Honeypot Logging

The following is mental debris about preparation of a honeypot with respect to logging. Although all the core data gathering should be done on a bridge between the honeypot and the internet, having shell logging and HIDS/file integrity on a honeypot can provide beneficial data.

An interesting area on the honeypot is the system logging and command history. Although it should be possible to piece together the attackers session from the packet traces on the intermediary bridge, a local copy of the command history can be important as some attackers will use encrypted communication if you allow them.

One of the first things an attacker will likely do after compromise is stop logging. They will wipe the logs, trojan syslogd, and unset the $HISTFILE or symbolically link /dev/null to the $HISTFILE. I could counter by recompiling syslogd to read a different configuration file but an advanced attacker could run strings on the binary to see what configuration file is read. There's a bash patch which will record shell history and forward keystrokes to syslogd. Another option would be a modified version of TTY Watcher which is a kernel module that captures keystrokes and sends them over a TCP connect ion. However, one of the simplest solutions I found is to recompile bash with $FOO in place of $HISTFILE. When the attacker (if, even) unsets $HISTFILE or modifies the .bash_history they are really a dummy file placed there to fool said attacker. $FOO will point to the correct history location and keep on logging. Also, make sure to not give the attacker other shells to use if you want to trojan bash. To recompile bash to log to a different location alter the following code in variables.c:

#*** OLD *** #if (remember_on_history) # { # name = bash_tilde_expand (posixly_correct ? "~/.sh_history" : "~/.bash_history"); # set_if_not ("HISTFILE", name); # free (name); #*** NEW *** if (remember_on_history) { name = "/path/to/hidden/.somedir/.somefile" set_if_not ("HISTFILE", name); #HISTFILE should be something else by now, like FOO name = 0;

What we did here is take out the function that expands the "~" to /home/$user and instead of freeing the variable set it to 0 (since it will no longer be a pointer). Unless of course you still keep it in the user's directory.

For HIDS (Host IDS), I like AIDE (Advanced Intrusion Detection Environment). It is essentially Tripwire only better and is GPL. It will verify the integrity of files by saving a database of file attributes to a disc. After compromise it is then able to compare the database file attributes from the disc with the current files on disk which will show which files have been altered.

/ R database=file:/tmp/aide/bin/aide.db database_out=file:/tmp/aide/bin/aide.db.new ./aide --config=./aide.conf --init Move the db files to the cdr temporary and after build an iso image: mv aide.db.new /mnt/cdr-temp/aide/bin/aide.db After a config on the cdr/aide config could look like this : / R database=file:/mnt/cdrom/aide/bin/aide.db database_out=file:/mnt/cdrom/aide/bin/aide.db.new Mount the cdrom to check the db: cd /mnt/cdrom/aide/bin ./aide --config=./aide.conf --check