Lab 2.2 Syslog Organization on log01 - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki

Lab Goals & Overview

Going forward, the goal will be to implement security controls on the enterprise and set up the means to monitor those controls. This requires an understanding of the architecture and functioning of logging for continuous monitoring.

This lab will use the mgmt01-savannah machine for remote management. Additionally, log01 will be set up to better organize remote logs, and web01/fw01 will be modified so that authentication events are forwarded to the log server.

Set up mgmt01-savannah

mgmt01 is an Xubuntu system that will be used to simplify remote management, giving the ability to copy and paste to internal systems, including VyOS.

  • Ensure Network Adapter is on the LAN
  • Change Default password
  • Add a new sudo user savannah
  • Set your hostname
passwd 
sudo adduser savannah
sudo usermod -aG sudo savannah
sudo hostnamectl set-hostname mgmt01-savannah

Configure the IP addresses with the nmtui interface or with commands

  • Edit a Connection > Wired Connection > Manual IPv4 Configuration
  • Default Gateway and DNS: 172.16.150.2 (Firewall LAN)
  • Address 172.16.150.10/24
  • Restart the box: reboot

fw01-savannah LAN NAT rule

Set the NAT source rule for the LAN network (172.16.150.0/24) so that LAN hosts can reach out through fw01. Also add DNS forwarding entries so the forwarder listens on the new LAN address and accepts queries from the LAN.

configure
set nat source rule 20 description "NAT FROM DMZ to LAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24 [note: ip address of LAN network]
set nat source rule 20 translation address masquerade
set service dns forwarding listen-address 172.16.150.2 [note: sets DNS to listen on the LAN's default gateway address]
set service dns forwarding allow-from 172.16.150.0/24
set service dns forwarding system
commit 
save 

Here are the screenshots of the previous and new NAT source rules for comparison:

image

Note: this was changed to DMZ TO LAN later

Install Chrome Remote Desktop on mgmt01-savannah

Following this private Google Drive tutorial

Once configured, from my own browser logged into my school email I should be able to access mgmt01-savannah and bypass vcenter:

  • Go to Chrome remote desktop on my computer's browser
  • Select mgmt01-savannah and the default session

image

Configure SSH Key Authentication on mgmt01-savannah to log01-savannah

Generate a key pair on mgmt01 and copy the public key to log01:

ssh-keygen 
ssh-copy-id [email protected] [note: the ip address of log01-savannah]

Deliverable 1

Using a chrome remote desktop session on mgmt01, ssh into your log01's named user account:

image

Log Organization

[!NOTE] Having all of our remote logs stuffed into log01's /var/log/messages or /var/log/secure is not helpful. Remote logs should be segregated and ideally stored on reliable and redundant storage in a manner that supports dealing with discrete event types. We are going to store logs in a directory hierarchy in order to provide this organization.

On log01-savannah

  • sudo nano /etc/rsyslog.conf

Comment out the below lines:

image

Custom rsyslog drop in file

cd /etc/rsyslog.d/
sudo wget https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf
sudo systemctl restart rsyslog

image

[!WARNING] The config file should be saved to /etc/rsyslog.d

This configuration file (03-sec350.conf) will dynamically create and name files based upon hostname, date and process name. Input over udp 514 is associated with the RemoteDevice ruleset which in turn uses the dynamic template configuration called “DynFile”.

Deliverable 2: Testing the Configuration

On web01-savannah:

logger -t SEC350 "Testing web01->log01 custom rsyslog config ciak"

(The message is quoted: unquoted, the shell would treat the > in web01->log01 as an output redirection and the test message would arrive truncated.)

On log01-savannah:

ls -lR --color /var/log/remote-syslog/
cat /var/log/remote-syslog/web01-savannah/[log file name]
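As an added example (not code from the lab and not the course's 03-sec350.conf), here is a small shell/awk stand-in for the organization the DynFile template produces: it reads constructed syslog lines on stdin and writes each one into a per-host directory and a per-day, per-program file, which is the same shape as the tree Deliverable 2 lists. The file-name pattern and the RainerScript fragment in the comments are assumptions; the hostname/date/program split is what the page describes. One point the page leaves implicit: UDP syslog is unauthenticated, so a sender can put anything in the hostname field, and the example sanitises that field before using it as a path component.

```shell
#!/bin/sh
# Added example (not the course's 03-sec350.conf): a stand-in for what the
# DynFile dynamic template does on log01.  Each syslog line is written to
# <base>/<hostname>/<YYYY-MM-DD>-<program>.log.  The exact file-name pattern
# is an assumption; the hostname/date/program split is what the lab describes.
#
# The rsyslog equivalent, as an illustrative RainerScript fragment (assumed,
# not copied from the course file):
#   template(name="DynFile" type="string"
#     string="/var/log/remote-syslog/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%-%programname%.log")
#   ruleset(name="RemoteDevice") { action(type="omfile" dynaFile="DynFile") }
#   input(type="imudp" port="514" ruleset="RemoteDevice")

# Constructed sample of RFC 3164 lines as web01 and fw01 would send them over
# UDP 514.  The last line has a spoofed hostname: UDP syslog is unauthenticated,
# so anything used as a path component must be sanitised.
SAMPLE_LOGS='<86>Mar  4 10:15:02 web01-savannah sshd[1201]: Failed password for invalid user admin from 172.16.200.10 port 51022 ssh2
<86>Mar  4 10:15:09 web01-savannah sshd[1201]: Accepted publickey for savannah from 172.16.150.10 port 51030 ssh2
<13>Mar  4 10:16:00 web01-savannah SEC350: Testing web01->log01 custom rsyslog config ciak
<86>Mar  4 10:17:41 fw01-savannah sshd[933]: Failed password for vyos from 172.16.150.10 port 40112 ssh2
<13>Mar  4 10:18:00 ../../etc cron: spoofed hostname'

# route_logs BASEDIR YEAR: read syslog lines on stdin and append each one to
# BASEDIR/<host>/<YYYY-MM-DD>-<program>.log.  RFC 3164 timestamps carry no
# year, so the caller supplies it (rsyslog uses the receive time).
route_logs() {
    base=$1
    year=$2
    awk -v base="$base" -v year="$year" '
    {
        line = $0
        sub(/^<[0-9]+>/, "", line)                 # drop the PRI field
        split(line, f, " ")                        # default whitespace split
        mon = f[1]; day = f[2]; host = f[4]
        prog = f[5]; sub(/\[.*$/, "", prog); sub(/:.*$/, "", prog)
        # sanitise attacker-controlled path components (no "/" and no "..")
        gsub(/[^A-Za-z0-9._-]/, "_", host); gsub(/\.\.+/, "_", host)
        gsub(/[^A-Za-z0-9._-]/, "_", prog); gsub(/\.\.+/, "_", prog)
        if (host == "") host = "unknown"
        if (prog == "") prog = "unknown"
        monnum = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        dir = base "/" host
        path = sprintf("%s/%s-%02d-%02d-%s.log", dir, year, monnum, day, prog)
        system("mkdir -p \"" dir "\"")
        print $0 >> path
        close(path)
    }'
}

# count_files BASEDIR: number of per-host/per-program files written
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# demo: route the sample and show the resulting hierarchy (like ls -lR on log01)
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOGS" | route_logs "$dir" 2024
    find "$dir" -type f | sort
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh route.sh demo` to see the hierarchy. Note where the spoofed line ends up: inside the base directory under a mangled name rather than in /etc, which is the behaviour you want from any template that builds paths out of untrusted fields.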

image

Web01: Logging Authorization Events

On web01-savannah

cd /etc/rsyslog.d
ls

Note which client configuration file you have. Open it in nano and add the authpriv line, which forwards the authpriv facility (the sshd and sudo authentication messages) to log01:

sudo nano sec350.client

image

  • Restart the rsyslog service on web01

rw01->ssh->web01

SSH into web01 (172.16.50.3) from rw01 and make sure you type the wrong password at least once. If you have enabled key-based authentication, a wrong password never comes into play, so use an invalid user instead.

image

Deliverable 3

Log in to log01 via mgmt01 and take a screenshot, from your mgmt01 Linux system, showing the failed login.

image

fw01: Logging Authorization Events

Adjust the vyos configuration to send authentication messages from fw01 to log01

[!NOTE] VyOS does produce a ton of useless authentication messages, which we are going to have to deal with at some point.

configure
set system syslog host 172.16.50.5 facility authpriv level info
commit
save

Create failed login attempts:

  • Exit out of VyOS
  • Log in again
  • Make a mistake on one of the logins

Install Tree on log01-savannah (Fixing Error)

I want to show an organized file structure with the tree system. This has to be installed on log01-savannah.

[!CAUTION] On my machine I got an error when attempting to download tree using yum install tree. The error reads "Cannot find a valid baseurl for repo." There are a few ways to fix this; this is how I did it:

repo_file=/etc/yum.repos.d/CentOS-Base.repo
cp ${repo_file} ~/CentOS-Base.repo.backup
sudo sed -i 's/#baseurl/baseurl/' ${repo_file}
sudo sed -i 's/mirrorlist.centos.org/vault.centos.org/' ${repo_file}
sudo sed -i 's/mirror.centos.org/vault.centos.org/' ${repo_file}
sudo yum clean all

Now I can install tree using sudo yum install tree

Deliverable 4

image