Linux Basics for Hackers: Getting Started with




    Page 121/125
    Date: 14.05.2024
    The Logging System    117

    ls /var/log/auth.log*
    /var/log/auth.log.1
    /var/log/auth.log.2
    /var/log/auth.log.3
    /var/log/auth.log.4
    For more details on the many ways to customize and use the logrotate utility, see the man logrotate page. This is an excellent resource to learn about the functions you can use and the variables you can change to customize how your logs are handled. Once you become more familiar with Linux, you'll get a better sense of how often you need to log and what options you prefer, so it's worth revisiting the logrotate.conf file.
    Remaining Stealthy
    Once you've compromised a Linux system, it's useful to disable logging and remove any evidence of your intrusion in the log files to reduce the chances of detection. There are many ways to do this, and each carries its own risks and level of reliability.
    Removing Evidence
    First, you'll want to remove any logs of your activity. You could simply open the log files and precisely remove any logs detailing your activity, line by line, using the file deletion techniques you learned in Chapter 2. However, this could be time-consuming and leave time gaps in the log files, which would look suspicious. Also, deleted files can generally be recovered by a skilled forensic investigator.
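    The paragraph above notes two things a defender can look for: gaps in the log timeline and log files that have been truncated or removed from the rotation chain shown earlier (auth.log, auth.log.1, auth.log.2, ...). The script below is an added example, not code from the book or from the Linux coreutils; it checks a directory for missing or empty members of a rotated chain and scans a log for pauses longer than a threshold. The auth.log lines and the file layout in demo() are constructed, and the year for the syslog timestamps (which carry none) is an assumption set in ASSUMED_YEAR.

```python
"""Spot crude log tampering: missing/empty rotated files and time gaps.

Added example; the sample log lines and file layout are constructed."""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Traditional syslog prefix, e.g. "May 14 08:00:01". The year is not in the
# line, so ASSUMED_YEAR is an assumption used only for the date arithmetic.
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
ASSUMED_YEAR = 2024

# Constructed sample: two cron entries, then nothing for over five hours.
SAMPLE_AUTH_LOG = """\
May 14 08:00:01 kali CRON[1201]: pam_unix(cron:session): session opened for user root by (uid=0)
May 14 08:05:01 kali CRON[1210]: pam_unix(cron:session): session opened for user root by (uid=0)
May 14 13:40:17 kali sshd[2231]: Accepted password for user from 10.0.0.5 port 51234 ssh2
May 14 13:41:02 kali sudo:     user : TTY=pts/0 ; PWD=/home/user ; COMMAND=/bin/ls
"""


def parse_ts(line):
    """Return the timestamp of a syslog-style line, or None if it has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = f"{m.group(1)} {m.group(2)} {ASSUMED_YEAR} {m.group(3)}:{m.group(4)}:{m.group(5)}"
    return datetime.strptime(stamp, "%b %d %Y %H:%M:%S")


def find_gaps(lines, max_gap=timedelta(hours=2)):
    """Return (prev, next, gap) for consecutive entries more than max_gap apart.

    A host that normally logs every few minutes and then goes silent for
    hours deserves a look; tune max_gap to the host's normal cadence."""
    stamps = [t for t in (parse_ts(l) for l in lines) if t is not None]
    return [(a, b, b - a) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def check_chain(log_dir, base="auth.log"):
    """Inspect the rotated chain base, base.1, base.2, ... (optionally .gz).

    Returns {'missing': names expected but absent, 'empty': zero-length
    files}. A hole in the sequence or an emptied file is what truncation
    or an overwrite-in-place leaves behind."""
    pattern = re.compile(re.escape(base) + r"(?:\.(\d+))?(?:\.gz)?")
    found = {}
    for name in os.listdir(log_dir):
        m = pattern.fullmatch(name)
        if m:
            found[int(m.group(1)) if m.group(1) else 0] = name
    highest = max(found) if found else -1
    missing = [f"{base}.{i}" if i else base
               for i in range(highest + 1) if i not in found]
    empty = [name for _, name in sorted(found.items())
             if os.path.getsize(os.path.join(log_dir, name)) == 0]
    return {"missing": missing, "empty": empty}


def demo():
    """Run both checks over a constructed log directory (auth.log.2 absent,
    auth.log.1 emptied) and return (chain_report, gaps)."""
    with tempfile.TemporaryDirectory() as d:
        layout = [("auth.log", SAMPLE_AUTH_LOG), ("auth.log.1", ""),
                  ("auth.log.3", "May 11 09:00:00 kali sshd[1]: constructed line\n")]
        for name, body in layout:
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return check_chain(d), find_gaps(SAMPLE_AUTH_LOG.splitlines())


if __name__ == "__main__":
    report, gaps = demo()
    print("chain:", report)
    for prev, nxt, gap in gaps:
        print(f"gap of {gap} between {prev} and {nxt}")
```

    These checks only catch the cruder outcomes; a file that has been overwritten in place and rewritten with plausible entries would pass them. The reliable mitigation is to ship auth.log to a collector the compromised host cannot write to, so the local copy is never the only record.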
    A better and more secure solution is to shred the log files. With other file deletion systems, a skilled investigator is still able to recover the deleted files (deleted files are simply made available to be overwritten by the filesystem; they still exist until they are overwritten), but suppose there was a way to delete the file and overwrite it several times, making it much harder to recover. Lucky for us, Linux has a built-in command, appropriately named shred, for just this purpose.
    To understand how the shred command works, take a quick look at the help screen by entering the following command:

    kali > shred --help
    Usage: shred [OPTION]... FILE...
    Overwrite the specified FILE(s) repeatedly in order to make it harder
    for even very expensive hardware probing to recover data
    --snip--
    As you can see from the full output on your screen, the shred command has many options. In its most basic form, the syntax is simple:

    shred FILE
    On its own, shred will delete the file and overwrite it several times; by default, shred overwrites four times. Generally, the more times the file is overwritten, the harder it is to recover, but keep in mind that each overwrite takes time, so for very large files, shredding may become time-consuming.
    Two useful options to include are the -f option, which changes the permissions on the files to allow overwriting if a permission change is necessary, and the -n option, which lets you choose how many times to overwrite the files. As an example, we'll shred the log files in /var/log/auth.log 10 times using the following command:

    kali >