In this article, I will take you through the steps to check and log malicious RPM installation in 3 easy steps. In Linux, logging is one of the most important functions for streamlining the monitoring of events, because it keeps a set of log files as a record. It is a strong troubleshooting tool and the first thing to look at whenever a piece of functionality fails or an error occurs. Analyzing log files is the first thing a developer or an administrator does whenever there is an issue.
How to Check and Log Malicious RPM Installation in 3 Easy Steps
By default Linux provides a centralized location for storing log files, the directory /var/log and its subdirectories. There are log files for everything in Linux, e.g. system, database, kernel, process management, boot etc. You will find a bunch of logs and directories inside this path, which may vary from machine to machine depending on the configuration.
[root@cyberithub ~]# cd /var/log/
[root@cyberithub log]# ls -lhtr
total 42M
drwxr-xr-x. 2 chrony chrony 4.0K Mar 2 2021 chrony
drwxr-xr-x. 2 root root 4.0K Jun 2 2021 tuned
drwx------. 2 root root 4.0K Sep 10 20:17 private
-rw-rw----. 1 root utmp 0 Sep 10 20:17 btmp
-rw-------. 1 root root 0 Sep 10 20:18 spooler-20210922
-rw-------. 1 root root 0 Sep 10 20:18 maillog-20210922
drwxr-xr-x. 2 root root 4.0K Sep 10 20:21 anaconda
-rw-------. 1 root root 20K Sep 22 13:24 secure-20210922
-rw-r--r--. 1 root root 1.6K Sep 22 14:16 hawkey.log-20210922
-rw-------. 1 root root 6.4K Sep 22 15:01 cron-20210922
-rw-------. 1 root root 22M Sep 22 15:49 messages-20210922
-rw------- 1 root root 65K Sep 22 15:50 boot.log-20210922
drwxr-x---. 2 sssd sssd 4.0K Sep 22 15:50 sssd
-rw------- 1 root root 0 Sep 22 15:50 spooler
-rw------- 1 root root 0 Sep 22 15:50 maillog
drwx------. 2 root root 4.0K Sep 22 22:55 audit
drwx------. 3 root root 4.0K Nov 2 19:01 samba
drwxr-xr-x 2 root root 4.0K Feb 2 20:31 supervisor
-rw-r--r-- 1 root root 1.4K Feb 2 22:31 hawkey.log
-rw-r--r--. 1 root root 66K Feb 22 15:41 dnf.librepo.log
-rw-r--r--. 1 root root 27K Feb 22 15:41 dnf.rpm.log
-rw-r--r--. 1 root root 194K Feb 22 15:41 dnf.log
-rw-------. 1 root root 30K Feb 22 18:23 boot.log
-rw------- 1 root root 5.3K Feb 22 18:23 cron
-rw-r--r--. 1 root root 12K Feb 22 18:23 kdump.log
-rw-r-----. 1 root root 56K Feb 22 18:23 firewalld
-rw-rw-r--. 1 root utmp 37K Feb 22 18:25 wtmp
-rw-rw-r--. 1 root utmp 286K Feb 22 18:25 lastlog
-rw------- 1 root root 5.5K Feb 22 18:25 secure
-rw------- 1 root root 20M Feb 22 18:25 messages
In Linux, there are system log files and application log files. In this tutorial we will focus on application log files. We will develop a simple application and generate its log files. They can be generated in the default folder, i.e. /var/log, or we can generate customized log files in a different folder. We will generate customized log files in our tutorial.
We will develop a tool which scans the packages installed on our machine and reports, in the log file, any unwanted package that has been installed (by mistake or by malware). Such tools are very useful for protecting our system and applications, because an unexpected package is often the first visible trace of a compromise. We will require the 3 files below to serve our purpose. You can of course modify the files based on the level of security you want to apply to safeguard your applications and system.
Step 1: Create whitelist.csv
This file will be used to store the list of installed rpm packages. If any other package is found installed on the system which is not part of the whitelist, it will be considered a vulnerability and an error will be reported. This file will be passed as the input file to the app.sh script.
Execute "rpm -qa" and store the output in the whitelist.csv file as shown below. It will be a long file, as it stores all the OS packages as well as the application packages.
[root@cyberithub ~]# rpm -qa > whitelist.csv
libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
gettext-0.19.8.1-17.el8.x86_64
geolite2-city-20180605-1.el8.noarch
firewalld-filesystem-0.8.2-7.el8_4.noarch
fontpackages-filesystem-1.44-22.el8.noarch
systemd-239-45.el8_4.3.x86_64
trousers-0.3.15-1.el8.x86_64
tigervnc-license-1.11.0-6.el8.noarch
libldb-2.2.0-2.el8.x86_64
ncurses-base-6.1-7.20180224.el8.noarch
polkit-0.115-11.el8_4.1.x86_64
iproute-5.9.0-4.el8.x86_64
dnf-data-4.4.2-11.el8.noarch
kernel-modules-4.18.0-305.17.1.el8_4.x86_64
----------------------------------------------------------
Step 2: Create log.sh Script
Next we need to create a logging script called log.sh under the /root directory. In this script, we create a function called log() which we are going to use in our application script app.sh in the next step. The script checks the option passed to the log function and prefixes the message with its type, ERROR, WARNING or INFO, before appending it to the log file. We will see a few use cases in the section below to understand this further.
[root@cyberithub ~]# vi log.sh
#!/bin/bash
# log [-e|-w|-i] [-p] message...
# Appends "timestamp, TYPE: message" to $logFile; -p additionally prints the message to stdout.
# $logFile must be set by the caller before log is invoked.
function log(){
    local msgType=""        # local, so a previous call's type does not leak into this one
    if [[ $1 == "-e" ]]; then
        shift
        msgType="ERROR: "
    fi
    if [[ $1 == "-w" ]]; then
        shift
        msgType="WARNING: "
    fi
    if [[ $1 == "-i" ]]; then
        shift
        msgType="INFO: "
    fi
    if [[ $1 == "-p" ]]; then
        shift               # drop -p so it is not written as part of the message
        echo "$*"
    fi
    echo -n "$(date +"%Y-%m-%dT%H:%M:%S.%6N%:z"), $msgType" >> "$logFile"
    echo "$*" >> "$logFile"
}
Description:-
-e -> To capture error messages
-i -> To capture info messages
-w -> To capture warning messages
-p -> To print the message to the terminal as well as the log file
shift -> To move the command line arguments one position to the left, dropping the option that has just been handled
$* -> To capture all the command line arguments passed to the function
Step 3: Create app.sh Script
The function of this script is to parse the whitelist.csv file and compare it with the packages currently installed. If any extra installed package is encountered on the machine, it will log the package entry as an error in the log file. Next we write the logic for our application and define the log path where log files will be generated. You can enable debug mode by uncommenting the set -x statement.
We are generating the log files in the folder /var/log/cyberithub/. This path can be changed depending on where we want to store our logs. The script uses a temporary file /tmp/temp_file while it runs; the script creates it from the rpm -qa output and removes it again when the check is done.
[root@cyberithub ~]# vi app.sh
#!/bin/bash
#set -x
#include log.sh
. /root/log.sh
# The log function writes to $logFile, so the log location must be set
# before the first call to log.
mkdir -p /var/log/cyberithub/
logFile=/var/log/cyberithub/application.log
CSV_FILE=$1
TEMPFILE=/tmp/temp_file
function package_check(){
    rpm -qa > $TEMPFILE
    while read line
    do
        # First field of the CSV line is the package name (the whole line when there is no ';')
        PACKAGE_NAME=$(/bin/echo "$line" | cut -d';' -f 1)
        # -x -F: match the whole line literally, so '.' and '+' in package names
        # are not treated as regex metacharacters and a blank line does not match everything
        grep -vxF "$PACKAGE_NAME" $TEMPFILE > $TEMPFILE.o
        cp $TEMPFILE.o $TEMPFILE
    done < $CSV_FILE
    # Whatever is left in TEMPFILE is installed but not whitelisted
    if [ -s $TEMPFILE ]
    then
        for i in $(cat $TEMPFILE)
        do
            log -e "New Installed Package Found $i..."
        done
    fi
    rm -f $TEMPFILE.o $TEMPFILE
    log -w "Info message implementation"
    log -w "Warning message implementation"
}
##MAIN
# Check CSV File
if [ ! -f "${CSV_FILE}" ]; then
    log -e "Input file not found"
    exit 1
fi
#Check file type ([[ ]] so that *.csv is a pattern match, not a shell glob)
if [[ "${CSV_FILE}" != *.csv ]]; then
    log -e "Input file should be a .csv file"
    exit 1
fi
package_check
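As an added example (not the article's own scripts), the same whitelist check written with exact whole-line matching via comm(1) and a log function that takes an explicit level; it reads both package lists from constructed sample files so it runs offline (on a real host the installed list comes from rpm -qa), and it also warns about whitelisted packages that have disappeared, which the article's version does not. The log path and the sample package lists are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: whitelist check with exact
# whole-line matching via comm(1), plus a log function with explicit levels.
# Package lists are read from files so it runs offline; on a real host the
# "installed" file would be produced by:  rpm -qa > installed.txt
export LC_ALL=C                               # stable sort/comm collation
SAMPLE_DIR=$(mktemp -d)                       # constructed sample data lives here
LOG_FILE="$SAMPLE_DIR/application.log"        # assumption: log path

# Constructed whitelist: the baseline recorded before the extra installs.
cat > "$SAMPLE_DIR/whitelist.csv" <<'EOF'
systemd-239-45.el8_4.3.x86_64
polkit-0.115-11.el8_4.1.x86_64
iproute-5.9.0-4.el8.x86_64
EOF
# Constructed current state: polkit removed, three packages added.
cat > "$SAMPLE_DIR/installed.txt" <<'EOF'
iproute-5.9.0-4.el8.x86_64
telnet-0.17-76.el8.x86_64
tcpdump-4.9.3-2.el8.x86_64
systemd-239-45.el8_4.3.x86_64
net-tools-2.0-0.52.20160912git.el8.x86_64
EOF

# log LEVEL MESSAGE... -> appends "timestamp, LEVEL: message" to $LOG_FILE
log() {
    level=$1; shift
    printf '%s, %s: %s\n' "$(date +%Y-%m-%dT%H:%M:%S%z)" "$level" "$*" >> "$LOG_FILE"
}

# package_check WHITELIST INSTALLED
# Prints packages installed but not whitelisted (sorted), logs each as ERROR,
# logs whitelisted-but-missing packages as WARNING, returns 1 if extras exist.
package_check() {
    work=$(mktemp -d) || return 2
    sort -u "$1" > "$work/allow"
    sort -u "$2" > "$work/have"
    comm -13 "$work/allow" "$work/have" > "$work/extra"    # only in installed
    comm -23 "$work/allow" "$work/have" > "$work/missing"  # only in whitelist
    while IFS= read -r pkg; do log ERROR "New Installed Package Found $pkg"; done < "$work/extra"
    while IFS= read -r pkg; do log WARNING "Whitelisted package missing $pkg"; done < "$work/missing"
    cat "$work/extra"
    n=$(wc -l < "$work/extra" | tr -d ' ')
    rm -rf "$work"
    [ "$n" -eq 0 ]
}

# count_log LEVEL -> number of log lines written at that level
count_log() { grep -c ", $1: " "$LOG_FILE"; }
```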
We need to change the file permission before executing the script.
[root@cyberithub ~]# chmod 755 *
Now install a few extra rpm packages on the machine, which are not in the whitelist.
[root@cyberithub ~]# yum install net-tools -y
[root@cyberithub ~]# yum install tcpdump -y
[root@cyberithub ~]# yum install telnet -y
Use case 1: When whitelist.csv is not passed as input
[root@cyberithub ~]# ./app.sh
[root@cyberithub ~]# cd /var/log/cyberithub/
[root@cyberithub cyberithub]# cat application.log
2022-02-22T19:10:12.151834+05:30, ERROR: Input file not found
Use case 2: When wrong file format is passed as input
[root@cyberithub ~]# ./app.sh whitelist
[root@cyberithub ~]# cd /var/log/cyberithub/
[root@cyberithub cyberithub]# cat application.log
2022-02-22T19:10:12.151834+05:30, ERROR: Input file not found
2022-02-22T19:14:23.926123+05:30, ERROR: Input file should be a .csv file
Use case 3: When correct input file is passed
[root@cyberithub ~]# ./app.sh whitelist.csv
[root@cyberithub ~]# cd /var/log/cyberithub/
[root@cyberithub cyberithub]# cat application.log
2022-02-22T19:10:12.151834+05:30, ERROR: Input file not found
2022-02-22T19:14:23.926123+05:30, ERROR: Input file should be a .csv file
2022-02-22T19:48:20.905768+05:30, ERROR: New Installed Package Found telnet-0.17-76.el8.x86_64...
2022-02-22T19:48:20.906775+05:30, ERROR: New Installed Package Found tcpdump-4.9.3-2.el8.x86_64...
2022-02-22T19:48:20.907791+05:30, ERROR: New Installed Package Found net-tools-2.0-0.52.20160912git.el8.x86_64...
2022-02-22T19:48:20.909619+05:30, WARNING: Info message implementation
2022-02-22T19:48:20.910591+05:30, WARNING: Warning message implementation