at 07:57 AM.
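A cron.daily wrapper along the lines the post describes, as an added example that is not the poster's own script: it scans the local tree plus whichever NFS/smbfs mounts are actually present, excludes the backup share with an anchored --exclude-dir regex, and records clamscan's exit status as a verdict in a dated report. The mount points, report directory and excluded share are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the poster's own cron.daily script): nightly clamscan over
# the local tree and the NFS/smbfs mounts, skipping the protected backup share.
LOCAL_PATHS="/home /etc /usr/local"                           # assumed local roots
MOUNTS="/mnt/debian2 /mnt/winpc1 /mnt/winpc2 /mnt/nas/share"  # assumed mounts
EXCLUDE_DIRS="/mnt/nas/backup"                                # assumed backup share
REPORT_DIR="/var/log/clamscan"                                # assumed report dir

# Emit the clamscan argument list one per line: recursive, report infected
# files only, one anchored --exclude-dir regex per excluded path, then the
# scan roots given as arguments.
build_scan_args() {
    printf '%s\n' --recursive --infected
    for d in $EXCLUDE_DIRS; do
        printf '%s\n' "--exclude-dir=^$d"
    done
    for p in "$@"; do
        printf '%s\n' "$p"
    done
}
# Keep only roots that are currently mounted, so a share that failed to mount
# overnight is logged as skipped instead of being scanned as an empty directory
# and reported as clean.
mounted_paths() {
    for p in "$@"; do
        if mountpoint -q "$p" 2>/dev/null; then
            printf '%s\n' "$p"
        else
            echo "SKIPPED (not mounted): $p" >&2
        fi
    done
}
# Translate clamscan's documented exit status into a report verdict:
# 0 = no virus found, 1 = virus(es) found, 2 = an error occurred.
scan_verdict() {
    case "$1" in 0) echo CLEAN ;; 1) echo INFECTED ;; 2) echo ERROR ;; *) echo "UNKNOWN($1)" ;; esac
}
run_scan() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/clamscan-$(date +%Y%m%d).log"
    roots="$LOCAL_PATHS $(mounted_paths $MOUNTS 2>>"$report")"
    # Word-splitting the argument list is intended; the paths contain no spaces.
    clamscan --log="$report" $(build_scan_args $roots)
    rc=$?
    echo "VERDICT: $(scan_verdict $rc)" >>"$report"
}
# Run only when asked, so the functions can be sourced and checked by hand.
case "${1:-}" in run) run_scan ;; esac
```

Scripts under /etc/cron.daily are invoked without arguments, so have the cron.daily file call this script with `run` (or drop the guard) once it has been tested by hand.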
 
Old 09-29-2007, 03:11 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by ElvisImprsntr View Post
Still looking for a recommendation how to get Linux to pull the Windows SecEvent.evt event log and figure out how to automatically convert the file to an ASCII file that I can easily parse down to only the significant events and/or use Linux tools to process/interpret.
Maybe use http://ntsyslog.sourceforge.net/ since that would skip conversion. You have to come up with rules for parsing since I don't think there's a GNU/Linux syslog parser that will (and that wouldn't be a question for this forum as it deals with only Linux Security questions). Else find an application that generates alerts on the non-GNU/Linux side, but that involves paying for it or a slightly more amateurish approach (not realtime, minor scripting). This particular vendor that was founded to develop and sell BASIC interpreters for the Altair 8800 has a freebie called "logparser" with which you can query event logs and select output destination and formats IIRC. Set up an at-compatible job to run it and send the results over. Also (formerly) Sysinternals has 'psloglist' with which you can achieve nearly the same. As far as I know there is only one GNU/Linux tool that can (pre)view the aforementioned vendor's proprietary logs and it ain't freeware so I don't feel compelled to promote it.

Maybe check out loganalysis.org for more.
 
Old 09-29-2007, 08:23 AM   #4
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Original Poster
Rep: Reputation: 19
unSpawn,

Thanks for your guidance and leads. I also stumbled across the aforementioned vendor's logparser late yesterday. Based on my understanding of its capabilities, I think I can create a query to export 1 week's worth (or since the last query) of event log records to an output format of choice, then use the Linux side to collect all the relevant events into some number of reports, and archive them. While this implementation is not ideal for a large enterprise, the system is an isolated stand-alone system that I am required to treat as if it were on a large LAN for various undisclosed reasons.

loganalysis.org seems to be a good resource as well.

Thanks again.

Elvis

UPDATE: psloglist seems to do the trick a little easier than logparser

Last edited by ElvisImprsntr; 09-30-2007 at 07:45 PM.