Week 5 Homework Submission File: Archiving and Logging Data

Recommendations on Viewing this File

I would definitely recommend viewing this file in "HackMD". Here's the link to my submission there: https://hackmd.io/@BizTheDad/SJ53iPurY

Step 1: Create, Extract, Compress, and Manage tar Backup Archives

1. Command to extract the TarDocs.tar archive to the current directory:
   tar -xf TarDocs.tar

2. Command to create the Javaless_Doc.tar archive from the TarDocs/ directory, while excluding the TarDocs/Documents/Java directory:
   tar --exclude='TarDocs/Documents/Java' -cf Javaless_Doc.tar TarDocs/
   I was a bit surprised by this in my testing. I would have thought that I should have excluded the "TarDocs" from the pattern.

3. Command to ensure Java/ is not in the new Javaless_Docs.tar archive:
   tar -tf Javaless_Docs.tar 'TarDocs/Documents/Java/'
   or
   tar -tf Javaless_Docs.tar --wildcards '*/Java/'
   I did the following just to make sure
   tar -tf Javaless_Docs.tar 'TarDocs/Documents/'

Bonus

• Command to create an incremental archive called logs_backup_tar.gz with only changed files to snapshot.file for the /var/log directory:
  • sudo tar cvvg var_log.snar -f logs_backup-2.tar.gz -z /var/log
    • I spaced the options like I did because man, calling tar with options is finicky.

Critical Analysis Question

• Why wouldn't you use the options -x and -c at the same time with tar?
  • We use 'x' option to extract from a given archive and we use the '-c' option to create a given archive.

Step 2: Create, Manage, and Automate Cron Jobs

1. Cron job for backing up the /var/log/auth.log file:
   0 6 * * 3 tar czf /auth_backup.tgz /var/log/auth.log >> /dev/null 2>&1
   So, the above command specifies the "/" directory for the backup. I put that in the above command because that's what the README's instructions specified. I think that's wrong in this case as my user doesn't have access to write to "/". I think the following is a better solution given I'm writing to a directory I have write permissions on.
   0 6 * * 3 tar czf ~/backups/auth/auth_backup.tgz /var/log/auth.log >> /dev/null 2>&1
   Both commands will redirect standard out to "/dev/null" which discards the output. The "2>&1" essentially merges standard out and standard error. This effectively discards standard error as well.

Step 3: Write Basic Bash Scripts

1. Brace expansion command to create the four subdirectories:
   After creating the ~/backups directory, I ran the following command:
   mkdir backups/{freemem,diskuse,openlist,freedisk}

2. Paste your system.sh script edits below:

   ​​​​#!/usr/bin/env bash
   ​​​​#
   ​​​​# The following prints the free memory to the specified file.
   ​​​​#
   ​​​​free -m | grep Mem | awk -v timestamp="$(date)" '{print timestamp,"-->",$4,"MB"}' >> ~/backups/freemem/free_mem.txt
   ​​​​
   ​​​​#
   ​​​​# The following logs the average of five reports of the "mpstat" command
   ​​​​# with one second intervals between reports
   ​​​​#
   ​​​​mpstat 1 5 | awk -v timestamp="$(date)" 'END{print timestamp,"-->",100-$NF"%"}' >> ~/backups/diskuse/disk_usage.txt
   
   ​​​​#
   ​​​​# The following logs both the number of open files and the open files. I
   ​​​​# that was more interesting than simply all the open files.
   ​​​​#
   ​​​​echo "$(date) --> $(lsof | wc -l)" >> ~/backups/openlist/open_list_count.txt
   ​​​​echo "$(date) --> all open files:" >> ~/backups/openlist/open_list.txt
   ​​​​lsof >> ~/backups/openlist/open_list.txt
   ​​​​
   ​​​​#
   ​​​​# The following logs the disk statistics for the disk mounted on "/".
   ​​​​#
   ​​​​echo "$(date) --> disk stats for filesystem mounted on '/':" >> ~/backups/freedisk/free_disk.txt
   ​​​​df -h / >> ~/backups/freedisk/free_disk.txt
   

3. Command to make the system.sh script executable:
   chmod u+x system.sh

Optional

• Commands to test the script and confirm its execution:
  • I used ./system.sh to run the script.
  • I used find ~/backups -name *.txt -type f | xargs cat to check the output.

