LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Taking a look at my log files. Any major problems? (https://www.linuxquestions.org/questions/linux-security-4/taking-a-look-at-my-log-files-any-major-problems-4175412080/)

Sgt.Bricks 06-18-2012 11:43 AM

Taking a look at my log files. Any major problems?
 
I'm pretty much a newb. Can you please take a look at the reports from rkhunter and tiger? Are there any programs that I can setup?

Tiger report:
http://paste.ubuntu.com/1047589/
Rkhunter report:
http://paste.ubuntu.com/1047592/

Thanks.

Noway2 06-19-2012 05:16 AM

Welcome to LQ Security. There is nothing wrong with being new and inexperienced. Everyone here was when they began. What is a problem is running a security tool, posting the output and asking strangers if there is anything wrong with it. If you are going to run these kinds of tools you need to learn how to use them properly or you will rapidly wind up in quicksand. The rkhunter program has excellent documentation and does explain very clearly how to tweak it for the specifics of your system to avoid false alarms. Be sure to read this documentation.

Now, to address your specific question(s): These tools will identify things that are potentially suspect. These tools are designed to be conservative and warn judiciously. Pretty much every system will have normal aspects to it that will cause warnings. What you need to do is examine the output of these files, look for warnings, and then research what they mean. For example:
Code:

[09:27:45] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text

Is this file legitimate on your system? If there is a question, verify the file date, time, md5sum and compare it against the one in the package repositories. The Ubuntu package page has excellent search features and you should be able to easily locate which package this file is located in, download it, and compare these items.

Code:

[09:32:24]  Checking for hidden files and directories      [ Warning ]
[09:32:24] Warning: Hidden directory found: /etc/.java
[09:32:24] Warning: Hidden directory found: /dev/.udev

Again, Google is your friend. Google these warnings, read the descriptions, and make your own determination.

A word of experience might also be warranted here. In order to properly secure your system, which I assume is your goal, you need to first identify what it is you are trying to secure against and develop a plan accordingly. While root kit detection is an important aspect of a solid security process, one should not rely on it as a sole measure of whether or not their system is clean. If you aren't already, one of the first things you should be doing is auditing your log files regularly as signs of intrusion and problems will almost always appear there first.
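One way to do the md5sum comparison described in the reply above, as an added example that is not from the original thread: a POSIX shell function that checks a file against a dpkg-style `.md5sums` list (one `<md5hex>  <path relative to />` line per file). The fake root, the file contents and the hash list below are constructed so the script runs offline; on a real Ubuntu system the list for an installed package is `/var/lib/dpkg/info/<package>.md5sums` and `dpkg -S /usr/bin/unhide.rb` tells you which package that is.

```shell
#!/bin/sh
# Added example (not from the thread): verify a file against a dpkg-style
# .md5sums list. Each list line is "<md5hex>  <path relative to />".
# The fixture below (a fake root, an "unhide.rb" and its hash) is constructed.

# md5_of FILE: print the hex MD5 of FILE (GNU coreutils md5sum, or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_against_md5sums FILE LIST [ROOT]
#   FILE  absolute path of the file to check
#   LIST  a .md5sums list in dpkg format
#   ROOT  prefix that LIST's relative paths are resolved under (default /)
# Exit status: 0 = hash matches, 1 = hash differs, 2 = FILE not in LIST.
verify_against_md5sums() {
    file=$1; list=$2; root=${3:-/}
    rel=${file#"$root"}; rel=${rel#/}          # path as it appears in LIST
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "NOT LISTED: $file (no entry in $list)"
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (recorded $expected, on disk $actual)"
    return 1
}

# --- constructed fixture: a fake filesystem root and its .md5sums list ---
ROOT=$(mktemp -d)
LIST=$ROOT/example.md5sums
mkdir -p "$ROOT/usr/bin"
printf 'hello\n' > "$ROOT/usr/bin/unhide.rb"        # MD5 of "hello\n"
printf 'hello\n# extra line\n' > "$ROOT/usr/bin/tampered"   # same hash recorded, content changed
printf 'x\n' > "$ROOT/usr/bin/unlisted"                     # not in the list at all
cat > "$LIST" <<'EOF'
b1946ac92492d2347c6235b4d2611184  usr/bin/unhide.rb
b1946ac92492d2347c6235b4d2611184  usr/bin/tampered
EOF

# Demo: one OK, one MISMATCH, one NOT LISTED.
for f in unhide.rb tampered unlisted; do
    verify_against_md5sums "$ROOT/usr/bin/$f" "$LIST" "$ROOT" || echo "  -> exit status $?"
done
```

On a real system you would run something like `pkg=$(dpkg -S /usr/bin/unhide.rb | cut -d: -f1)` and then `verify_against_md5sums /usr/bin/unhide.rb /var/lib/dpkg/info/$pkg.md5sums` (the `debsums` package automates the same check, and dpkg 1.17 and later has `dpkg --verify`). The caveat is the one the reply already hints at: an attacker with root can rewrite the stored `.md5sums` list as easily as the binary, so a clean comparison means downloading the package again (`apt-get download $pkg`, unpack with `dpkg-deb -x`) and hashing the file from the fresh copy, ideally on a machine you trust.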

Sgt.Bricks 06-19-2012 01:06 PM

Well, looks like the first entry was from tiger. The unhide file was a replaced dependency from rkhunter.

I installed ossec... I am having trouble interpreting all the log files I have been looking through. Not sure how to determine what logs are fishy... Trying to configure apparmor. Any other points?

https://wiki.ubuntu.com/BasicSecurity/DidIJustGetOwned

Noway2 06-19-2012 04:03 PM

The tools that you are mentioning all fall into the category of HIDS, Host Intrusion Detection Systems. These types of programs are designed to be installed on a known clean system and then used to generate alerts when something is amiss. While potentially beneficial for home desktop / laptop use, their primary function is in servers which expose services to the public-facing internet. Apparmor is a little bit different in that it is a MAC, mandatory access control program that is designed to limit which services or processes can have access to what areas. For example, it will do things like keep a web server from accessing the DNS configuration.

Here is an excellent introduction to Ubuntu Security for a new user, that discusses the Linux Security Mindset, compares it to Windows, and gives you a good overview of some of the common security aspects: http://ubuntuforums.org/showthread.php?t=510812/ While I wouldn't normally refer people to another forum, in your case I feel that this particular post could be of value and targeted towards your experience level.

Also, based upon your posts, I am getting the impression that you have had some sort of event that is leaving you concerned about being compromised. If this is the case, we here at LQ Security can most assuredly help you with this. However, we do use a unique approach by engaging in a fact finding, evidence gathering investigation. In such a situation, it is best to create as little disturbance to the system as possible. Installing and running security applications (after the fact) is very counter productive as it will likely destroy evidence of the intrusion. The log files are one key place that we look for such information.

If you would care to share what happened and your concerns, we would be in a much better position to help you evaluate the situation. Please be verbose in your explanation, giving us as much detail as possible: distribution, whether this is a server or desktop/laptop, what server applications you are running, what prompted you to become concerned, what have you done since, etc.
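The kind of log audit both replies point to (looking at the log files first, before installing anything), as an added example that is not from the original thread: a shell script that runs over sshd entries in `auth.log` format and reports source addresses with repeated failed logins, plus the higher-signal case of a successful login from an address that had just been failing. The log lines are constructed and the addresses come from the RFC 5737 documentation ranges; the functions read the log on standard input.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd entries from an
# auth.log-style file. The sample lines below are constructed; addresses are
# from the RFC 5737 documentation ranges. Both functions read the log on stdin.

# failed_logins_by_ip THRESHOLD
#   Print "ip count" for each source with >= THRESHOLD "Failed password"
#   events, highest count first.
failed_logins_by_ip() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort -k2,2nr -k1,1
}

# accepted_after_failures THRESHOLD
#   Print sources that reached >= THRESHOLD failures and then got an
#   "Accepted" login: a password guess that eventually worked is the line
#   to chase first. Failures are counted in file order, so the acceptance
#   must come after the failures.
accepted_after_failures() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && fails[$(i+1)] >= t) hit[$(i+1)] = 1
        }
        END { for (ip in hit) print ip }
    ' | sort
}

# Constructed sample in /var/log/auth.log format (not real data).
SAMPLE_AUTH_LOG='Jun 19 03:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 19 03:12:04 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jun 19 03:12:07 host sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun 19 03:12:10 host sshd[2107]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jun 19 03:12:13 host sshd[2109]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Jun 19 08:40:22 host sshd[2301]: Failed password for bob from 198.51.100.4 port 40100 ssh2
Jun 19 08:40:30 host sshd[2303]: Accepted publickey for bob from 198.51.100.4 port 40101 ssh2
Jun 19 09:01:00 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls'

echo "== sources with 3 or more failed logins"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip 3
echo "== accepted login after 3 or more failures from the same source"
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_after_failures 3
```

Against a real log the calls are `failed_logins_by_ip 10 < /var/log/auth.log` and `accepted_after_failures 10 < /var/log/auth.log` (older rotated logs sit beside it as `auth.log.1`, `auth.log.2.gz` and so on). In the sample, `198.51.100.4` has a single typo-style failure followed by a key-based login and is ignored at a threshold of 3, while `203.0.113.7` guessed four times and then got in as root, which is exactly the entry the reply is asking to be told about. Two caveats fit the evidence-gathering point made above: read the logs rather than installing new tools on the box, and remember that a successful intruder with root can edit these files, so a quiet log is not proof of a clean system.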
