
Monitor your system for threats with rsec alerts

Vincent Danen gives an overview of the monitoring and reporting tool rsec, which can help you keep a close eye on your system's security without having to pore over log files.

Mandriva has long had its own security tool, msec. Love it or hate it, it has been an integral part of every Mandriva Linux release for years. Many people liked using it, and an equal number hated it because it was difficult to configure and did things behind your back. For instance, if you tightened the permissions on a file by hand but did not update the msec security level to match, msec would relax those permissions again on its next run, without any indication that it had done so.

Granted, it has improved in the last few months, but what is most interesting about msec, in my opinion, is the reports. Msec generates a daily report on what is happening on the system: which ports are open, which ports changed state (opened or closed) since the previous run, unowned files, world-writable files, files owned by users who shouldn't own them, changes to the set of suid files, and more. These reports are small and run daily, so it is a simple thing to skim them in the morning to see whether anything has changed.

With that in mind, rsec was forked from msec with everything except the reporting stripped out. Rsec was first introduced in the Annvix distribution, but it is usable on any Linux system; packages for CentOS and Red Hat Enterprise Linux are available from the Annvix RHEL YUM repository.

When you install the rsec package, it creates the /etc/security/rsec.conf configuration file, where you enable and disable the checks you want. The file is heavily commented, so configuration is simple. Rsec can also fold rkhunter (a rootkit scanner) into its reporting: enable the CHECK_RKHUNTER test and it runs rkhunter and includes the output in the report.

Rsec logs its activity to /var/log/security.log, so you can opt not to receive the reports by email; it can also print warnings to any tty that root is logged into.

Using a combination of AIDE (file integrity checking), rsec, and rkhunter, you get a good heads-up whenever something changes on your system without having to scrutinize log files by hand. There is also a configuration option to exclude files from the various reports, so you can ensure you only see the things that matter.

For instance, because rsec reports on world-writable files, you may have files in your Web directories that need to be world-writable (e.g., files owned by a regular user where Apache needs to write to certain directories for a Web application). You can exclude those known world-writable files and directories with the EXCLUDE_REGEXP option in rsec.conf, which is an escaped regular expression. Keep it as narrow as you can: anything it matches will never be reported again, and where the real fix is to give the directory to a group the Apache user belongs to rather than leave it world-writable, make that fix instead of adding an exclusion. An example:

EXCLUDE_REGEXP="^/srv/www/\(myblog\|otherblog\)/html/wp-content/\(f\)\?uploads\|^/srv/www/wiki/html/mediawiki_cache"

Rsec is nothing more than a collection of shell scripts executed daily by cron. Beyond general reporting, it can also refresh the yum cache or the urpmi/apt metadata, so the daily report also tells you when new packages need installing.
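Here is an added example, written for this article and not part of rsec itself, of what one of those cron-driven checks looks like when reduced to its essentials: a world-writable-file scan that honours an EXCLUDE_REGEXP in the same escaped form as the rsec.conf option, keeps today's and yesterday's findings, and reports only the difference between them. The EXCLUDE_REGEXP value, the report file layout, and the directory tree the demo builds under mktemp are all assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not rsec's own code: one rsec-style check reduced to its essentials.
# It lists world-writable files and directories, drops anything matching an
# EXCLUDE_REGEXP written in the same escaped form as the rsec.conf option, stores
# the result as <check>.today, rotates the previous result to <check>.yesterday
# and writes the difference to <check>.diff, which is all a daily cron job needs
# to mail you. The tree the demo scans is constructed below; it is not real data.

umask 022   # predictable modes for the constructed tree

# Assumed value, in the same escaped-BRE form as EXCLUDE_REGEXP in rsec.conf.
EXCLUDE_REGEXP='^/srv/www/\(myblog\|otherblog\)/html/wp-content/\(f\)\?uploads'

# Print world-writable files and directories below $1, with the $1 prefix removed
# so entries look like real paths (/srv/www/...) and the regexp applies unchanged.
# Sticky directories such as /tmp are expected to be world-writable and are skipped.
scan_world_writable() {
    ( cd "$1" && find . \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) ) 2>/dev/null \
        | sed -n 's|^\./|/|p' | sort
}

# run_check <name> <root> <reportdir>: rotate, scan, filter, diff. Always returns 0;
# use added_entries/removed_entries to read the outcome.
run_check() {
    name=$1; root=$2; rep=$3
    mkdir -p "$rep"
    [ -f "$rep/$name.today" ] && mv "$rep/$name.today" "$rep/$name.yesterday"
    if [ -n "$EXCLUDE_REGEXP" ]; then
        # grep -v exits 1 when it excludes every line; an empty report is still valid
        scan_world_writable "$root" | grep -v -e "$EXCLUDE_REGEXP" > "$rep/$name.today" || :
    else
        scan_world_writable "$root" > "$rep/$name.today"
    fi
    if [ -f "$rep/$name.yesterday" ]; then
        diff "$rep/$name.yesterday" "$rep/$name.today" > "$rep/$name.diff" || :
    else
        sed 's|^|> |' "$rep/$name.today" > "$rep/$name.diff"   # first run: no baseline, all new
    fi
    return 0
}

# Entries that appeared ("> " lines) or vanished ("< " lines) since the previous run.
added_entries()   { sed -n 's|^> ||p' "$2/$1.diff"; }
removed_entries() { sed -n 's|^< ||p' "$2/$1.diff"; }

# Demo: two excluded upload directories, one unexpected world-writable cache
# directory, one world-writable script, and a sticky /tmp that must not be reported.
demo() {
    root=$(mktemp -d); rep="$root.reports"
    mkdir -p "$root/srv/www/myblog/html/wp-content/uploads" \
             "$root/srv/www/otherblog/html/wp-content/fuploads" \
             "$root/srv/www/wiki/html/mediawiki_cache" "$root/usr/local/bin" "$root/tmp"
    chmod 0777 "$root/srv/www/myblog/html/wp-content/uploads" \
               "$root/srv/www/otherblog/html/wp-content/fuploads" \
               "$root/srv/www/wiki/html/mediawiki_cache"
    chmod 1777 "$root/tmp"
    : > "$root/usr/local/bin/backup.sh"; chmod 0666 "$root/usr/local/bin/backup.sh"

    run_check writable "$root" "$rep"                     # day 1: baseline
    echo "day 1 report:"; cat "$rep/writable.today"
    chmod 0755 "$root/usr/local/bin/backup.sh"            # admin fixes the script...
    : > "$root/usr/local/bin/deploy.sh"
    chmod 0666 "$root/usr/local/bin/deploy.sh"            # ...and someone adds a new one
    run_check writable "$root" "$rep"                     # day 2: only the change is reported
    echo "day 2 added:";   added_entries writable "$rep"
    echo "day 2 removed:"; removed_entries writable "$rep"
    rm -rf "$root" "$rep"
}

demo
```

Run it with sh: the demo builds the tree, runs the check twice with a change in between, and prints the day-one baseline followed by what appeared and disappeared on day two. Note that the two upload directories never reach the report at all, which is exactly why the regexp should match as little as possible.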



About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

8 comments
Photogenic Memory

Got the program installed finally. This is my system:

# cat /etc/redhat-release
CentOS release 5.3 (Final)

Running this kernel:

# uname -a
Linux Spookers 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:20:55 EDT 2009 i686 athlon i386 GNU/Linux

Here's how I did it, since it failed its initial installation because it asked for Rkhunter as a dependency:

# rpm -ivh --nodeps rsec-0.72.1-1.el5.avx.i386.rpm
warning: rsec-0.72.1-1.el5.avx.i386.rpm: Header V3 DSA signature: NOKEY, key ID 65d5605c
Preparing...                ########################################### [100%]
   1:rsec                   ########################################### [100%]

I wanted to verify it was installed in the system:

# rpm -q rsec
rsec-0.72.1-1.el5.avx

and it is. Yippee!

Since the article is lame on details (and so are the program's manpages), I had to consult an online resource for msec on how to make a call to the program. Just doing "rsec" or "rsec --help" on the command line wouldn't invoke the program? I think it's kind of unfinished or broken. So I searched for where it can be run from the absolute path (see where the Linux headache comes into play here, hmmm?). I found it here in:

# cd /usr/share/rsec

Still no execution. Yep. It's broke. In this directory I found these shell scripts associated with the program:

# ls
apt_cleancache.sh  pkgcheck.sh       security_check.sh
diff_check.sh      promisc_check.sh  security.sh

Perhaps running them directly here would produce a sample report? I ran this first out of curiosity:

./security_check.sh

It continued to run without any readable output, even when I attempted to use the "watch" command. However, I spawned another shell with screen and ran "top" to see how much load it was pulling on my box. It was meager, as seen here:

load average: 1.62

I have 1.5 gigs of RAM on an AMD Sempron(tm) Processor 3400+ clocking at 1.8 GHz. Anyways, the program kept going and going and going and going. CTRL+C put an end to that.

Since I had no idea where the logging might be, I re-consulted the MSEC documentation (here: http://wiki.mandriva.com/en/MSEC) and saw it files its reports under here: /var/log/security. If you go into the directory, you'll find this:

# ls
firewall.diff        sgid.diff            unowned_group.diff
firewall.today       sgid.today           unowned_group.today
firewall.yesterday   sgid.yesterday       unowned_group.yesterday
open_port.diff       suid_root.diff       unowned_user.diff
open_port.today      suid_root.today      unowned_user.today
open_port.yesterday  suid_root.yesterday  unowned_user.yesterday
rpm-qa.diff          suid_sha1.diff       writable.diff
rpm-qa.today         suid_sha1.today      writable.today
rpm-qa.yesterday     suid_sha1.yesterday  writable.yesterday

These are all the different logs it was writing to. Cool, but annoying to sift through. Here's a sample report. It's pretty extensive but hard to read at first:

# cat suid_root.yesterday
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/lib/dbus-1/dbus-daemon-launch-helper
/opt/grisoft/avggui/bin/pamwrap
/sbin/mount.nfs
/sbin/mount.nfs4
/sbin/pam_timestamp_check
/sbin/umount.nfs
/sbin/umount.nfs4
/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/sudo
/usr/bin/sudoedit
/usr/bin/Xorg
/usr/kerberos/bin/ksu
/usr/libexec/openssh/ssh-keysign
/usr/lib/news/bin/inndstart
/usr/lib/news/bin/startinnfeed
/usr/lib/squid/ncsa_auth
/usr/lib/squid/pam_auth
/usr/sbin/ccreds_validate
/usr/sbin/suexec
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/usernetctl

Apparently this is what root/other users were talking to yesterday. Looks normal to me so far?

Here's a small sample of the ports I have:

# cat open_port.yesterday
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address   State    PID/Program name
tcp        0      0 *:irdmi                     *:*               LISTEN   16785/nxagent
tcp        0      0 *:terabase                  *:*               LISTEN   16785/nxagent
tcp        0      0 localhost:2208              *:*               LISTEN   2352/hpiod
tcp        0      0 localhost:55555             *:*               LISTEN   2449/avgscan
tcp        0      0 *:swat                      *:*               LISTEN   2395/xinetd
tcp        0      0 *:busboy                    *:*               LISTEN   2088/rpc.statd
tcp        0      0 *:netbios-ssn               *:*               LISTEN   2648/smbd
tcp        0      0 *:sunrpc                    *:*               LISTEN   2055/portmap
tcp        0      0 localhost:smtp              *:*               LISTEN   2470/sendmail: acce
tcp        0      0 *:microsoft-ds              *:*               LISTEN   2648/smbd
tcp        0      0 localhost:2207              *:*               LISTEN   2357/python
tcp        0      0 *:ssh                       *:*               LISTEN   2372/sshd
tcp        0      0 localhost.localdomain:ipp   *:*               LISTEN   2383/cupsd
udp        0      0 dllsdsst01.r:netbios-ns     *:*                        2652/nmbd
udp        0      0 *:netbios-ns                *:*                        2652/nmbd
udp        0      0 dllsdsst01.:netbios-dgm     *:*                        2652/nmbd
udp        0      0 *:netbios-dgm               *:*                        2652/nmbd
udp        0      0 *:54060                     *:*                        2706/avahi-daemon:
udp        0      0 *:bootpc                    *:*                        1952/dhclient
udp        0      0 *:telnets                   *:*                        2088/rpc.statd
udp        0      0 *:pop3s                     *:*                        2088/rpc.statd
udp        0      0 *:mdns                      *:*                        2706/avahi-daemon:
udp        0      0 *:sunrpc                    *:*                        2055/portmap
udp        0      0 *:ipp                       *:*                        2383/cupsd
udp        0      0 *:47663                     *:*                        2706/avahi-daemon:
udp        0      0 *:mdns                      *:*                        2706/avahi-daemon:

I can see why people wouldn't want to publish reports like this on the net. Too much info. But my box isn't a production system (thank god!) and just a home PC experimental whatever. Good stuff. I'm sure there's more I might be able to get rsec's scripts to report. I still haven't experimented with getting Rkhunter to work with it since I bypassed it as a dependency. And the version I have is the latest version, 1.3.4, instead of the required 1.3.0. I hope this info helps someone, because the article was way too skimpy. Perhaps the best value can come out of running the scripts individually. Oh well, thanks for submitting the rehashed article. Next time, please give interested people more info or throw someone a bone, Vincent?

Security is a real interest for IT professionals these days. The more people collaborating, the better.

Photogenic Memory

I downloaded rsec from this site: http://repo.annvix.org/media/EL5/i386/

I retrieved the file like so:

wget http://repo.annvix.org/media/EL5/i386/rsec-0.72.1-1.el5.avx.i386.rpm

When I attempt to install the file with rpm, I get this error:

rpm -ivh rsec-0.72.1-1.el5.avx.i386.rpm
warning: rsec-0.72.1-1.el5.avx.i386.rpm: Header V3 DSA signature: NOKEY, key ID
error: Failed dependencies:
        rkhunter >= 1.3.0 is needed by rsec-0.72.1-1.el5.avx.i386

The current version of Rkhunter I use is:

rkhunter --version
Rootkit Hunter 1.3.2

If rsec is asking for an older version of Rkhunter, then it can't be too reliable in detecting the latest rootkits, trojans, worms, etc. Can anyone please point me to an alternative? Thank you.

eclypse

This sounds pretty cool - I would like to have seen a sample report and a link to the project's home page included. That usually gives me a really good idea if it's what I'm looking for and worth following up on. I would also think from this blurb I found on distrorankings.com "Annvix is a free secure Linux-based operating system produced by the Annvix development team and Danen Consulting Services," that would have been easy to do. =)

rpislacker

Hi all, I'm having trouble finding rsec! I've checked the ubuntu package repository search, sourceforge, and google, and can't find rsec! Can somebody please post a link?

Photogenic Memory

Must be from all the twinkies while I sit and type, LOL! I'm just jumping on the bad spelling band wagon here. This application sounds really fun to use. I wonder if it's easier to deal with than tripwire? Anyways I better head to the head and deflecate some waist.

vacuole

...without having to pore over what? It's 'pour'. I'm surprised your MS dumbed-down document writing software didn't flag that for you.

bialocur

"pore over": to read or look at something very carefully for a long time
"pour": to make a liquid flow out of or into a container

Stick to the whiskey for pouring...