Bonus

• Command to copy system to system-wide weekly cron directory:
  • sudo cp ~/system.sh /etc/cron.weekly/

Step 4. Manage Log File Sizes

1. Run sudo nano /etc/logrotate.conf to edit the logrotate configuration file.

   Configure a log rotation scheme that backs up authentication messages to the /var/log/auth.log.

   • Add your config file edits below:
   ​​​​/var/log/auth.log {
   ​​​​    weekly
   ​​​​    rotate 7
   ​​​​    notifempty
   ​​​​    compress
   ​​​​    delaycompress
   ​​​​    missingok
   ​​​​}
   

Bonus: Check for Policy and File Violations

1. Command to verify auditd is active:
   systemctl status auditd

2. Command to set number of retained logs and maximum log file size:

   • Add the edits made to the configuration file below:
   ​​​​num_logs = 7
   ​​​​...
   ​​​​max_log_file = 35
   ​​​​
   

3. Command using auditd to set rules for /etc/shadow, /etc/passwd and /var/log/auth.log:

   • Add the edits made to the rules file below:
   ​​​​-w /etc/shadow -p wra -k hashpass_audit
   ​​​​-w /etc/passwd -p wra -k userpass_audit
   ​​​​-w /var/log/auth.log -p wra -k authlog_audit
   

4. Command to restart auditd:
   sudo systemctl restart auditd

5. Command to list all auditd rules:
   sudo auditctl -l

6. Command to produce an audit report:
   sudo aureport -au

7. Create a user with sudo useradd attacker and produce an audit report that lists account modifications:
   sudo aureport -m
   The above command produces the following output:

   ​​​​Account Modifications Report
   ​​​​=================================================
   ​​​​# date time auid addr term exe acct success event
   ​​​​=================================================
   ​​​​1. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 234
   ​​​​2. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 235
   ​​​​3. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 236
   ​​​​4. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 237
   ​​​​5. 10/18/2021 01:15:29 1000 UbuntuDesktop pts/0 /usr/sbin/useradd attacker yes 9286
   ​​​​6. 10/18/2021 01:15:29 1000 UbuntuDesktop pts/0 /usr/sbin/useradd ? yes 9290
   

8. Command to use auditd to watch /var/log/cron:
   sudo auditctl -w /var/log/cron -p wra -k cron_log

9. Command to verify auditd rules:
   sudo auditctl -l

Bonus (Research Activity): Perform Various Log Filtering Techniques

1. Command to return journalctl messages with priorities from emergency to error:
   sudo journalctl -b 0 -p 0..7

2. Command to check the disk usage of the system journal unit since the most recent boot:
   sudo journalctl -b 0 --unit=systemd-journald

3. Command to remove all archived journal files except the most recent two:
   sudo journalctl --vacuum-files=2

4. Command to filter all log messages with priority levels between zero and two, and save output to /home/sysadmin/Priority_High.txt:
   sudo bash -c 'journalctl -p 0..2 > /home/student/Priority_High.txt'
   In order to get the file to write I needed superuser permissions. I used "sudo bash -c" here because that will run all commands under the superuser umbrella. Without that the redirect fails due to a permissions error.

5. Command to automate the last command in a daily cronjob. Add the edits made to the crontab file below:
   The following edits are made to the root user's crontab using "sudo crontab -e". We have to run the crontab as root because the commands inside the crontab file require a superuser. Also, the instructions didn't say whether to write over the file or append. So, I simply appended.

   ​​​​@daily journalctl -p 0..2 >> /home/student/Priority_High.txt 2> /dev/null
   

© 2020 Trilogy Education Services, a 2U, Inc. brand. All Rights Reserved.