Lab 1 System Monitoring
Goal: To build skills to better assess system resources, performance and security.
Sequence 1: Inspecting your system
Scenario: You are assigned responsibility for this system. You must learn how it is
configured.
Deliverable: Knowledge about your system.
System Setup: Before you use the system, inspect its configuration by answering the following questions with the command(s) you used to derive this answer. Throughout the class, you may need to install additional software packages on your system. Consult the Appendix for information and instruction for installing software.
Instructions:
1. What IP addresses are configured for the system?
Use /sbin/ifconfig or /sbin/ip addr to find your IP addresses. One of them should be 192.168.0.X.
2. How are these IP addresses configured?
Look in /etc/sysconfig/network-scripts/ifcfg-*
3. What runlevel is the system currently in?
runlevel or who -r
4. How was this configured?
head -20 /etc/inittab Compare the "id" record value to /proc/cmdline in the event that the current runlevel was set by the bootloader(GRUB). cat /proc/cmdline
5. Which services are currently running?
service --status-all
6. Which services are installed?
chkconfig --list (This will only display services that are controlled by a service initialization script or by xinetd. Services started by other means will not be displayed.)
7. How many "end user" accounts are there?
Use the command getent passwd | sort -t":" -k 3 -g. The end user accounts are those 500 or above. The command above merely sorts all
user accounts.
8. Which account are you now using?
whoami
9. Has anyone else logged into your system recently?
last will show who recently logged in.
Sequence 2: Monitoring TCP/IP ports
Scenario: You have done your best to understand which services you must offer, and to whom, and now must verify this configuration. This is a mere exercise in a long and on-going effort to manage your system within the definitions of your Security Policy.
If you are located in an Internet-enabled classroom, please do not attempt to use nmap to scan machines outside the example.com domain or outside the 192.168.0.0/24 subnet unless instructed to do so. Thank you for your cooperation.
Deliverable: Familiarity with utilities in an audit of system services..
Instructions:
1. Work with a lab partner, and monitor network ports on each of your systems. Which TCP ports are open, and which have a service listening at the other end? With respect to your system, which ports have a service listening, but are not open to your partner?
a. For purposes of this lab, instructions will refer to station X and stationY, where stationX is the "local" system and stationY, the "remote." In the listings below, data redirected to a file is suggested, but not required while gathering data about the systems.
# netstat -tpnl > $HOME/netstat-stationY.out
# nmap stationX | grep tcp > $HOME/nmap-stationX.out
2. Determine which hosts are on your subnet.
a. Again, the nmap utility may be used to more broadly scan your system networking subnet. As we are using a IPV4 class C address range, the argument provided nmap is in the form "N.N.N.*", where "N" is replaced by the 3 octets of your IP network address.
# nmap -sP Your IP Network Address
3. Determine which programs, utilities or services are configured to run at system boot time. Which of these was configured during package installation, and which were configured by the system administrator?
a. Run chkconfig to audit your system, based on the current runlevel.
# chkconfig --list | grep $(runlevel | cut -d" " -f2):on
b. Each system initialization script contains lines used by chkconfig which describe how and when the script is to be run. Note that the example below uses regular expression classes to ensure, for example, a "space" and a "tab" are both matched.
To determine which scripts are default installed to run at system boot:
# grep '^#[[:space:]]chkconfig:[[:space:]][[:digit:]]\+' /etc/init.d/*
To determine which scripts are default installed not to run at system boot:
# grep '^#[[:space:]]chkconfig:[[:space:]]-' /etc/init.d/*
Sequence 3: Logging to a centralized loghost
Scenario: Your boss thinks it is a great idea to have one central logging host. Work together with your neighbor to configure your machine as a logging host.
Deliverable: A central logging host
Instructions:
1. Set up syslogd to accept remote messages.
a. Edit /etc/sysconfig/syslog, and add the -r option as below:
SYSLOGD_OPTIONS="-r -m 0"
2. Restart syslogd.
a. # service syslog restart
Now your machine will accept logging messages from other machines.
3. Set up syslogd to send some messages to another machine.
a. Append /etc/syslog.conf with the following line:
user.* @192.168.0.Y
Where 192.168.0.Y is your neighbor's IP address.
b. If you have SELinux problems, you may need to restore the context on all files in /etc/
# restorecon -R /etc/
4. Restart syslogd.
a. # service syslog restart
Now your machine sends messages from user programs to your neighbor's machine.
5. Test the new setup by using logger to generate a syslog message:
# logger -i -t yourname "This is a test"
Does the message appear in your neighbor's /var/log/messages?
6. Challenge questions:
Why does this message also appear in your own /var/log/messages?
How can you prevent it?
The message appears in /var/log/messages because the syslog.conf file has an entry that sends all user messages to /var/log/messages:
*.info;mail.none... /var/log/messages
To prevent this, add a user.none entry like the others:
*.info;user.none,mail.none... /var/log/messages
