Hardening Juniper SRX syslog (Harden syslog)



Before you start, please refer to the following links:


Syslog is the industry-standard way to record system information, either locally or on a designated remote server. Logging is essential for device security: it records everything the system does, large and small, and helps you spot misconfigurations, understand intrusions, troubleshoot service outages and respond to probes and scans.
Without the ability to generate log records, establishing, correlating, investigating or identifying what happened around an incident becomes very difficult.

Junos platforms have a reasonable amount of flash storage for local syslog files, and sending a copy to a remote syslog server preserves those records and strengthens security. The usual rule of thumb: remote logs are for forensics, local logs are for troubleshooting.

You can also create local log files that each hold a different type of message. This is useful when, for example, you want certain users (such as auditors) to be able to read one message type (say, the commands users have executed) without letting ordinary users read those logs.

The Juniper SRX Services Gateway must generate log records for the auditable events defined by the DoD (US Department of Defense). The DoD has defined the list of events for which the device must be able to produce audit records. These events are:
(1) Successful and unsuccessful attempts to access, modify or delete objects and events.
(2) Access operations: successful and unsuccessful logon attempts, privileged activities or other system-level access, the start and end times of user access to the system, concurrent logons from different workstations, successful and unsuccessful access to objects, all program initiations, and all direct access to the information system.
(3) All account creation, modification, disabling and termination actions.

A best practice when configuring external syslog servers is to add a log-prefix to the messages sent to each server, to help identification and investigation: more than one device usually sends to the same collector, and the prefix keeps them from being confused.

Another best practice is to add match conditions so that particular recorded events are stored in files of their own. This makes problems easier to find and makes access control simpler.

Automated mechanisms can be used to send alerts or notifications, and these can be delivered in various ways (for example by telephone, by e-mail, by text message or via a web site).



Check whether syslog is already configured on the SRX. In configuration mode:
show system syslog
(from operational mode the equivalent is `show configuration system syslog`)

In the configuration below we set up both local and remote syslog, and separate specific message types into different log files.

When a component failure is detected, the Juniper SRX must raise an alarm or send an alert message to the administration console, and users who are logged in to the device should receive the alert on their terminal (the `user *` destination writes to every logged-in user):
set system syslog user * any emergency
set system syslog user * daemon critical
set system syslog user * daemon alert
Note that within one destination a facility carries only one severity, so the third line replaces the second: the committed configuration will read `daemon alert`, which drops critical-level daemon messages. Each severity already includes everything more severe than itself, so if you want critical, alert and emergency daemon messages, keep only `set system syslog user * daemon critical`.


All messages of severity info and above should be recorded in the device's local messages file. Local log files must also have a storage cap assigned, so that they cannot grow to a size that causes operational problems (here 30 MB per file with three archived copies):
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file messages archive size 30m files 3


Here is how to see which syslog options can be configured:
root@srx100# set system syslog ?
Possible completions:
  allow-duplicates     Do not suppress the repeated message for all targets
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive              Archive file information
> console              Console logging
> file                 File in which to log data
> host                 Host to be notified
  log-rotate-frequency  Rotate log frequency (1..59 minutes)
  source-address       Use specified address as source address
> time-format          Additional information to include in system log timestamp
> user                 Notify a user of the event
[edit]



We create a separate file named User-Auth that holds all authorization messages and every command entered by logged-in users:
set system syslog file User-Auth authorization any
set system syslog file User-Auth interactive-commands any
set system syslog file User-Auth archive size 20m files 2


Now let us create another local file named account-actions that holds all account creation, modification, disabling and termination actions. The change-log facility records every configuration change; the match regular expression keeps only the changes that touch `system login user`:
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog file account-actions archive size 10m files 2


Now create another local file called processes that holds the messages generated by system daemons:
set system syslog file processes daemon any
set system syslog file processes archive size 10m files 2


When you are connected over the console port it is helpful to see system messages and know the device's current state. Send syslog output to the SRX console at severity warning and above (warning is chosen so the console does not fill up with unimportant messages):
set system syslog console any warning


In a high-security environment all messages should be sent to a remote syslog server for auditing and forensic purposes, and two syslog servers should be configured for resilience. Configuring external syslog servers reduces the risk in security maintenance: whether the device itself fails, or an intruder breaks in and wipes the logs on the device, the records can still be found on the external server. Keep in mind that syslog to these hosts travels over UDP in clear text with no authentication, so the collectors belong on a management network and the path to them should be one you control:
set system syslog host 192.168.3.2 any any
set system syslog host 192.168.4.2 any any


Because more than one device usually sends to the same remote server, configure the log-prefix option on each host so that every syslog message carries a unique identifier (such as the hostname) and the collector can tell the devices apart without ambiguity:
set system syslog host 192.168.3.2 log-prefix SRX210
set system syslog host 192.168.4.2 log-prefix SRX210


(Optional) For consistency and resilience, syslog traffic should originate from the loopback address. If `set system default-address-selection` is not configured, use this command (192.168.5.1 is the loopback address in this example):
set system syslog source-address 192.168.5.1


In some cases the standard timestamp format is not as precise as a forensic investigation or troubleshooting requires. Configure the millisecond and year options so timestamps are as precise as possible (and make sure NTP is configured, otherwise precise timestamps are still wrong timestamps):
set system syslog time-format millisecond year


View the syslog configuration (in configuration mode; from operational mode use `show configuration system syslog`):
show system syslog
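As an added check that is not part of the original post and not a Juniper tool: a Python script that reads the `| display set` form of the syslog configuration and reports what is still missing from the checklist above (two `any any` hosts, a log-prefix on each, a source address, millisecond/year timestamps, an archive cap on every file, a quiet console). It applies the same rule the Junos CLI applies, that a facility carries only one severity per destination, so a repeated `set` for the same facility replaces the earlier one and is reported. The sample configuration, device name and addresses are constructed; the finding codes are this script's own.

```python
"""Audit a Junos syslog configuration against the hardening checklist above.
Added example (not Juniper code or the page's own). Input is the text printed
by `show configuration system syslog | display set`; the sample, the device
name and the addresses below are constructed."""
import shlex
from collections import defaultdict

# Constructed sample output. The second 'daemon' line under user * is on
# purpose: it shows that the later set silently replaces the earlier one.
SAMPLE_CONFIG = """\
set system syslog user * any emergency
set system syslog user * daemon critical
set system syslog user * daemon alert
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file messages archive size 30m files 3
set system syslog file User-Auth authorization any
set system syslog file User-Auth interactive-commands any
set system syslog file User-Auth archive size 20m files 2
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog file processes daemon any
set system syslog console any warning
set system syslog host 192.168.3.2 any any
set system syslog host 192.168.3.2 log-prefix SRX210
set system syslog host 192.168.4.2 any any
set system syslog time-format millisecond year
"""

# Junos severity keywords ("any" selects every level).
SEVERITIES = {"emergency", "alert", "critical", "error", "warning",
              "notice", "info", "any"}
# Per-destination keywords that look like `<word> <word>` but are not
# facility/severity pairs.
NON_FACILITY = {"archive", "log-prefix", "match", "port", "explicit-priority",
                "structured-data", "allow-duplicates", "source-address",
                "facility-override", "transport"}


def parse_syslog_set(text):
    """Group `set system syslog ...` lines by destination, keeping order.
    Keys: ("file", name), ("host", addr), ("user", name), ("console", None);
    device-wide options (source-address, time-format) go under ("global", None)."""
    dests = defaultdict(list)
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:3] != ["set", "system", "syslog"]:
            continue
        rest = tokens[3:]
        if rest and rest[0] in ("file", "host", "user") and len(rest) > 2:
            key, opts = (rest[0], rest[1]), rest[2:]
        elif rest and rest[0] == "console":
            key, opts = ("console", None), rest[1:]
        else:
            key, opts = ("global", None), rest
        if opts:
            dests[key].append(opts)
    return dests


def effective_severities(opts_list):
    """Apply `<facility> <severity>` options in order. As in the Junos CLI, a
    later set for the same facility replaces the earlier one. Returns
    (facility -> severity, list of (facility, replaced, by))."""
    eff, overrides = {}, []
    for opts in opts_list:
        if len(opts) == 2 and opts[0] not in NON_FACILITY and opts[1] in SEVERITIES:
            fac, sev = opts
            if fac in eff and eff[fac] != sev:
                overrides.append((fac, eff[fac], sev))
            eff[fac] = sev
    return eff, overrides


def audit(dests):
    """Return sorted (code, detail) findings for the checklist in this post."""
    findings = []
    hosts = sorted(name for kind, name in dests if kind == "host")
    if len(hosts) < 2:
        findings.append(("FEWER_THAN_TWO_HOSTS", ",".join(hosts)))
    for addr in hosts:
        opts = dests[("host", addr)]
        if effective_severities(opts)[0].get("any") != "any":
            findings.append(("HOST_NOT_ANY_ANY", addr))
        if not any(o[0] == "log-prefix" for o in opts):
            findings.append(("HOST_NO_PREFIX", addr))
    glob = dests.get(("global", None), [])
    if not any(o[0] == "source-address" for o in glob):
        findings.append(("NO_SOURCE_ADDRESS", ""))
    tf = [o for o in glob if o[0] == "time-format"]
    if not tf or not {"millisecond", "year"} <= set(tf[-1][1:]):
        findings.append(("TIME_FORMAT_IMPRECISE", " ".join(tf[-1][1:]) if tf else "unset"))
    for key in sorted(k for k in dests if k[0] == "file"):
        if not any(o[0] == "archive" and "size" in o for o in dests[key]):
            findings.append(("FILE_NO_ARCHIVE", key[1]))
    console = effective_severities(dests.get(("console", None), []))[0]
    if console.get("any") in ("any", "info", "notice"):
        findings.append(("CONSOLE_TOO_VERBOSE", console["any"]))
    for key, opts in dests.items():
        for fac, old, new in effective_severities(opts)[1]:
            where = key[0] if key[1] is None else f"{key[0]} {key[1]}"
            findings.append(("FACILITY_OVERRIDDEN", f"{where}: {fac} {old} -> {new}"))
    return sorted(findings)


def audit_config(text):
    return audit(parse_syslog_set(text))


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
```

Run it against the `display set` output of a real device and fix each finding in turn; an empty list means every item on the checklist above is in place. The override check is the one that is easy to miss by eye, because the CLI accepts both lines without complaint and only the committed configuration shows which one survived.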



How to configure syslog for the SRX Kaspersky AV antivirus
Before starting we need to know which messages Kaspersky AV produces. The following are message examples (tag, logging component, description):
AV_HUGE_FILE_DROPPED_MT  LOG_PFE,Skip antivirus scanning and drop the received traffic due to huge file
AV_HUGE_FILE_NOT_SCANNED_MT  LOG_PFE,Skip antivirus scanning and pass the received traffic due to huge file
AV_MANY_MSGS_DROPPED_MT  LOG_PFE,Drop the received file due to excessive traffic
AV_MANY_MSGS_NOT_SCANNED_MT  LOG_PFE,Skip antivirus scanning due to excessive traffic
AV_PATTERN_GET_FAILED  LOG_FIREWALL,The device was unable to retrieve an antivirus pattern file from the server
AV_PATTERN_KEY_EXPIRED  LOG_FIREWALL,Unable to download the antivirus pattern file because the antivirus license key has expired
AV_PATTERN_KL_CHECK_FAILED  LOG_FIREWALL,The device is unable to use Kaspersky's pattern file
AV_PATTERN_TOO_BIG   LOG_FIREWALL,The pattern file size specified in the server initialization file exceeds the limit
AV_PATTERN_UPDATED   LOG_FIREWALL,The internal antivirus scanner successfully updated the antivirus pattern file
AV_PATTERN_WRITE_FS_FAILED  LOG_FIREWALL,The device is unable to save contents of an antivirus pattern file
AV_SCANNER_DROP_FILE_MT  LOG_PFE,Drop the received traffic due to an internal error of antivirus scanner
AV_SCANNER_ERROR_SKIPPED_MT  LOG_PFE,Skip antivirus scanning due to an internal error
AV_SCANNER_READY     LOG_FIREWALL,The antivirus scan engine is ready
AV_VIRUS_DETECTED_MT  LOG_PFE,The antivirus scanner detected a virus

The syslog messages produced by Kaspersky AV all begin with the string "AV_", and the message produced when a virus is detected carries the tag "AV_VIRUS_DETECTED_MT". We therefore plan to store virus-detection messages in the AV_VIRUS file and all other AV messages in the AV_OPS file, so the relevant messages are easy to find. The match string is a regular expression searched against the whole message text, so do not pad it with spaces: in the message the tag is followed by a colon, and a trailing space in the pattern would match nothing.
set system syslog file AV_VIRUS any any
set system syslog file AV_VIRUS match "AV_VIRUS_DETECTED_MT"
set system syslog file AV_VIRUS archive size 1m files 3
set system syslog file AV_OPS any any
set system syslog file AV_OPS match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)"
set system syslog file AV_OPS archive size 1m files 3

set system syslog host 192.168.1.3 port 514
set system syslog host 192.168.1.3 any any

The configuration set in this section looks like this (`show system syslog` in configuration mode; note that the syslog stanza lives under `system`, not `security`):
system {
    syslog {
        host 192.168.1.3 {
            any any;
            port 514;
        }
        file AV_VIRUS {
            any any;
            match "AV_VIRUS_DETECTED_MT";
            archive size 1m files 3;
        }
        file AV_OPS {
            any any;
            match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)";
            archive size 1m files 3;
        }
    }
}

To view the syslog messages stored in the file (each message is one line; the console output was wrapped at 80 columns):
root@srx100> show log AV_VIRUS
Feb 24 01:42:18  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust www.eicar.org/download/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Feb 24 03:42:15  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
root@srx100>
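As an added example, not code from the original post or from Juniper: a Python script that simulates how the per-file `match` statements above (AV_VIRUS, AV_OPS and the earlier account-actions file) route SRX syslog lines, shows the padded-with-spaces match string failing, and pulls the useful fields (source, destination, zone, file, virus name) out of AV_VIRUS_DETECTED_MT messages the way a collector-side parser would. Junos `match` takes a regular expression; Python's `re` is used here as an approximation. The two virus lines are the ones from `show log AV_VIRUS` above, re-joined onto one line each; the other lines are constructed, and the exact wording of a real AV_PATTERN_UPDATED or UI_CFG_AUDIT_SET message may differ.

```python
"""Simulate per-file `match` routing over SRX syslog lines and parse
AV_VIRUS_DETECTED_MT messages. Added example, not Juniper code or the page's
own. The first two lines are the page's `show log AV_VIRUS` output; the rest
are constructed."""
import re

# file name -> match regex, as configured in this post. All three files are
# declared `any any`, so every message is a candidate and only the regex decides.
FILE_MATCHES = {
    "AV_VIRUS": r"AV_VIRUS_DETECTED_MT",
    "AV_OPS": r"(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)",
    "account-actions": r"system login user",
}

SAMPLE_LOG = [
    "Feb 24 01:42:18  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    "from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust "
    "www.eicar.org/download/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com "
    "virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A",
    "Feb 24 03:42:15  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    "from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust "
    "www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com "
    "virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A",
    # constructed lines (wording of the real messages may differ):
    "Feb 24 00:05:11  srx100 utmd[982]: AV_PATTERN_UPDATED: AntiVirus: pattern file updated",
    "Feb 24 02:10:05  srx100 mgd[1234]: UI_CFG_AUDIT_SET: User 'root' set: [system login user auditor class read-only]",
    "Feb 24 02:10:30  srx100 mgd[1234]: UI_COMMIT: User 'root' performed commit: no comment",
]


def route(line, file_matches=FILE_MATCHES):
    """Names of the files whose match regex accepts the line, in config order.
    As on the SRX, one line can land in several files or in none."""
    return [name for name, rx in file_matches.items() if re.search(rx, line)]


def route_all(lines, file_matches=FILE_MATCHES):
    """Count lines per file; 'unmatched' counts lines no regex accepted."""
    counts = {name: 0 for name in file_matches}
    counts["unmatched"] = 0
    for line in lines:
        hits = route(line, file_matches)
        for name in hits:
            counts[name] += 1
        if not hits:
            counts["unmatched"] += 1
    return counts


# Field layout of the AV_VIRUS_DETECTED_MT text as shown in the page's output.
AV_RE = re.compile(
    r"AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    r"from (?P<src_ip>\S+):(?P<src_port>\d+) to (?P<dst_ip>\S+):(?P<dst_port>\d+) "
    r"source-zone (?P<zone>\S+) (?P<url>\S+) file (?P<file>\S+) virus (?P<virus>\S+) "
    r"URL:(?P<info_url>\S+) username (?P<user>\S+) roles (?P<roles>\S+)")


def parse_av_detection(line):
    """Fields of an AV_VIRUS_DETECTED_MT line, or None for any other message."""
    m = AV_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields


if __name__ == "__main__":
    print(route_all(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        hit = parse_av_detection(line)
        if hit:
            print(f"{hit['virus']} from {hit['src_ip']} to {hit['dst_ip']}:{hit['dst_port']} ({hit['zone']})")
```

The UI_COMMIT line ends up in no match-filtered file at all, which is the behaviour you want to keep in mind: a file with a `match` statement only ever holds what the regex selects, so the unfiltered messages file (or the remote collector) must still receive everything.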



When communication with the syslog server is lost
If communication with the syslog server is lost, the Juniper SRX Services Gateway must continue to record log entries locally. When a network device is at risk of being unable to process logs as required, it is essential to have measures in place to mitigate the failure. Log processing failures include software or hardware errors, failures in the log-capture mechanism, and audit storage capacity being reached or exceeded. The response to a log failure depends on the nature of the failure mode.

Given the SRX's role in the enterprise, availability is the first concern, so the system must not be configured to shut down when log processing fails. Instead it is configured to record events to local files, which provides the log backup. Syslog to a remote host is sent over UDP and the SRX does not queue what it could not deliver, so the local files are the only copy of what happened while the collector was unreachable. When connectivity to the central collection server is restored, steps should be taken to synchronize the local log data with the collector (pull the local files and back-fill the gap).

Best practice is to add a log prefix to messages sent to collectors, to help investigate events, and to use filters to prevent log overload. Another best practice is to add match conditions so that a file keeps only the events matching a regular expression (REGEX). In this way the SRX inherently and continuously captures events to local files, guarding against loss of connectivity to the primary and secondary event servers.

The following log configuration is the contingency for losing communication with the event servers. It keeps the messages file for general events and moves authorization, interactive-command, daemon and account events into files of their own, so that each file stays readable and within its size cap:
set system syslog file messages any info
set system syslog file messages authorization none
set system syslog file messages interactive-commands none
set system syslog file messages daemon none
set system syslog file User-Auth authorization any
set system syslog file interactive-commands interactive-commands any
set system syslog file processes daemon any
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog console any any
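An added example, not code from the original post or from Juniper, for the collector side of the outage described above. Because the SRX does not queue undelivered UDP syslog, two things have to happen on the collector: it must notice on its own that a device with a given log-prefix has gone quiet, and once the link is back it must compare the device's local file (what `show log messages` prints) against what it received, to find the lines to back-fill. Both checks are below in Python. Assumptions: the collector prepends its own `YYYY-MM-DD HH:MM:SS` receive time to each line, and the device's log-prefix appears after the hostname followed by a colon; all sample lines, hostnames, prefixes and the fixed "now" are constructed.

```python
"""Collector-side handling for an SRX whose syslog feed was interrupted.
Added example, not Juniper code or the page's own. silent_devices() finds
log-prefixes that have been quiet too long; lines_missing_on_collector()
diffs the device's local file against the collector's copy. All sample
lines are constructed, as is the line layout assumed by the regexes."""
import re
from datetime import datetime

# Local file on the SRX, as `show log messages` prints it (default timestamp).
LOCAL_MESSAGES = [
    "Feb 24 01:40:00  srx100 mgd[1234]: UI_COMMIT: User 'root' performed commit: no comment",
    "Feb 24 01:42:18  srx100 mgd[1234]: UI_CFG_AUDIT_SET: User 'root' set: [system login user auditor class read-only]",
    "Feb 24 01:55:07  srx100 sshd[2201]: Accepted password for auditor from 192.168.1.50 port 51022 ssh2",
    "Feb 24 02:03:41  srx100 mgd[1234]: UI_COMMIT: User 'auditor' performed commit: no comment",
]
# What the collector holds: the two srx100 lines sent during the outage never arrived.
COLLECTOR_LOG = [
    "2019-02-24 01:40:00 srx100 SRX210: mgd[1234]: UI_COMMIT: User 'root' performed commit: no comment",
    "2019-02-24 01:42:18 srx100 SRX210: mgd[1234]: UI_CFG_AUDIT_SET: User 'root' set: [system login user auditor class read-only]",
    "2019-02-24 02:04:00 srx240 SRX240: mgd[881]: UI_LOGIN_EVENT: User 'ops' login, class 'super-user'",
]
EXPECTED_PREFIXES = {"SRX210", "SRX240", "SRX300"}   # SRX300 has never reported at all
NOW = datetime(2019, 2, 24, 2, 5, 0)                 # fixed "now" so the example is repeatable

# Junos local line: "Mon DD HH:MM:SS[.mmm] [YYYY]  host rest" (year/ms optional,
# matching the time-format knob above).
LOCAL_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: \d{4})? +(?P<host>\S+) (?P<rest>.*)$")
# Assumed collector line: "YYYY-MM-DD HH:MM:SS host prefix: rest"
COLL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prefix>[^:\s]+): (?P<rest>.*)$")


def last_seen_by_prefix(collector_lines):
    """log-prefix -> datetime of the newest line received from it."""
    seen = {}
    for line in collector_lines:
        m = COLL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        prefix = m.group("prefix")
        if prefix not in seen or ts > seen[prefix]:
            seen[prefix] = ts
    return seen


def silent_devices(collector_lines, expected_prefixes, now, max_gap_s=15 * 60):
    """Sorted (prefix, seconds_since_last_line) for every expected prefix that has
    been quiet longer than max_gap_s; a prefix never seen at all reports None."""
    seen = last_seen_by_prefix(collector_lines)
    out = []
    for prefix in sorted(expected_prefixes):
        if prefix not in seen:
            out.append((prefix, None))
        else:
            gap = int((now - seen[prefix]).total_seconds())
            if gap > max_gap_s:
                out.append((prefix, gap))
    return out


def lines_missing_on_collector(local_lines, collector_lines):
    """Local lines whose (host, message) pair never reached the collector:
    the lines to back-fill once connectivity is restored. Comparison ignores
    the timestamps, which differ in format between the two sides."""
    have = set()
    for line in collector_lines:
        m = COLL_RE.match(line)
        if m:
            have.add((m.group("host"), m.group("rest")))
    missing = []
    for line in local_lines:
        m = LOCAL_RE.match(line)
        if m and (m.group("host"), m.group("rest")) not in have:
            missing.append(line)
    return missing


if __name__ == "__main__":
    for prefix, gap in silent_devices(COLLECTOR_LOG, EXPECTED_PREFIXES, NOW):
        print(f"{prefix}: {'never seen' if gap is None else f'silent for {gap}s'}")
    for line in lines_missing_on_collector(LOCAL_MESSAGES, COLLECTOR_LOG):
        print("missing on collector:", line)
```

The silence threshold should be shorter than the interval at which you can tolerate losing visibility of a firewall; a device that logs nothing for fifteen minutes is either idle, cut off, or has had its logging reconfigured, and all three deserve a look.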

root@srx100# set system syslog file ?
Possible completions:
  <file-name>          Name of file in which to log data
  authorization        Name of file in which to log data
  configuration        Name of file in which to log data
  interactive-commands  Name of file in which to log data
  messages             Name of file in which to log data
  traffic-log          Name of file in which to log data
[edit]
root@srx100# set system syslog file account-actions ?
Possible completions:
  allow-duplicates     Do not suppress the repeated message
  any                  All facilities
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive              Archive file information
  authorization        Authorization system
  change-log           Configuration change log
  conflict-log         Configuration conflict log
  daemon               Various system processes
  dfc                  Dynamic flow capture
  explicit-priority    Include priority and facility in messages
  external             Local external applications
  firewall             Firewall filtering system
  ftp                  FTP process
  interactive-commands  Commands executed by the UI
  kernel               Kernel
  match                Regular expression for lines to be logged
  ntp                  NTP process
  pfe                  Packet Forwarding Engine
  security             Security related
> structured-data      Log system message in structured format
  user                 User processes
[edit]
root@srx100#



View the log files on the device:
[edit]
root@srx100# run show log | no-more
total 1752
-rw-r--r--  1 root  wheel    6069 Apr 29 07:23 __jsrpd_commit_check__
-rw-r-----  1 root  wheel       0 Mar 14 22:33 appidd
-rw-r--r--  1 root  wheel       0 Mar 14 22:31 authd_libstats
-rw-r--r--  1 root  wheel       0 Mar 14 22:31 authd_profilelib
-rw-r--r--  1 root  wheel       0 Mar 14 22:31 authd_sdb.log
-rw-rw----  1 root  wheel   19849 Apr 30 03:09 authorization
-rw-r--r--  1 root  wheel       7 Mar 14 22:33 bin_messages
-rw-r-----  1 root  wheel  166037 Apr 29 08:27 chassisd
-rw-rw----  1 root  wheel    7632 Apr 30 04:18 configuration
-rw-r--r--  1 root  wheel   54720 Apr 29 08:23 cosd
-rw-r-----  1 root  wheel   78651 Apr 29 15:44 dcd
-rw-r--r--  1 root  wheel       0 Mar 14 22:30 dfwc
-rw-r-----  1 root  wheel    1012 Apr 29 08:23 eccd
drwxrwxr-x  2 root  wheel     512 Mar 14 22:29 ext
drwxrwxrwt  3 root  wheel     512 Mar 14 22:29 flowc
-rw-r--r--  1 root  wheel     298 Apr 28 23:11 fwauthd_chk_only
drwxrwxrwt  3 root  wheel     512 Mar 14 22:29 ggsn
-rw-r--r--  1 root  wheel    6520 Apr 29 08:23 gres-tp
-rw-r--r--  1 root  wheel   49202 Apr 30 02:44 httpd.log
-rw-r-----  1 root  wheel       0 Mar 14 22:33 idpd
-rw-r--r--  1 root  wheel      90 Apr 28 23:11 ifstraced
-rw-rw----  1 root  wheel   27216 Apr 30 04:28 interactive-commands
-rw-rw----  1 root  wheel    6860 Apr 29 19:30 interactive-commands.0.gz
-rw-rw----  1 root  wheel    7667 Apr 29 12:00 interactive-commands.1.gz
-rw-rw----  1 root  wheel    7432 Apr 29 09:00 interactive-commands.2.gz
-rw-r-----  1 root  wheel    4798 Apr 29 08:23 inventory
-rw-r--r--  1 root  wheel   30048 Apr 30 03:08 ipfd
-rw-r-----  1 root  wheel   41382 Apr 29 18:05 jsrpd
-rw-r--r--  1 root  wheel     740 Apr 28 23:13 kmd
-rw-r-----  1 root  wheel       0 Mar 14 22:33 license
-rw-r--r--  1 root  wheel    6790 Apr 29 08:24 license_subs_trace.log
-rw-r-----  1 root  wheel      55 Apr 29 08:18 mastership
-rw-rw----  1 root  wheel   45993 Apr 30 03:09 messages
-rw-rw----  1 root  wheel    9807 Apr 20 22:00 messages.0.gz
-rw-r--r--  1 root  wheel   22072 Apr  7 02:54 nsd
-rw-r--r--  1 root  wheel   38331 Apr 29 17:28 nsd_chk_only
-rw-r--r--  1 root  wheel   23147 Apr 29 18:05 nstraced
-rw-r--r--  1 root  wheel     370 Apr 29 07:23 nstraced_chk_only
-rw-r--r--  1 root  wheel     384 Apr 28 23:11 pf
-rw-r--r--  1 root  wheel       0 Mar 14 22:33 pfed
-rw-r--r--  1 root  wheel     288 Apr 28 23:11 pgmd
-rw-r--r--  1 root  wheel     456 Apr 29 15:44 rtlogd
-rw-r--r--  1 root  wheel    4249 Apr 29 08:22 snapshot
-rw-rw----  1 root  wheel  100326 Apr 30 04:28 traffic-log
-rw-rw----  1 root  wheel   18598 Apr 30 03:15 traffic-log.0.gz
-rw-rw----  1 root  wheel   12486 Apr 30 01:00 traffic-log.1.gz
-rw-rw----  1 root  wheel   11452 Apr 30 00:00 traffic-log.2.gz
-rw-r--r--  1 root  wheel    1782 Apr 29 08:24 utmd-av
-rw-rw-r--  1 root  wheel   30004 Apr 29 08:32 wtmp
-rw-rw-r--  1 root  wheel     139 Apr  7 00:24 wtmp.0.gz
[edit]
root@srx100# run show log ?
Possible completions:
  <[Enter]>            Execute this command
  <filename>           Name of log file
  __jsrpd_commit_check__  Size: 6069, Last changed: Apr 29 07:23:11
  appidd               Size: 0, Last changed: Mar 14 22:33:23
  authd_libstats       Size: 0, Last changed: Mar 14 22:31:05
  authd_profilelib     Size: 0, Last changed: Mar 14 22:31:05
  authd_sdb.log        Size: 0, Last changed: Mar 14 22:31:05
  authorization        Size: 19849, Last changed: Apr 30 03:09:22
  bin_messages         Size: 7, Last changed: Mar 14 22:33:06
  chassisd             Size: 166037, Last changed: Apr 29 08:27:41
  configuration        Size: 7632, Last changed: Apr 30 04:18:05
  cosd                 Size: 54720, Last changed: Apr 29 08:23:33
  dcd                  Size: 78651, Last changed: Apr 29 15:44:24
  dfwc                 Size: 0, Last changed: Mar 14 22:30:44
  eccd                 Size: 1012, Last changed: Apr 29 08:23:33
  ext/                 Last changed: Mar 14 22:29:36
  flowc/               Last changed: Mar 14 22:29:37
  fwauthd_chk_only     Size: 298, Last changed: Apr 28 23:11:37
  ggsn/                Last changed: Mar 14 22:29:36
  gres-tp              Size: 6520, Last changed: Apr 29 08:23:33
  httpd.log            Size: 49202, Last changed: Apr 30 02:44:03
  idpd                 Size: 0, Last changed: Mar 14 22:33:48
  ifstraced            Size: 90, Last changed: Apr 28 23:11:32
  interactive-commands  Size: 27312, Last changed: Apr 30 04:28:56
  interactive-commands.0.gz  Size: 6860, Last changed: Apr 29 19:30:00
  interactive-commands.1.gz  Size: 7667, Last changed: Apr 29 12:00:01
  interactive-commands.2.gz  Size: 7432, Last changed: Apr 29 09:00:00
  inventory            Size: 4798, Last changed: Apr 29 08:23:33
  ipfd                 Size: 30048, Last changed: Apr 30 03:08:58
  jsrpd                Size: 41382, Last changed: Apr 29 18:05:19
  kmd                  Size: 740, Last changed: Apr 28 23:13:35
  license              Size: 0, Last changed: Mar 14 22:33:04
  license_subs_trace.log  Size: 6790, Last changed: Apr 29 08:24:04
  mastership           Size: 55, Last changed: Apr 29 08:18:42
  messages             Size: 45993, Last changed: Apr 30 03:09:22
  messages.0.gz        Size: 9807, Last changed: Apr 20 22:00:00
  nsd                  Size: 22072, Last changed: Apr 07 02:54:29
  nsd_chk_only         Size: 38331, Last changed: Apr 29 17:28:22
  nstraced             Size: 23147, Last changed: Apr 29 18:05:19
  nstraced_chk_only    Size: 370, Last changed: Apr 29 07:23:10
  pf                   Size: 384, Last changed: Apr 28 23:11:10
  pfed                 Size: 0, Last changed: Mar 14 22:33:22
  pgmd                 Size: 288, Last changed: Apr 28 23:11:42
  rtlogd               Size: 456, Last changed: Apr 29 15:44:23
  snapshot             Size: 4249, Last changed: Apr 29 08:22:22
  traffic-log          Size: 100619, Last changed: Apr 30 04:28:56
  traffic-log.0.gz     Size: 18598, Last changed: Apr 30 03:15:00
  traffic-log.1.gz     Size: 12486, Last changed: Apr 30 01:00:00
  traffic-log.2.gz     Size: 11452, Last changed: Apr 30 00:00:01
  user                 Show recent user logins
  utmd-av              Size: 1782, Last changed: Apr 29 08:24:04
  wtmp                 Size: 30004, Last changed: Apr 29 08:32:41
  wtmp.0.gz            Size: 139, Last changed: Apr 07 00:24:06
  |                    Pipe through a command
[edit]
root@srx100#

user@host> show log messages
Apr 11 10:27:25 router1 mgd[3606]: UI_DBASE_LOGIN_EVENT: User 'barbara' entering configuration mode
Apr 11 10:32:22 router1 mgd[3606]: UI_DBASE_LOGOUT_EVENT: User 'barbara' exiting configuration mode
Apr 11 11:36:15 router1 mgd[3606]: UI_COMMIT: User 'root' performed commit: no comment
Apr 11 11:46:37 router1 mib2d[2905]: SNMP_TRAP_LINK_DOWN: ifIndex 82, ifAdminStatus up(1), ifOperStatus down(2), ifName at-1/0/0

user@host> file show /var/log/processes
Feb 22 08:58:24 router1 snmpd[359]: SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 22 20:35:07 router1 snmpd[359]: SNMPD_THROTTLE_QUEUE_DRAINED: trap_throttle_timer_handler: cleared all throttled traps
Feb 23 07:34:56 router1 snmpd[359]: SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 23 07:38:19 router1 snmpd[359]: SNMPD_TRAP_COLD_START: trap_generate_cold: SNMP trap: cold start

The same file when `explicit-priority` is configured on it: each message now also carries its facility and numeric severity (for example %DAEMON-3 is facility daemon at severity 3, error; 2 is critical and 6 is info), which makes filtering on the collector far easier:
user@host> file show /var/log/processes
Feb 22 08:58:24 router1 snmpd[359]: %DAEMON-3-SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 22 20:35:07 router1 snmpd[359]: %DAEMON-6-SNMPD_THROTTLE_QUEUE_DRAINED: trap_throttle_timer_handler: cleared all throttled traps
Feb 23 07:34:56 router1 snmpd[359]: %DAEMON-3-SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 23 07:38:19 router1 snmpd[359]: %DAEMON-2-SNMPD_TRAP_COLD_START: trap_generate_cold: SNMP trap: cold start

user@host> show log messages
Apr 25 14:01:12 user Throughput exceed 20Gbps and 7Mpps in 35% of last 15 minutes, above the time threshold 10%!
Apr 25 14:16:12 user Throughput exceed 20Gbps and 7Mpps in 95% of last 15 minutes, above the time threshold 10%!








