linuxbasicsforhackers (The Logging System), page 122 of 125
shred -f -n 10 /var/log/auth.log.*

We need the -f option to give us permission to shred auth files, and we follow the -n option with the desired number of times to overwrite. After the path of the file we want to shred, we include the wildcard asterisk so we're shredding not just the auth.log file, but also any logs that have been created with logrotate, such as auth.log.1, auth.log.2, and so on.

Now try to open a log file:

kali > leafpad /var/log/auth.log.1

Once you've shredded a file, you'll see that the contents are indecipherable gibberish, as shown in Figure 11-1.

Figure 11-1: A shredded log file

Now if the security engineer or forensic investigator examines the log files, they will find nothing of use because none of it is recoverable!
Disabling Logging

Another option for covering your tracks is to simply disable logging. When a hacker takes control of a system, they could immediately disable logging to prevent the system from keeping track of their activities. This, of course, requires root privileges.

To disable all logging, the hacker could simply stop the rsyslog daemon. Stopping any service in Linux uses the same syntax, shown here (you'll see more on this in Chapter 12):

service servicename start|stop|restart
So, to stop the logging daemon, you could simply enter the following command:

kali > service rsyslog stop

Now Linux will stop generating any log files until the service is restarted, enabling you to operate without leaving behind any evidence in the log files!
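From the defender's side, both techniques in this chapter leave their own traces: a shredded log is a file full of random bytes where text should be, and a stopped rsyslog shows up as a long silence in /var/log/syslog, usually bracketed by rsyslogd's own "exiting on signal 15" and "start" messages. The following script is an added example, not code from the book, that checks for all three signs. The sample syslog lines and the stand-in for a shredded auth.log are constructed for the example; only the shape of the rsyslogd origin message follows what rsyslog itself writes, and the gap threshold and non-printable ratio are assumed values you would tune per host.

```python
"""Defender-side checks for the two track-covering techniques above:
shredded log files and a stopped rsyslog daemon."""
import random
import re
from datetime import datetime

# Timestamp at the start of a traditional syslog line, e.g. "May 14 10:01:09".
_TS_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2})")
# rsyslogd announces its own shutdown and startup in the log it writes.
_RSYSLOG_RE = re.compile(
    r'rsyslogd: \[origin software="rsyslogd".*?\] (exiting on signal \d+|start)'
)

# Constructed sample: a normal login, a stop of rsyslogd, a 2h44m silence, a restart.
SAMPLE_SYSLOG = """\
May 14 10:01:02 host sshd[1201]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
May 14 10:01:05 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 14 10:01:09 host rsyslogd: [origin software="rsyslogd" x-pid="512"] exiting on signal 15.
May 14 12:45:33 host rsyslogd: [origin software="rsyslogd" x-pid="2044"] start
May 14 12:45:40 host sshd[2100]: Accepted password for alice from 192.0.2.10 port 51300 ssh2
"""

# Constructed stand-in for a shredded auth.log: 4 KiB of pseudo-random bytes,
# which is what shred's overwrite passes leave behind.
_rng = random.Random(1)
SHREDDED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
HEALTHY_SAMPLE = SAMPLE_SYSLOG.encode()


def parse_syslog_time(line: str):
    """Parse the leading syslog timestamp, or return None for untimestamped lines."""
    m = _TS_RE.match(line)
    if not m:
        return None
    mon, day, clock = m.groups()
    # The format carries no year; 1900 is fine because only differences are used.
    return datetime.strptime(f"{mon} {int(day):02d} {clock}", "%b %d %H:%M:%S")


def find_logging_gaps(text: str, max_gap_seconds: int = 3600):
    """Return (line_index, gap_seconds) for each pair of consecutive timestamped
    lines more than max_gap_seconds apart. On a normally busy host a long
    silence is what a stopped rsyslog looks like from the outside."""
    gaps = []
    prev_t, prev_i = None, None
    for i, line in enumerate(text.splitlines()):
        t = parse_syslog_time(line)
        if t is None:
            continue
        if prev_t is not None:
            delta = int((t - prev_t).total_seconds())
            if delta > max_gap_seconds:
                gaps.append((prev_i, delta))
        prev_t, prev_i = t, i
    return gaps


def find_rsyslog_restarts(text: str):
    """Return (line_index, event) for rsyslogd's own 'exiting on signal N'
    and 'start' messages, which bracket a deliberate stop of the daemon."""
    return [(i, m.group(1)) for i, line in enumerate(text.splitlines())
            if (m := _RSYSLOG_RE.search(line))]


def looks_shredded(data: bytes, max_nonprintable: float = 0.3) -> bool:
    """A log file is text; if more than max_nonprintable of its bytes fall outside
    printable ASCII and whitespace, it was overwritten rather than rotated."""
    if not data:
        return False
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    bad = sum(1 for b in data if b not in printable)
    return bad / len(data) > max_nonprintable


if __name__ == "__main__":
    print("logging gaps:", find_logging_gaps(SAMPLE_SYSLOG))
    print("rsyslogd events:", find_rsyslog_restarts(SAMPLE_SYSLOG))
    print("shredded stand-in flagged:", looks_shredded(SHREDDED_SAMPLE))
    print("healthy log flagged:", looks_shredded(HEALTHY_SAMPLE))
```

On a real host you would feed find_logging_gaps and find_rsyslog_restarts the contents of /var/log/syslog and run looks_shredded over each file under /var/log. The durable mitigation is the one these checks cannot replace: forward logs to a remote collector as they are written, so that shredding or stopping the local daemon destroys only the local copy.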
Summary

Log files track nearly everything that happens on your Linux system. They can be an invaluable resource in trying to analyze what has occurred, whether it be a malfunction or a hack. For the hacker, log files can be evidence of their activities and identity. However, an astute hacker can remove and shred these files and disable logging entirely, thus leaving no evidence behind.
Exercises

Before you move on to Chapter 12, try out the skills you learned from this chapter by completing the following exercises:

1. Use the locate command to find all the rsyslog files.
2. Open the rsyslog.conf file and change your log rotation to one week.
3. Disable logging on your system. Investigate what is logged in the file /var/log/syslog when you disable logging.
4. Use the shred command to shred and delete all your kern log files.