php-syslog-ng/Logzilla on CentOS 5.3

Download the latest version of Logzilla to /var/www folder

1. cd /var/www/

2. tar xzvf logzilla_v2.9.9g.tgz

3. mv php-syslog-ng logzilla

4. mkdir -p /var/log/logzilla

5. Edit /opt/syslog-ng/etc/syslog-ng.conf

That is my config. You just have to look for destination d_logzilla in the end according to your settings.

options {

# Number of syslog lines stored in memory before being written to files

flush_lines (0);

log_fifo_size (2048);

create_dirs (yes);

perm (0640);

dir_perm (0750);

};

source s_network_2 {udp(ip(Ip address) port(514));};

destination d_network_2 {

file("/var/log/syslog-ng/network/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");

};

# Define the destination "d_network_2B" log directory

destination d_network_2B {

file ("/var/log/syslog-ng/network/all/network.log");

};

log { source(s_network_2);

destination(d_network_2);

};

log { source(s_network_2);

destination(d_network_2B);

};

destination d_logzilla {

program("/var/www/logzilla/scripts/db_insert.pl"

template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")

);

};

log {

source(s_network_2);

destination(d_logzilla);

};

6. gedit /etc/httpd/conf/httpd.conf

alias /loge "/var/www/logzilla/html"

You can choose any alias you want.

7. gedit /etc/php.ini

I changes value to

memory_limit = 128M

max_execution_time = 300

8. /etc/init.d/httpd restart

9. chown -R apache:apache /var/www/logzilla/html

10. http://localhost/loge

Everything should be green on web install page.

Please visit

http://nms.gdd.net/index.php/LogZilla_Installation_Guide#Web-based_Install

for webinstall guide

After finishing with the webinstall

cd /var/www/logzilla/scripts

./fixpaths.sh

This will automatically fix the path.

11.cp /var/www/logzilla/scripts/contrib/system_configs/logrotate.d /etc/logrotate.d/logzilla

12. Crontab -e

# http://nms.gdd.net/index.php/LogZilla_Installation_Guide#Cron

# LogZilla

@daily php /var/www/logzilla/scripts/logrotate.php >> /var/log/logzilla/logrotate.log

@daily find /var/www/logzilla/html/jpcache/ -atime 1 -exec rm -f '{}' ';'

0,5,10,15,20,25,30,35,40,45,50,55 * * * * php /var/www/logzilla/scripts/reloadcache.php >> /var/log/logzilla/reloadcache.log

13. /etc/init.d/syslog-ng restart

http://localhost/loge

You will see the login page.

If you get error "The requested URL /login.php was not found on this server

Apache/2.2.3 (Red Hat) Server at localhost Port 80 "

14. Modify config.php and set:

define('SITEURL', '/loge/');

Browse again and you will see the login/password page.

Main Source:

http://code.google.com/p/php-syslog-ng/

Reference monitor with AppArmor

AppArmor ("Application Armor") is security software for Linux, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile which restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program's typical behavior.

We created a AppArmor profile for thttpd (tinylittlewebserver :http://www.acme.com/software/thttpd/). By using this profile the thttpd only allow to websites containing extension .html.

Following are the steps we performed to create of AppArmor Profile.

1. We use Ubuntu 7.10 platform for our AppArmor Profile creation.

2. First we installed thttpd webserver on it. Then we create different html files like index.html,first.html, and place these files in /var/www which is the default folder for serving the webpages with default port which is port 80.

3. As we are using thttpd webserver and its purpose is to only allow *.html files and no other files so for this purpose we create a AppArmor Profile for thttpd server using the command aa-genprof on the terminal. Before creating AppArmor profile for any application that application must be stopso we first stop the thttpd server with command

~:# /etc/init.d/thttpd stop and also for double check we use the command ~:# killall thttpd to make sure that all processes of thttpd has been killed.

4. Now we run the command on terminal ~:# aa-genprof thttpd

The above command will put the profile for thttpd into learning or complain mode so that profile violations can be logged.

5. When prompted by the tool, we started the application i.e /etc/init.d/thttpd start in another terminal window and then we performed as many of this application functions so that learning mode can log the files and directories to which the program requires access in order to function properly.

6. After that we proceed to previous terminal window where we ran the command aa-genprof and we started scanning our log files with (S) option.

7. As our assignment is that only .html files are allowed so we allow only *.html files using the option (E)xt. By this option all files containing

extension .html will be allowed.

8. This profile is in complain mode which means that it will only log the violation. Now to restrict this profile not to run any file other then extension

.html we change this profile mode to enforce mode with command

~:# aa-enforce thttpd

9. Now we create a file test.txt and place it in /var/www and try to run from the browser but it will not execute this file and give us server error 500.

10.So we have restrict our application through AppArmor that only static pages with extension with .html will be serve from our webserver.

Intrusion Detection - Web Server

An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.

We have scan a apache log for different kinds of attack on web applications. We have created our programme in java that uses the regular expression matching technique. We have created regular expressions for different types of attacks like XSS , Injection Flaws , Malicious File Execution etc.