The Logging System 117
/var/log/auth.log.2
/var/log/auth.log.3
/var/log/auth.log.4
For more details on the many ways to customize and use the logrotate utility, see the man logrotate page. This is an excellent resource to learn about the functions you can use and the variables you can change to customize how your logs are handled. Once you become more familiar with Linux, you’ll get a better sense of how often you need to log and what options you prefer, so it’s worth revisiting the logrotate.conf file.
Remaining Stealthy
Once you’ve compromised a Linux system, it’s useful to disable logging and remove any evidence of your intrusion in the log files to reduce the chances of detection. There are many ways to do this, and each carries its own risks and level of reliability.
Removing Evidence
First, you’ll want to remove any logs of your activity. You could simply open the log files and precisely remove any logs detailing your activity, line by line, using the file deletion techniques you learned in Chapter 2. However, this could be time-consuming and leave time gaps in the log files, which would look suspicious. Also, deleted files can generally be recovered by a skilled forensic investigator.
A better and more secure solution is to shred the log files. With other file deletion systems, a skilled investigator is still able to recover the deleted files (deleted files are simply made available to be overwritten by the file system; they still exist until they are overwritten), but suppose there was a way to delete the file and overwrite it several times, making it much harder to recover. Lucky for us, Linux has a built-in command, appropriately named shred, for just this purpose.
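From the defender’s side, both traces described above can be checked for: a file that was shredded no longer contains syslog text but random bytes, and line-by-line deletion leaves time gaps between consecutive entries. The following script is an added example, not code from the book; its auth.log-style lines, the year used for the year-less syslog timestamps, and the one-hour gap threshold are all constructed for the illustration.

```python
import re
from datetime import datetime

# Constructed sample of auth.log-style lines (syslog timestamps carry no year).
SAMPLE_LOG = b"""Mar  3 09:00:01 kali CRON[1201]: pam_unix(cron:session): session opened for user root
Mar  3 09:05:12 kali sshd[1330]: Accepted password for kali from 10.0.0.5 port 50122 ssh2
Mar  3 15:42:07 kali sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; COMMAND=/bin/ls
Mar  3 15:42:10 kali sudo: pam_unix(sudo:session): session opened for user root
"""

TS_RE = re.compile(rb"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_ts(line, year=2024):
    """Parse the leading syslog timestamp of one line; None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon.decode()], int(day),
                    int(hh), int(mm), int(ss))


def check_log(data, max_gap_seconds=3600, max_binary_ratio=0.05):
    """Return a list of findings: non-text content or suspicious time gaps."""
    findings = []
    # A shredded file is overwritten with random bytes, so count bytes that
    # are neither printable ASCII nor tab/newline/carriage return.
    binary = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    if data and binary / len(data) > max_binary_ratio:
        findings.append("binary content: %d of %d bytes are non-text"
                        % (binary, len(data)))
    prev = None
    for line in data.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue  # continuation or unparsable line; skip
        if prev is not None:
            gap = (ts - prev).total_seconds()
            if gap < 0:
                findings.append("timestamp goes backwards at %s" % ts)
            elif gap > max_gap_seconds:
                findings.append("gap of %d seconds before %s" % (gap, ts))
        prev = ts
    return findings
```

On the constructed sample the script reports the 6.5-hour hole between the SSH login and the sudo entries; real logs need a threshold tuned to the host’s normal activity.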
To understand how the shred command works, take a quick look at the help screen by entering the following command:
kali > shred --help
Usage: shred [OPTION]... FILE...
Overwrite the specified FILE(s) repeatedly in order to make it harder
for even very expensive hardware probing to recover data
--snip--
As you can see from the full output on your screen, the shred command has many options.
In its most basic form, the syntax is simple:
shred
On its own, shred will delete the file and overwrite it several times—by default, shred overwrites four times. Generally, the more times the file is overwritten, the harder it is to recover, but keep in mind that each overwrite takes time, so for very large files, shredding may become time-consuming.
Two useful options to include are the -f option, which changes the permissions on the files to allow overwriting if a permission change is necessary, and the -n option, which lets you choose how many times to overwrite the files. As an example, we’ll shred the log files in /var/log/auth.log 10 times using the following command:
kali >