Linux : Automatically send logs daily
by Rootadmin on Dec.09, 2009, under Linux, Other
Well, below is my first attempt at a shell script; first, understand that I am no programmer!
Before we look at it: my server is running OpenVPN and Uncomplicated Firewall (I'm running Ubuntu Server).
So how does it work?
First we declare that we are using the bash shell with
#!/bin/bash
Next we set up some variables: the first simply formats the date and stores it as TODAYSDATE;
the second sets today's archive name to archive.TODAYSDATE and stores it as TODAYS_ARCHIVE.
Next we create a directory called archive.TODAYSDATE.
Now to the best bit, we start processing the logs
- We extract today's lines out of syslog
- From the extracted lines we pull the firewall (Uncomplicated Firewall / UFW) entries into a separate file
- Now extract today's messages log
- From today's extracted syslog lines pull all OpenVPN related entries into a separate log file
- Extract today's Apache access.log and error.log
- Record the currently running processes
- Zip it all up into the /archive/ folder
- Go back up one directory level and delete the folder called archive.TODAYSDATE
- Now use mutt to attach the zip file to an email and send it
Now for the script – PLEASE FEEL FREE TO USE
#!/bin/bash
# Script By Liam Somerville, www.rootadmin.co.uk
# Use freely
#####################################################################
# Set up the variables
#####################################################################
# Set today's date
TODAYSDATE=$(date +"%d-%b-%Y")
# Format archive name
TODAYS_ARCHIVE=archive.$TODAYSDATE
# syslog-style files stamp each line as "%b %e" (space-padded day, e.g. "Dec  9");
# Apache error.log uses "%b %d" (zero-padded) and access.log uses "%d/%b"
SYSLOG_STAMP=$(date +"%b %e")
#####################################################################
# Finished setting up variables
#
# Now start processing the log files
#####################################################################
# Make sure the destination for the zip exists, then make a directory called
# archive with today's date and change to that directory
mkdir -p /archive
mkdir -p "$TODAYS_ARCHIVE"
cd "$TODAYS_ARCHIVE" || exit 1
# Write the log files
# Archive today's syslog, extract all firewall related lines to firewall_log, then
# extract today's messages
grep "$SYSLOG_STAMP" /var/log/syslog > "syslog.$TODAYSDATE"
grep UFW "syslog.$TODAYSDATE" > "firewall_log.$TODAYSDATE"
grep "$SYSLOG_STAMP" /var/log/messages > "messages.$TODAYSDATE"
# Process the OpenVPN server logs
grep "ovpn-server" "syslog.$TODAYSDATE" > "vpn_server_log.$TODAYSDATE"
#
# Process Apache logs
grep "$(date +"%b %d")" /var/log/apache2/error.log > "apache_error_log.$TODAYSDATE"
grep "$(date +"%d/%b")" /var/log/apache2/access.log > "apache_access_log.$TODAYSDATE"
#
# Process FTP logs
grep "$SYSLOG_STAMP" /var/log/vsftpd.log > "ftp_log.$TODAYSDATE"
#
# Get a list of currently running processes
ps aux > "Processes.$TODAYSDATE"
# Zip up all the logs and delete today's working directory
zip "/archive/$TODAYS_ARCHIVE.zip" ./*
cd ..
rm -r "$TODAYS_ARCHIVE"
####################################################################
# Now email the zip file (the archive holds sensitive log data and mutt sends
# it unencrypted, so the receiving mailbox needs the same protection as the logs)
###################################################################
echo | mutt -a "/archive/$TODAYS_ARCHIVE.zip" -s "Event logs for $TODAYSDATE" -- you@your.email.address.com
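The extraction step above, as an added example that is not the original script: the per-day grep written as a function so it can be checked offline against a constructed syslog sample, with the space-padded "%b %e" versus zero-padded "%b %d" date stamps kept apart, plus the cron line that makes the job daily (the script path in that line is an assumption).

```shell
#!/bin/bash
# Added example, not the original script: the extraction step written as a function
# that can be checked offline against a constructed log, plus the cron entry that
# makes the job daily. The script path in the cron line is an assumption.
set -eu

# syslog-style files stamp lines "%b %e" (space-padded day: "Dec  9"); Apache's
# error.log uses zero-padded "%b %d" ("Dec 09"). Keep the two patterns separate.
syslog_stamp() { date +"%b %e"; }
apache_stamp() { date +"%b %d"; }

# extract_day <source log> <stamp> <destination>: copy the matching lines (fixed
# string, so a stamp like "Dec  9" is never read as a regex) and print how many.
# grep exits 1 when nothing matched; a quiet day must not abort the run under set -e.
extract_day() {
    grep -F -- "$2" "$1" > "$3" || [ $? -eq 1 ]
    wc -l < "$3" | tr -d ' '
}

# Self-contained check: a constructed five-line syslog, no /var/log needed.
# Prints "<lines for today> <firewall lines for today>".
demo() {
    work=$(mktemp -d)
    cat > "$work/syslog" <<'EOF'
Dec  8 23:59:58 host kernel: [UFW BLOCK] IN=eth0 SRC=203.0.113.5
Dec  9 00:00:01 host ovpn-server[812]: Initialization Sequence Completed
Dec  9 00:01:12 host kernel: [UFW BLOCK] IN=eth0 SRC=198.51.100.7
Dec  9 00:02:00 host kernel: [UFW BLOCK] IN=eth0 SRC=192.0.2.9
Dec  9 00:02:30 host sshd[900]: Accepted publickey for liam
EOF
    n_day=$(extract_day "$work/syslog" "Dec  9" "$work/syslog.today")
    n_fw=$(extract_day "$work/syslog.today" "UFW" "$work/firewall.today")
    rm -rf "$work"
    echo "$n_day $n_fw"
}

# Cron entry (assumed path) to run the archive script just before midnight each day:
# 55 23 * * * /usr/local/bin/daily_logs.sh
demo
```

Running the block prints "4 2": four of the sample lines belong to 9 December and two of those are UFW entries.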
Exploit capable of attacking fully patched linux kernel
by Rootadmin on Jul.18, 2009, under Linux
A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews.
The exploit code was released Friday by Brad Spengler of grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses.
Linux developers “tried to protect against it and what this exploit shows is that even with all the protections turned to super max, it’s still possible for an attacker to figure out ways around this system,” said Bas Alberts, senior security researcher at Immunity. “The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing.”
The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable doesn’t point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS.
The “NULL pointer dereference” bug has been confirmed in versions 2.6.30 and 2.6.30.1 of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that’s used in test environments. The exploit works only when a security extension known as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.
An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component – say, a PHP application. By itself, Spengler’s exploit does not work remotely.
With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn’t regard the bug as a security risk.
“By the time I wrote the exploit, there was a fix floating around, but it didn’t look like it was going to be going into any of the stable releases,” he said. “It was just a trivial ‘oops’ instead of something that could give you arbitrary code execution in the kernel.”
Comments that accompany Spengler’s exploit code go on to detail statements Torvalds and other developers are said to have made in group emails discussing the bug.
“That does not look like a kernel problem to me at all,” Torvalds is quoted as saying in one message. “He’s running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?”
On that front, at least one security researcher agreed with the Linux team.
“Setuid is well-known as a chronic security hole,” Rob Graham, CEO of Errata Security wrote in an email. “Torvalds is right, it’s not a kernel issue, but it is a design ‘flaw’ that is inherited from Unix. There is no easy solution to the problem, though, so it’s going to be with us for many years to come.”
The larger point, Spengler said, is that the Linux developers are putting users at risk by failing to clearly disclose when security vulnerabilities have been discovered.
“Why is it that whenever there is an exploitable vulnerability in Linux, it’s described as a denial of service?” he said. “It kind of makes the vendors think the security is better than it actually is.”
Wherever the fault may lie, the potential damage is very real.
“It’s not going to light the world on fire, but it is a very subtle bug and solid exploit,” said Ed Skoudis, founder and senior security consultant for InGuardians. “The real story here is how subtle it is, and that the compiler itself introduced it during code optimization.”
So far, Torvalds and company have yet to respond to the disclosure. We’ll be sure to update this story if they do. ®
- Dan Goodin in San Francisco, 17th July 2009 22:32 GMT
- http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/
Exploit Code
- http://grsecurity.net/~spender/cheddar_bay.tgz
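The bug class the article describes, as an added illustration that is neither Spengler's exploit nor the kernel's own code: a pointer is read through before it is tested for NULL, so an optimising compiler is entitled to treat the later test as dead code, and the fix is to test first. The struct and field names below are constructed stand-ins, and the poll constants are local enums rather than <poll.h>.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's tun device and socket; names are assumptions. */
struct sock { int readable; };
struct tun_struct { struct sock *sk; };

enum { POLL_IN = 0x01, POLL_ERR = 0x08 };   /* same values as POLLIN/POLLERR on Linux */

/* Buggy ordering: tun is dereferenced on the first line, so the compiler may assume
 * tun != NULL and delete the 'if (!tun)' test as unreachable. Called with NULL this
 * is undefined behaviour; in the kernel it became a fault at address 0. */
unsigned buggy_poll(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;      /* dereference first ... */
    if (!tun)                       /* ... then the check, which the optimiser may drop */
        return POLL_ERR;
    return sk->readable ? POLL_IN : 0;
}

/* Fixed ordering: validate the pointer before anything reads through it.
 * GCC's -fno-delete-null-pointer-checks also stops the optimiser removing such
 * tests, but correct ordering is the real fix. */
unsigned fixed_poll(struct tun_struct *tun)
{
    struct sock *sk;
    if (!tun)
        return POLL_ERR;
    sk = tun->sk;
    return sk->readable ? POLL_IN : 0;
}

/* Helper: run either version against a valid (non-NULL) constructed device. */
unsigned poll_device(unsigned (*poll_fn)(struct tun_struct *), int readable)
{
    struct sock sk = { readable };
    struct tun_struct tun = { &sk };
    return poll_fn(&tun);
}

int main(void)
{
    printf("fixed_poll(NULL)     = 0x%x (POLL_ERR)\n", fixed_poll(NULL));
    printf("fixed_poll(readable) = 0x%x (POLL_IN)\n", poll_device(fixed_poll, 1));
    /* buggy_poll(NULL) is deliberately never called: it is undefined behaviour. */
    return 0;
}
```

Compiling buggy_poll with optimisation enabled and inspecting the generated code shows the null test gone; only the source-level reordering (or the GCC flag) keeps it.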
Learn the Linux shell – Part 1…
by Rootadmin on Jun.15, 2009, under Linux tutorial
Well, I am no master in Linux by any stretch of the imagination; I can get my way around a Linux shell, perhaps slowly, but I get there. As many people have taught me some of their knowledge and helped me along in life, even if they could not really afford the time, I am a big believer in helping people where I can. I start with these rules:
· No one is stupid; they just need some help
· There's no such thing as a stupid question; you won't believe how often the answer to one question clicks multiple other questions and answers into place
· No one is ever too old to learn
Learning is a fantastic thing and so different for each person, if you enjoy learning about learning you should look up a guy called Marc Prensky – “Marc Prensky is an internationally acclaimed speaker, writer, consultant, and designer in the critical areas of education and learning”. In particular his articles about Digital Immigrants and Digital Natives
Anyway….. Back to class.
I will presume in this article you have just installed Linux and have no prior experience of Linux and are sitting in a terminal window.
The Linux shell is a command line utility designed to let the user interact with the operating system; it passes any valid command (either from a user or from a file) to the Linux kernel.
There are different versions of the Linux shell; all have slight differences from each other.
You can easily find out which shell you are running by typing:
echo $SHELL
I use bash as this is the default for Ubuntu.
NOTE: Bash, like most shells, is case sensitive.
We may at a later date need the date and time to be set up correctly, might as well do it now.
Ok, so let's start with the basics: let's ensure your clock is correctly set. From the shell type
date
Ok, so the first rule of Linux: never run as root. You have probably come from a Windows background and can't possibly imagine running all day long without admin rights, but I promise you that in Linux you really don't want to or need to. I'll explain more later.
For now let's find out which user we are currently logged in as. At the shell type
whoami
Ok, so now let's change your password. At the shell type
passwd
Enter your current password, your new password and confirm your new password.
Let’s move on
File structure
The files on a Linux system are stored in what's called a hierarchical directory structure. What's a hierarchical directory structure when it's at home? Simply put, this means that files are organised in a tree-like pattern of directories (or folders) which may contain more directories or files. The very first folder of the Linux file system is called the root directory. This contains multiple other directories (referred to as subdirectories) and files, and those subdirectories in turn contain further subdirectories and files.
Linux does not use the idea of drive letters or splitting the file system up like that into multiple tree structures; instead everything comes off one tree structure.
So, when you log in to your Linux box (box is just another name for a system), the working directory is set to be your home directory. This is where you put your files, a lot like "My Documents" on a Windows box. In most cases your home directory is simply /home/your_user_name, but this may have been changed by a system administrator (if you haven't set up the Linux box). So let's find out.
To view your current working directory you type the command
pwd
pwd is short for "print working directory".
Now let’s see what files and directories we have in our home directory. To do this type
ls
ls simply lists the contents of the working directory.
ls is a very powerful tool as it has lots of extra options available to it. We will look at more of ls in another article.
For now let’s create a new directory for us to play with, let’s call this folder stuff, to create a new directory we use the command
mkdir folder_name
mkdir as in make directory. So lets make our directory by typing
mkdir stuff
Now if we type ls we should see a new directory that wasn't there before. Ok, so let's go into that folder. To navigate to a new directory (by which I mean a different directory from the working directory) we type
cd folder_name
cd simply means change directory, so to get into our “stuff” directory we type
cd stuff
Whilst on the subject of cd I will show you how to move back up the directory tree one folder at a time, so in this example our current shell prompt looks something like
liam@linux: ~/stuff
Now if we type the command cd .. we move back up the directory tree one folder at a time.
I think we have learnt enough for one small lesson, so we will leave it there and return to learn some more Linux shortly.