This unit's homework is designed to solidify the following concepts and tools:

- Create a `tar` archive that excludes a directory using the `--exclude=` command option.
- `journalctl`.
- `logrotate`.
- `auditd`.

Please refer to the student guides and slides from this unit's lessons as you work through the assignment. If you get stuck, remember you can use Google and man pages for more information.
For this assignment, you will play the role of a security analyst for Credico Inc., a financial institution that offers checking, savings, and investment banking services.

In an effort to mitigate network attacks and meet federal compliance, Credico Inc. developed an efficient log management program that performs:

- Log rotation with `logrotate`.
- `auditd` to track events, record the events, detect abuse or unauthorized activity, and create custom reports.

These tools, in addition to archives, backups, scripting, and task automation, contribute to a fully comprehensive log management system.

You will expand and enhance this log management system by learning new tools, adding advanced features, and researching additional concepts.
To set up your lab environment with the necessary files, complete the following steps.

- Log in to the lab machine as user `sysadmin` with password `cybersecurity`.
- Create a `Projects` directory in your `/home/sysadmin/` directory.
- Place the homework files in the `~/Projects` directory before you get started.
As you solve each step below, please fill out the Submission File. This will be your homework deliverable.
In each of the following sections, you will use and build on your system administration tools and knowledge. Make sure to read the instructions carefully.
Creating `tar` archives is something you must do every day in your role at Credico Inc. In this section, you will extract and exclude specific files and directories to help speed up your workflow.

1. To get started, navigate to the `~/Projects` directory, where your downloaded `TarDocs.tar` archive file should be.
2. Extract the `TarDocs.tar` archive file into the current directory (`~/Projects`). Afterwards, list the directory's contents with `ls` to verify that you have extracted the archive properly.
   - After running `ls`, you should see a new `~/Projects/TarDocs` directory with five new subdirectories under `TarDocs/`.
3. Verify that there is a `Java` subdirectory in the `TarDocs/Documents` folder by running: `ls -l ~/Projects/TarDocs/Documents/`.
4. Create a `tar` archive called `Javaless_Docs.tar` that excludes the `Java` directory from the newly extracted `TarDocs/Documents/` directory.
   - Save the `Javaless_Docs.tar` archive in the `~/Projects` folder.
5. Verify that the `Javaless_Docs.tar` archive does not contain the `Java` subdirectory by using `tar` to list the contents of `Javaless_Docs.tar` and then piping to `grep` to search for `Java`.
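The following is an added example, not part of the assignment or its TarDocs files. It builds a small stand-in for the extracted `TarDocs` tree, creates the excluded archive, verifies the exclusion by listing and counting members, and also shows the snapshot-based incremental archive from the bonus task. `WORKDIR` replaces `~/Projects`, the file names inside the sample tree are constructed, and the function names are this example's own.

```shell
# Added example, not part of the assignment or its TarDocs files.
# WORKDIR stands in for ~/Projects so the functions can run anywhere (assumption).
WORKDIR="${WORKDIR:-$HOME/Projects}"

# make_sample_tree: constructed stand-in for the extracted TarDocs layout
# (only the Documents branch is needed to demonstrate the exclusion).
make_sample_tree() {
  mkdir -p "$WORKDIR/TarDocs/Documents/Java" "$WORKDIR/TarDocs/Documents/Notes"
  echo "class Hello {}" > "$WORKDIR/TarDocs/Documents/Java/Hello.java"
  echo "constructed meeting notes" > "$WORKDIR/TarDocs/Documents/Notes/todo.txt"
}

# extract_tardocs: step 2 (-x extract, -v list members, -f archive name,
# -C directory to extract into).
extract_tardocs() {
  tar -xvf "$WORKDIR/TarDocs.tar" -C "$WORKDIR"
}

# create_javaless: step 4. --exclude= is matched against member names as tar
# writes them, so the pattern uses the same relative path as the members.
# Running from WORKDIR keeps the members relative (TarDocs/Documents/...).
create_javaless() {
  ( cd "$WORKDIR" && tar -cvf Javaless_Docs.tar --exclude=TarDocs/Documents/Java TarDocs/Documents )
}

# member_count ARCHIVE PATTERN: step 5. Lists the members and counts those
# matching PATTERN; 0 for "Java" means the exclusion worked. grep -c exits
# non-zero when the count is 0, hence "|| true" so callers can rely on the number.
member_count() {
  tar -tf "$1" | grep -c -- "$2" || true
}

# incremental_backup SRC ARCHIVE SNAPSHOT: the bonus task. GNU tar records what
# it saw in SNAPSHOT (the assignment's snapshot.file); the first run is a full
# backup, later runs archive only files changed since the snapshot was written.
# For /var/log this needs root, e.g.
#   sudo tar -czf logs_backup.tar.gz --listed-incremental=snapshot.file /var/log
incremental_backup() {
  tar -czf "$2" --listed-incremental="$3" "$1"
}
```

Run `make_sample_tree` (or extract the real `TarDocs.tar`), then `create_javaless` and `member_count "$WORKDIR/Javaless_Docs.tar" Java`; a result of `0` is the check step 5 asks for. The incremental function is GNU-tar specific: `--listed-incremental` is not available in BSD or busybox tar.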
Bonus

- Create an incremental archive called `logs_backup.tar.gz` that contains only changed files by examining the `snapshot.file` for the `/var/log` directory. You will need `sudo` for this command.

In response to a ransomware attack, you have been tasked with creating an archiving and backup scheme to mitigate against CryptoLocker malware. This attack would encrypt the entire server's hard disk and can only be unlocked using a 256-bit digital key after a Bitcoin payment is delivered.
For this task, you'll need to create an archiving cron job using the following specifications:

- Archive the `/var/log/auth.log` file.
- Name the archive `./auth_backup.tgz`.
- Compress it with `gzip`.
- Use `crontab -e` to create the job. Make sure that your cron job line includes the following:
  - The `tar` command with three options.

Portions of the Gramm-Leach-Bliley Act require organizations to maintain a regular backup regimen for the safe and secure storage of financial data.
You'll first need to set up multiple backup directories. Each directory will be dedicated to housing text files that you will create with different kinds of system information.

For example, the directory `freemem` will be used to store free memory system information files.

Create the following directories:

- `~/backups/freemem`
- `~/backups/diskuse`
- `~/backups/openlist`
- `~/backups/freedisk`

Hint: brace expansion lets you name several subdirectories at once: `~/exampledirectory/{subdirectory1,subdirectory2,etc}`
Now you will create a script that will execute various Linux tools to parse information about the system. Each of these tools should output results to a text file inside its respective system information directory. For example:

`cpu_usage_tool > ~/backups/cpuuse/cpu_usage.txt`

In the above example, the `cpu_usage_tool` command will output CPU usage information into a `cpu_usage.txt` file.
To get started with setting up your script in your `home` directory, do the following:

1. Navigate to your `home` directory by running: `cd ~/`
2. Run `nano system.sh` to open a new Nano window.
   - Note: If you're unsure how to get started, we included a `system.sh` starter file. Use that as a guide.
3. Edit the `system.sh` script file so that it does the following:
   - Outputs free memory information to `~/backups/freemem/free_mem.txt`.
   - Outputs disk usage information to `~/backups/diskuse/disk_usage.txt`.
   - Outputs the list of open files to `~/backups/openlist/open_list.txt`.
   - Outputs free disk space information to `~/backups/freedisk/free_disk.txt`.
   - Use the `-h` option to make the output human-readable.
4. Change the `system.sh` file permissions so that it is executable. You should now have an executable `system.sh` file within your home `~/` directory.
5. Run `sudo ./system.sh`. You may see the following `lsof` warning:
   `lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs Output information may be incomplete.`
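Below is an added example of the collection script, not the assignment's `system.sh` starter file. It creates the four backup directories, writes one human-readable report per tool, and also covers the two cron tasks on this page: the gzip-compressed `auth.log` archive for `crontab -e`, and placing the script in the weekly system-wide cron directory. `BACKUP_ROOT` stands in for `~/backups`, the function names and the 06:00 schedule are this example's assumptions, and `du` is the tool assumed for "disk usage".

```shell
#!/bin/sh
# Added example, not the assignment's starter system.sh. BACKUP_ROOT stands in
# for ~/backups so the script can be exercised outside the lab account (assumption).
BACKUP_ROOT="${BACKUP_ROOT:-$HOME/backups}"

# make_backup_dirs: one directory per tool. In bash a single brace expansion
# does the same job:  mkdir -p ~/backups/{freemem,diskuse,openlist,freedisk}
make_backup_dirs() {
  for d in freemem diskuse openlist freedisk; do
    mkdir -p "$BACKUP_ROOT/$d"
  done
}

# collect_system_info: each tool writes its report into its own directory.
# -h prints sizes in human-readable units. A tool missing on the host is
# skipped so the remaining reports are still written.
collect_system_info() {
  make_backup_dirs
  if command -v free >/dev/null 2>&1; then
    free -h > "$BACKUP_ROOT/freemem/free_mem.txt"                        # free memory
  fi
  du -sh "$HOME" > "$BACKUP_ROOT/diskuse/disk_usage.txt" 2>/dev/null || true   # disk usage
  if command -v lsof >/dev/null 2>&1; then
    # the fuse.gvfsd-fuse warning shown in the assignment goes to stderr,
    # so it stays out of the report file
    lsof > "$BACKUP_ROOT/openlist/open_list.txt" 2>/dev/null || true     # open files
  fi
  df -h > "$BACKUP_ROOT/freedisk/free_disk.txt" 2>/dev/null || true     # free disk space
}

# auth_backup [SRC] [DEST]: the cron task from the ransomware section, i.e. the
# tar command with three options (-c create, -z gzip, -f archive name).
# The crontab -e line that runs it daily at 06:00 (schedule is an assumption;
# cron starts in the user's home directory, so ./ resolves there):
#   0 6 * * * tar -czf ./auth_backup.tgz /var/log/auth.log
auth_backup() {
  tar -czf "${2:-./auth_backup.tgz}" "${1:-/var/log/auth.log}" 2>/dev/null
}

# Bonus: run-parts executes scripts in /etc/cron.weekly once a week but skips
# file names containing a dot, so the copy must not keep the .sh extension:
#   sudo cp ~/system.sh /etc/cron.weekly/system && sudo chmod +x /etc/cron.weekly/system

# Usage: chmod +x system.sh && sudo ./system.sh run
if [ "${1:-}" = "run" ]; then
  collect_system_info
fi
```

`lsof` needs root to see every process's open files, which is why the assignment runs the script with `sudo`; the report files it writes are then owned by root, so check their permissions before granting other accounts access to `~/backups`.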
Optional

- Verify your work by navigating to the `~/backups/` directory and using `cat <filename>` to view the contents of the backup files.

Bonus

- Automate `system.sh` by adding it to the `weekly` system-wide cron directory.

You realize that the spam messages are making the size of the log files unmanageable.
You've decided to implement log rotation in order to preserve log entries and keep log file sizes more manageable. You've also chosen to compress logs during rotation to preserve disk space and lower costs.

1. Run `sudo nano /etc/logrotate.conf` to edit the `logrotate` config file. You don't need to work out of any specific directory, as you are using the full configuration file path.
2. Configure a log rotation scheme for `/var/log/auth.log` using the following settings:
   - Hint: the settings for a log go inside its `{}` block.
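As an added example (not the assignment's configuration), the shell function below appends a complete `/var/log/auth.log { ... }` stanza to a logrotate config file and a second function lists the directives it contains for review. The page does not give the required settings, so every directive in the stanza (weekly rotation, four copies, compression, owner and mode of the recreated log) is an assumption chosen to match the stated goals; `LOGROTATE_CONF` stands in for `/etc/logrotate.conf` so the stanza can be generated without root.

```shell
# Added example, not the assignment's configuration. LOGROTATE_CONF stands in
# for /etc/logrotate.conf so the stanza can be generated without root (assumption).
LOGROTATE_CONF="${LOGROTATE_CONF:-/etc/logrotate.conf}"

# write_auth_log_rotation: append a stanza for /var/log/auth.log. Everything
# between the braces applies only to that log and overrides the global defaults
# set earlier in the file. Directive choices below are assumptions.
write_auth_log_rotation() {
  cat >> "$LOGROTATE_CONF" <<'EOF'

/var/log/auth.log {
    # rotate once a week, keeping four old copies (auth.log.1 .. auth.log.4.gz)
    weekly
    rotate 4
    # gzip rotated copies; delaycompress leaves the newest one uncompressed so a
    # process still writing to it (and grep) can read it until the next rotation
    compress
    delaycompress
    # do not error if the log is missing, and skip rotation when it is empty
    missingok
    notifempty
    # recreate the log with restrictive permissions (owner and group are assumptions)
    create 0640 syslog adm
}
EOF
}

# stanza_directives: the directive names inside the auth.log block, one per
# line, for a quick review of what will apply (comments and braces dropped).
stanza_directives() {
  sed -n '/^\/var\/log\/auth.log {/,/^}/p' "$LOGROTATE_CONF" |
    grep -v '^[[:space:]]*#' | grep -v '[{}]' | awk '{print $1}'
}

# Dry run: -d prints what logrotate would do without rotating anything (it
# implies -v); -s points at a scratch state file so the real one is untouched.
#   sudo logrotate -d -s /tmp/logrotate.state /etc/logrotate.conf
```

Run the dry run before waiting for the daily cron job: it is the quickest way to catch a typo in the stanza, and `logrotate -f` can then force one real rotation so the compressed copy and the recreated `auth.log` can be inspected.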
In an effort to help mitigate against future attacks, you have decided to create an event monitoring system that specifically generates reports whenever new accounts are created or modified, and when any modifications are made to authorization logs.

1. Verify that the `auditd` service is active using the `systemctl` command.
2. Run `sudo nano /etc/audit/auditd.conf` to edit the `auditd` config file using the following parameters. You can run this command from anywhere using the terminal.
3. Run `sudo nano /etc/audit/rules.d/audit.rules` to edit the rules for `auditd`. Create rules that watch the following paths:
   - `/etc/shadow`: set `wra` for the permissions to monitor and set the keyname for this rule to `hashpass_audit`.
   - `/etc/passwd`: set `wra` for the permissions to monitor and set the keyname for this rule to `userpass_audit`.
   - `/var/log/auth.log`: set `wra` for the permissions to monitor and set the keyname for this rule to `authlog_audit`.
4. Restart the `auditd` daemon.
5. List the `auditd` rules.
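The following added example (not the assignment's own rules file) generates the three watch rules with the paths, `wra` permission flags and key names given above, and collects in comments the daemon and reporting commands for the remaining steps of this section. `RULES_FILE` stands in for `/etc/audit/rules.d/audit.rules` so the generator can run without root or a running `auditd`; the key name for the `/var/log/cron` rule is an assumption, since the page does not give one.

```shell
# Added example, not the assignment's own rules file. RULES_FILE stands in for
# /etc/audit/rules.d/audit.rules so this runs without root or auditd (assumption).
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# write_audit_rules: append one watch rule per path.
#   -w PATH   watch this file
#   -p wra    record writes, reads and attribute changes (w, r, a)
#   -k KEY    tag matching events so ausearch/aureport can filter on the key
write_audit_rules() {
  mkdir -p "$(dirname "$RULES_FILE")"
  {
    echo "-w /etc/shadow -p wra -k hashpass_audit"
    echo "-w /etc/passwd -p wra -k userpass_audit"
    echo "-w /var/log/auth.log -p wra -k authlog_audit"
  } >> "$RULES_FILE"
}

# count_watch_rules: number of -w rules in the file, a quick check that the
# write landed before the daemon is restarted.
count_watch_rules() {
  grep -c '^-w ' "$RULES_FILE"
}

# Steps that need the audit daemon, run as root on the lab host:
#   systemctl is-active auditd        # step 1: service must report "active"
#   systemctl restart auditd          # step 4: load the edited rules file
#                                     # (on hosts whose unit refuses a manual stop: service auditd restart)
#   auditctl -l                       # step 5: list the rules now loaded in the kernel
#   aureport -au                      # report of all user authentications
#   useradd attacker && aureport -m   # account modification report picks up the new account
#   auditctl -w /var/log/cron -p wra -k cron_audit   # live rule via auditctl; key name is an assumption
#   ausearch -k cron_audit            # events tagged with that key, to confirm the rule took effect
```

Rules added with `auditctl` live only until the next reboot; anything that must survive goes into the `rules.d` file as well, which is why the assignment has both.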
Hint: refer to the `auditd` section within the 5.3 Student Guide.

6. Using `sudo`, produce an audit report that returns results for all user authentications.
7. Run `sudo useradd attacker` and produce an audit report that lists account modifications.
8. Use `auditctl` to add another rule that watches the `/var/log/cron` directory.
9. Verify that the `auditd` rules took effect.

There was a suspicious login from a host on the network during the early morning hours when the office was closed. The senior security manager tasked you with filtering through log files to determine if a system breach occurred.
For the bonus, write the `journalctl` commands for each use case below.

Hint: Remember that `journal` tracks each log relative to each system boot. Also, keep in mind that you can sort messages by priority, relative boot, and specific units.

1. Write a `journalctl` command that performs a log search that returns all messages, with priorities from emergency to error, since the current system boot.
2. Write a `journalctl` command that checks the disk usage of the system journal unit since the most recent boot. You will likely have to pipe this output to `less` if it doesn't fit on the screen.
3. `systemd-journald`.
4. Write a `journalctl` command that removes all archived journal files except the most recent two.
5. Write a `journalctl` command that filters all log messages with priority levels between zero and two, and saves the results to a file named `Priority_High.txt` in the `/home/student/` directory.
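As an added example (not the assignment's answer key), the functions below wrap the `journalctl` invocations for the use cases above and a comment block records the syslog priority scale those ranges refer to. They run on any systemd host; `OUT_FILE` defaults to the path named in use case 5 and is overridable, the function names are this example's own, and the vacuum command assumes it is run as root.

```shell
# Added example, not the assignment's answer key. OUT_FILE stands in for the
# path in use case 5 and can be overridden (assumption).
OUT_FILE="${OUT_FILE:-/home/student/Priority_High.txt}"

# Priorities follow syslog: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning,
# 5 notice, 6 info, 7 debug. A range "a..b" selects every level between them,
# by name or number. -b alone means the current boot; -b -1 the previous one,
# and "journalctl --list-boots" shows the available boot indices.

# 1. every message from emergency (0) down to error (3) since the current boot
boot_errors() {
  journalctl -b -p emerg..err
}

# 2. disk space used by the journal files (pipe to less when it scrolls off screen)
journal_disk_usage() {
  journalctl --disk-usage
}

# 3. messages from the systemd-journald unit since the current boot
journald_unit_log() {
  journalctl -b -u systemd-journald
}

# 4. delete archived journal files so that only the two most recent remain;
#    active journal files are never touched by vacuuming. Run as root.
vacuum_journal() {
  journalctl --vacuum-files=2
}

# 5. priorities 0..2 (emerg, alert, crit) written to OUT_FILE; --no-pager makes
#    the intent explicit even though journalctl already skips the pager when
#    stdout is not a terminal
save_high_priority() {
  journalctl -p 0..2 --no-pager > "$OUT_FILE"
}
```

For the suspicious-login scenario, the priority filters narrow the volume but the authentication evidence itself is at lower priorities; combine `-b` with `-u ssh` or `_COMM=sshd` and a time window (`--since`/`--until`) to see the login attempts around the hour in question.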