# Lab 10 --- Logging and auditing
## Question 1
One possible solution is the Elastic Stack (Logstash, Elasticsearch, Kibana).
The usual architecture when using ELK is the following:

_Source: <https://habr.com/ru/company/tssolution/blog/480570/>_
For our case I would collect logs in Logstash over the syslog protocol. These logs are stored in Elasticsearch. If the severity of a log entry is high enough, an alert is fired (e.g. a notification is sent by email). After that the logs are available for analysis in the Kibana interface.
## Question 2
/etc/rsyslog.d/auth-errors.conf
```
# A bare priority in a selector matches that priority and every more severe one,
# so the ".alert" lines below already cover ".emerg"; the ".emerg" lines are kept
# only for explicitness. "security" is a deprecated rsyslog alias for the auth facility.
security.emerg /var/log/auth-errors
auth.emerg /var/log/auth-errors
authpriv.emerg /var/log/auth-errors
security.alert /var/log/auth-errors
auth.alert /var/log/auth-errors
authpriv.alert /var/log/auth-errors
```
Restart rsyslog so the new rule is loaded (`sudo systemctl restart rsyslog`), then send a test message manually:
```
logger -p security.alert TEST_MESSAGE_FOR_SNA_alert
```
The message should now be in `/var/log/auth-errors` and in the journal (facility 4 is `auth`, which is what `security` maps to):
```
journalctl SYSLOG_FACILITY=4 -p alert
```
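To see exactly which messages the rules above catch, here is a small evaluator for classic syslog.conf/rsyslog selectors, written as an added example for this report (it is not rsyslog code). It implements the documented selector semantics: a bare priority means "that priority and more severe", `=` means exactly that priority, `!` means less severe than it, `none` drops the facility, and a later selector for the same facility overrides an earlier one. The sample messages fed to it at the end are constructed.

```bash
#!/bin/bash
# Added example: evaluate syslog.conf/rsyslog-style selectors offline.

# prio_num NAME: numeric syslog priority, 0 = emerg ... 7 = debug.
prio_num() {
    case $1 in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug) echo 7 ;;
        *) echo "unknown priority: $1" >&2; return 1 ;;
    esac
}

# fac_name NAME: canonical facility; "security" is a deprecated alias of auth.
fac_name() {
    case $1 in security) echo auth ;; *) echo "$1" ;; esac
}

# fac_listed LIST FAC: 0 if the comma-separated facility LIST (or "*") names FAC.
fac_listed() {
    local list
    list=$(printf '%s' "$1" | sed 's/security/auth/g')
    case ",$list," in
        *",$2,"*|*",*,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# prio_ok PART HAVE: 0 if the priority part of a selector admits level HAVE.
prio_ok() {
    local part=$1 have=$2 want
    case $part in
        '*')   return 0 ;;
        none)  return 1 ;;
        '!='*) want=$(prio_num "${part#!=}") || return 1; [ "$have" -ne "$want" ] ;;
        '='*)  want=$(prio_num "${part#=}")  || return 1; [ "$have" -eq "$want" ] ;;
        '!'*)  want=$(prio_num "${part#!}")  || return 1; [ "$have" -gt "$want" ] ;;
        *)     want=$(prio_num "$part")      || return 1; [ "$have" -le "$want" ] ;;
    esac
}

# rule_matches RULE FACILITY PRIORITY: 0 if a message with that facility and
# priority is selected by RULE (one or more "facs.prio" selectors joined by ";").
# As in sysklogd/rsyslog, the last selector naming the facility decides.
rule_matches() {
    local rest=$1 fac have sel state=1
    fac=$(fac_name "$2")
    have=$(prio_num "$3") || return 1
    while [ -n "$rest" ]; do
        sel=${rest%%;*}
        if [ "$sel" = "$rest" ]; then rest=; else rest=${rest#*;}; fi
        fac_listed "${sel%%.*}" "$fac" || continue
        if prio_ok "${sel#*.}" "$have"; then state=0; else state=1; fi
    done
    return "$state"
}

# Stand-alone demo: the six lines of auth-errors.conf collapse to this one
# selector; the message types below are constructed.
for msg in auth.emerg auth.alert security.alert auth.err authpriv.crit cron.alert; do
    if rule_matches 'auth,authpriv.alert' "${msg%.*}" "${msg#*.}"; then
        echo "$msg -> /var/log/auth-errors"
    else
        echo "$msg -> not matched"
    fi
done
```

The demo shows the practical consequence for Question 2: `auth.err` (the level sudo and sshd use for most failures) does not reach `/var/log/auth-errors` under these rules, while `security.alert` does because it is the same facility as `auth`.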

## Question 3
### Install Apache
> It's not required to show that Apache is really installed. However, due to rAnDoMlY appearing requirements, which appear at the wish of the TA without any explicit written statement, I have to provide this totally useless piece of information and make this report longer than it should be.
```
sudo apt install apache2
```


```
hostname -I
```

Open the Apache2 default page in a browser at that address.

### Answer the question itself
/etc/logrotate.d/sna-apache
```
/var/log/apache2/access.log {
    compress
    # size without a unit is in bytes: rotate whenever the log is non-empty
    size 1
    # keep a single rotated archive
    rotate 1
    postrotate
        systemctl restart apache2
    endscript
}
```
Schedule it from the crontab (`crontab -e`).

Logfile before logrotate

Apache status before logrotate

Run logrotate manually (`-v` prints each step; `-d` would only do a dry run):
```
sudo logrotate -v /etc/logrotate.d/sna-apache
```
A gz archive of the old log appeared and access.log was rotated away.

Apache was restarted as well. A `systemctl reload apache2` (graceful restart) in `postrotate` would also make Apache reopen its log file, without dropping in-flight requests.

## Question 4
### Script
```bash
#!/bin/bash
# Poll the journal once a second and raise an alarm when sudo has logged three
# or more "3 incorrect password attempts" summaries within the last 30 seconds.
# Needs root (or membership in systemd-journal) to read authpriv entries.
touch /var/log/alarm.log
while :
do
    # SYSLOG_FACILITY=10 is authpriv, where sudo logs. -q suppresses the
    # "-- No entries --" line so it is not counted. Note that sudo writes this
    # summary only after a user has exhausted all three password tries.
    LINES=$(journalctl -q --no-pager SYSLOG_FACILITY=10 -p info --since="30sec ago" \
                --grep="3 incorrect password attempts" | wc -l)
    # Integer comparison: ">=" inside [ ] is parsed as a redirection, not a test.
    if [ "$LINES" -ge 3 ]; then
        echo "Three or more authentication failures in 30 seconds" >> /var/log/alarm.log
        echo "Alarm fired"
    else
        echo "Currently ${LINES} lines"
    fi
    sleep 1
done
```
### Test
Spam sudo with wrong passwords

Script behavior

/var/log/alarm.log
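The detection logic of the script, run offline over constructed journal lines, as an added example that is not part of the report. Unlike the script above it counts the per-attempt `authentication failure` line that pam_unix logs for sudo, so the threshold really is three failed attempts rather than three exhausted sudo sessions, and it evaluates a sliding window from explicit timestamps instead of relying on `--since`. The line format (UNIX timestamp as the first field, as `journalctl -o short-unix` prints) and the sample lines are assumptions of this example.

```bash
#!/bin/bash
# Added example: count authentication failures in a sliding time window.

# Constructed sample journal lines (not captured from a real system). Assumed
# format: "<epoch.usec> <host> <ident>: <message>", like journalctl -o short-unix.
sample_log() {
cat <<'EOF'
1700000000.100000 lab sudo: pam_unix(sudo:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/0 ruser=user rhost=  user=user
1700000005.200000 lab sudo: pam_unix(sudo:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/0 ruser=user rhost=  user=user
1700000009.300000 lab sudo:     user : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/id
1700000012.400000 lab sshd[4242]: Accepted publickey for user from 10.0.0.5 port 55555 ssh2
1700000020.500000 lab sudo: pam_unix(sudo:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/0 ruser=user rhost=  user=user
1700000028.600000 lab sudo: pam_unix(sudo:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/0 ruser=user rhost=  user=user
1700000100.700000 lab sudo: pam_unix(sudo:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/0 ruser=user rhost=  user=user
EOF
}

# count_failures NOW WINDOW: reads log lines on stdin and prints how many
# "authentication failure" lines have a timestamp in [NOW-WINDOW, NOW].
count_failures() {
    local now=$1 window=$2 count=0 line ts
    while IFS= read -r line; do
        case $line in
            *"authentication failure"*) ;;   # one line per failed attempt
            *) continue ;;
        esac
        ts=${line%% *}      # first field: epoch seconds with microseconds
        ts=${ts%%.*}        # drop the fractional part
        if [ "$ts" -ge $((now - window)) ] && [ "$ts" -le "$now" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# check_alarm NOW WINDOW THRESHOLD: 0 (alarm) if the count reaches THRESHOLD.
check_alarm() {
    local count
    count=$(count_failures "$1" "$2")
    [ "$count" -ge "$3" ]
}

# Stand-alone demo: the 30 s window ending at 1700000030 holds four failures.
NOW=1700000030
if sample_log | check_alarm "$NOW" 30 3; then
    echo "Alarm: $(sample_log | count_failures "$NOW" 30) authentication failures in the last 30 s"
fi
# On a live system the journal itself would be piped in instead, e.g.
#   journalctl -q --no-pager -o short-unix SYSLOG_IDENTIFIER=sudo --since='30sec ago' \
#       | check_alarm "$(date +%s)" 30 3
```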

## Question 5
I will use a tuned bashrc and the usual rsyslog functionality. Unfortunately, this can be bypassed by using a different shell or a tuned user bashrc. But if we assume that an ordinary user doesn't even understand what bash_profile is, it's OK.
1. Tune the global bash config file `/etc/bashrc` (on Debian/Ubuntu the file is `/etc/bash.bashrc`) and add the following
```
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local7.info "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )"'
```
2. Add rsyslog rule to `/etc/rsyslog.d/commands.conf`
```
local7.info /var/log/commands.log
```
3. Reboot the device so the setting is forcibly applied to all users (the file is read by every new interactive bash shell, so logging out and back in would also do)
That works
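The same hook, restructured as functions so that the record format can be checked offline and the hook can be marked readonly, as an added example that is not part of the report. It also neutralises `HISTTIMEFORMAT`, which would otherwise put a timestamp in front of the command and defeat the sed expression in step 1. The log tag `cmdlog` and the `LOGGER_CMD` override used for testing are assumptions of this example.

```bash
#!/bin/bash
# Added example: the PROMPT_COMMAND command logger from step 1 as functions.

# format_cmd_record USER PID HISTORY_LINE
# Turns a `history 1` line such as "  123  sudo cat /etc/shadow" into
# "USER [PID]: sudo cat /etc/shadow" (the same transformation as the sed in step 1).
format_cmd_record() {
    local cmd
    cmd=$(printf '%s' "$3" | sed 's/^[ ]*[0-9]\{1,\}[ ]*//')
    printf '%s [%s]: %s' "$1" "$2" "$cmd"
}

# log_last_command: run from PROMPT_COMMAND after every interactive command.
# Sends the record to syslog at local7.info, which commands.conf writes to
# /var/log/commands.log. LOGGER_CMD (assumed, for testing) defaults to logger(1).
# HISTTIMEFORMAT is cleared for this one call so no timestamp precedes the command.
log_last_command() {
    local record
    record=$(format_cmd_record "$(id -un)" "$$" "$(HISTTIMEFORMAT= history 1)")
    "${LOGGER_CMD:-logger}" -p local7.info -t cmdlog "$record"
}

# To deploy, append both functions and these two lines to the system-wide
# bashrc (/etc/bash.bashrc on Debian/Ubuntu, /etc/bashrc on RHEL-style systems):
#   readonly -f format_cmd_record log_last_command
#   readonly PROMPT_COMMAND=log_last_command
# readonly defeats `unset PROMPT_COMMAND` inside the session, but not
# `bash --norc`, another shell, or a user rcfile that runs first, as noted above.

# Stand-alone demo on a constructed history line.
format_cmd_record alice 4242 '  123  sudo cat /etc/shadow'
echo
```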
