Example Cartographer Agent Configuration
From Krupczak.org
== Example Directives == === Database Connections === Assuming that mySQL and PostgreSQL are properly configured for sysloging, these entries will scan syslog files for database connections and create dependencies for the corresponding clients. Cartographer agents will also scan for database connections via the TCP connection table, however, Cartographer agents may miss very short lived TCP connections. <pre> <logfileDependency> <logfile>/var/log/mysqld.log</logfile> <dependType>dependDB</dependType> <addExpression>Connect *(.*)@(.*) on</addExpression> <removeExpression></removeExpression> <dependClient>$2</dependClient> <dependServer>mankato</dependServer> <dependArgs>application='mysqld' user='$1'</dependArgs> <scanInterval>120</scanInterval> <timeout>3600</timeout> </logfileDependency> <logfileDependency> <logfile>/var/log/messages</logfile> <dependType>dependDB</dependType> <addExpression>postgres.*connection received: host=(.*) </addExpression> <removeExpression></removeExpression> <dependClient>$1</dependClient> <dependServer>onms</dependServer> <dependArgs>application='postgres'</dependArgs> <scanInterval>120</scanInterval> <timeout>3600</timeout> </logfileDependency> </pre> === Search for DHCP Clients === The ISC DHCP daemon logs clients that it assigns addresses to. Snarfing these log entries allows Cartographer to determine DHCP clients. 
<pre> <logfileDependency> <logfile>/var/log/messages</logfile> <dependType>dependDHCP</dependType> <addExpression>DHCPACK on (.*) to (.*) via (.*)</addExpression> <removeExpression></removeExpression> <dependClient>$1</dependClient> <dependServer>127.0.0.1</dependServer> <dependArgs>interface='$3' macaddr='$2'</dependArgs> <scanInterval>120</scanInterval> <timeout>3600</timeout> </logfileDependency> </pre> === Search for IMAP Email User Dependencies === <pre> <logfileDependency> <logfile>/var/log/maillog</logfile> <dependType>dependEmail</dependType> <addExpression>imap-login.*user=(.*),.*rip=(.*), lip</addExpression> <removeExpression></removeExpression> <dependClient>$2</dependClient> <dependServer>uncasville</dependServer> <dependArgs>user='$1'</dependArgs> <scanInterval>120</scanInterval> <timeout>3600</timeout> </logfileDependency> </pre> === Search for VPN Dependencies === <pre> <logfileDependency> <logfile>/var/log/messages</logfile> <dependType>dependVPN</dependType> <addExpression>openvpn.*Peer Connection.*with (.*):(.*)</addExpression> <removeExpression></removeExpression> <dependClient>$1</dependClient> <dependServer>127.0.0.1</dependServer> <dependArgs>VPN</dependArgs> <scanInterval>120</scanInterval> <timeout>21600</timeout> </logfileDependency> </pre> === Search for DNS Slave Servers Performing Zone Transfers === Slave client transferring from server: <pre> <logfileDependency> <logfile>/var/log/named.log</logfile> <dependType>dependDNS</dependType> <addExpression>.*transfer of.*from (.*)#</addExpression> <removeExpression></removeExpression> <dependClient>127.0.0.1</dependClient> <dependServer>$1</dependServer> <dependArgs>zone xfer</dependArgs> <scanInterval>120</scanInterval> <timeout>21600</timeout> </logfileDependency> </pre> Server side log of client transfer will detect zone transfers to slaves: <pre> <logfileDependency> <logfile>/var/named/chroot/var/log/named.log</logfile> <dependType>dependDNS</dependType> <addExpression>client 
(.*)#.*transfer of (.*):.*</addExpression> <removeExpression></removeExpression> <dependClient>$1</dependClient> <dependServer>127.0.0.1</dependServer> <dependArgs>zone='$2' xfer</dependArgs> <scanInterval>120</scanInterval> <timeout>21600</timeout> </logfileDependency> </pre> === Logfile Monitor for Authentication Issues === Logins attempts on secure server machines may warrant additional scrutiny. <pre> <logfileMonitor> <logfile>/var/log/secure</logfile> <expression>Accepted password for .*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/secure</logfile> <expression>Failed password for .*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/maillog</logfile> <expression>postfix.*SASL LOGIN.*fail.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> </pre> ''saslauthd'' has been known to fall over at times and this makes users unhappy. <pre> <logfileMonitor> <logfile>/var/log/messages</logfile> <expression>.*kernel.*saslauthd.*seg.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> </pre> === Virtual Machine Guest/Host Static Dependency === <pre> <dependency> <dependClient>127.0.0.1</dependClient> <dependServer>vmhost</dependServer> <dependType>dependVM</dependType> <dependArgs></dependArgs> <dependReference>dependOutbound</dependReference> </dependency> </pre> === Security and Hacking Attempts === The Internet is full of despicable creatures out there attempting to break into our computers. Here are a few logfile monitoring entries to alert us to the more interesting attack avenues. Some of the expressions and logfiles are dependent on your local configuration. 
<pre> <logfileMonitor> <logfile>/var/log/httpd/ssl_error_log</logfile> <expression>phpMyAdmin.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/httpd/ssl_request_log</logfile> <expression>phpMyAdmin.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/httpd/access_log</logfile> <expression>phpMyAdmin.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/httpd/error_log</logfile> <expression>phpMyAdmin.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/maillog</logfile> <expression>Blocked.*SPAM.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/secure</logfile> <expression>Failed password for .*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/messages</logfile> <expression>Illegal DNS output.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> <logfileMonitor> <logfile>/var/log/messages</logfile> <expression>Illegal SMTP output.*</expression> <scanInterval>120</scanInterval> </logfileMonitor> </pre>
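The directives above are declarative, so it is easy to misjudge what a capture group will actually contain. The following Python program is an added example written for this page; it is not part of Cartographer and does not reproduce its code. It loads two of the page's <code>logfileDependency</code> entries (MySQL and DHCP) and one <code>logfileMonitor</code> entry, runs them over constructed sample log lines, and reports the dependencies and monitor hits they produce. The semantics it assumes are not documented on this page: a line matching <code>addExpression</code> creates or refreshes a dependency keyed by type, client and server; <code>$N</code> is the N-th capture group; a dependency not refreshed within <code>timeout</code> seconds is expired; and <code>removeExpression</code>, which is empty in every example here, is ignored.

```python
"""Added example, not Cartographer's own code: apply logfile directives from
this page to constructed log lines and show what each capture group yields.

Assumed semantics (not documented on the page):
  * a line matching <addExpression> creates or refreshes a dependency keyed
    by (dependType, dependClient, dependServer);
  * $N in dependClient/dependServer/dependArgs is capture group N;
  * a dependency not refreshed within <timeout> seconds is expired;
  * <removeExpression> (empty in all of the page's examples) is ignored.
"""
import re
import xml.etree.ElementTree as ET

# Two logfileDependency entries and one logfileMonitor entry from the page,
# wrapped in a root element so the fragment parses as one document.
DIRECTIVES = """<cartographer>
<logfileDependency>
  <logfile>/var/log/mysqld.log</logfile>
  <dependType>dependDB</dependType>
  <addExpression>Connect *(.*)@(.*) on</addExpression>
  <removeExpression></removeExpression>
  <dependClient>$2</dependClient>
  <dependServer>mankato</dependServer>
  <dependArgs>application='mysqld' user='$1'</dependArgs>
  <scanInterval>120</scanInterval>
  <timeout>3600</timeout>
</logfileDependency>
<logfileDependency>
  <logfile>/var/log/messages</logfile>
  <dependType>dependDHCP</dependType>
  <addExpression>DHCPACK on (.*) to (.*) via (.*)</addExpression>
  <removeExpression></removeExpression>
  <dependClient>$1</dependClient>
  <dependServer>127.0.0.1</dependServer>
  <dependArgs>interface='$3' macaddr='$2'</dependArgs>
  <scanInterval>120</scanInterval>
  <timeout>3600</timeout>
</logfileDependency>
<logfileMonitor>
  <logfile>/var/log/secure</logfile>
  <expression>Failed password for .*</expression>
  <scanInterval>120</scanInterval>
</logfileMonitor>
</cartographer>"""

# Constructed sample log lines (not real captures), keyed by logfile path.
LOGS = {
    "/var/log/mysqld.log": [
        "240101 10:00:00    12 Connect   webapp@10.0.0.5 on shopdb",
        "240101 10:00:01    12 Quit",
    ],
    "/var/log/messages": [
        "Jan  1 10:00:02 gw dhcpd: DHCPACK on 10.0.0.77 to 00:11:22:33:44:55 via eth1",
    ],
    "/var/log/secure": [
        "Jan  1 10:00:03 gw sshd[123]: Failed password for root from 203.0.113.9 port 4022 ssh2",
        "Jan  1 10:00:04 gw sshd[124]: Accepted password for alice from 10.0.0.5 port 5000 ssh2",
    ],
}


def expand(template, match):
    """Replace every $N in template with capture group N of match."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)


def scan(directives_xml, logs, now):
    """One scan pass: return ({(type, client, server): info}, [monitor hits])."""
    root = ET.fromstring(directives_xml)
    deps, hits = {}, []
    for d in root.findall("logfileDependency"):
        add_re = re.compile(d.findtext("addExpression"))
        for line in logs.get(d.findtext("logfile"), []):
            m = add_re.search(line)
            if m is None:
                continue
            key = (d.findtext("dependType"),
                   expand(d.findtext("dependClient"), m),
                   expand(d.findtext("dependServer"), m))
            deps[key] = {"args": expand(d.findtext("dependArgs"), m),
                         "seen": now, "timeout": int(d.findtext("timeout"))}
    for mon in root.findall("logfileMonitor"):
        expr = re.compile(mon.findtext("expression"))
        for line in logs.get(mon.findtext("logfile"), []):
            if expr.search(line):
                hits.append((mon.findtext("logfile"), line))
    return deps, hits


def expire(deps, now):
    """Drop dependencies that have not been refreshed within their timeout."""
    return {k: v for k, v in deps.items() if now - v["seen"] <= v["timeout"]}


if __name__ == "__main__":
    deps, hits = scan(DIRECTIVES, LOGS, now=1000)
    for (typ, client, server), info in deps.items():
        print(f"{typ}: {client} -> {server} [{info['args']}]")
    for logfile, line in hits:
        print(f"monitor hit in {logfile}: {line}")
    print(len(expire(deps, now=1000 + 3601)), "dependencies left after 3601 s")
```

Running it shows the MySQL entry recording client <code>10.0.0.5</code> against server <code>mankato</code> with <code>user='webapp'</code>, the DHCP entry recording <code>10.0.0.77</code> with its MAC and interface, and the monitor firing only on the failed-login line; both dependencies vanish once more than 3600 seconds pass without a refresh. Swapping in your own log lines is the quickest way to check that a greedy <code>.*</code> in a new <code>addExpression</code> captures the field you intended and nothing more.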