Exercise 4: Swatch
Reconnaissance is important for a successful attack, but it can also give the attacker away. Knowing when and where you are being probed can help determine if your network is being attacked. Every intrusion detection system (IDS) logs the anomalies it detects. Reviewing these logs can be an overwhelming task. To assist with this process many tools have been developed.
One popular tool for monitoring Unix syslogs is Swatch. Swatch monitors syslogs looking for new entries that match specific criteria and provides a variety of alert mechanisms.
This exercise demonstrates how to install and configure Swatch. After Swatch is installed, an alert is triggered and notification is sent.
Intel-based PC running Red Hat Linux 7.2
Swatch, available at ftp://ftp.stanford.edu/general/security-tools/Swatch/
The following are the steps that you will perform for this exercise:
Download and install Swatch.
Test Swatch by triggering an event that requires notification to be provided.
Challenge Procedure Step-by-Step
The following are the detailed steps you will perform to install and run Swatch:
Download Swatch 3.0.2.tar.gz from ftp://ftp.stanford.edu/general/security-tools/Swatch/. Then, install Swatch.
Save the file to an appropriate directory on your system. Well-managed servers have a directory to hold files for additional packages installed on the server. Check with your system administrator for this directory. Otherwise, save it to your home directory.
At a command prompt change to the root directory where you stored the Swatch distribution files.
Create the Swatch source directory by running the tar command.
Change the directory to the Swatch source directory by using the cd command.
Create the MakeFile.
If MakeFile has no suffixes, repeat the previous steps until it does.
Make the Swatch executables:
Test the executables that were created:
If the test is successful, install the Swatch executables:
Change to the home directory:
Next, configure Swatch. Use a sample configuration file. The configuration file for Swatch contains patterns to look for and actions to take when a match is found. The default location and name for this file is $HOME/.swatchrc. A full description of the configuration options is outside the scope of this exercise, thus, in this exercise, you will copy a sample configuration to your home directory.
Review the configuration file. For the purposes of this exercise, check at least one entry in the configuration file. At a command prompt enter the following:
Now, you'll add an event to watch for. In this case we want to be notified if someone changes to a specific account. Use your favorite editor to add the following entry to .swatchrc. Change jmm to a valid user on your system.
Start Swatch as a background process.
Trigger an event that will cause Swatch to issue a notification. Do this to the jmm account by typing su jmm.
Check root's mail for the notification from Swatch by typing mail at the command prompt.
Determine the process ID for Swatch and kill the process. This is done using the ps command.
Depending on the configuration of your Perl environment, the make command may provide additional prompts to create Perl modules required by Swatch. If so prompted, answer affirmatively.
When MakeFile.PL completes execution, perform the following command to verify that it created the MakeFile required in the next step:
The keyword watchfor instructs Swatch to look for a pattern match and take an action if one is found. The INVALID|REPEATED|INCOMPLETE/ parameter determines which patterns to look for. The pipe (|) symbol means or. Thus, the statement translates as "look for any of the three words provided." The echo inverse is the first action to be taken if a match is found. In this case, Swatch will echo the log entry in reverse video. Finally, the bell 3 command causes the workstation to beep.
Challenge Question: What is the purpose of the ignore keyword?
Challenge Question: Why must Swatch be run by root?
Challenge Question: Review the entry that was added to .swatchrc. How will you know when the mail has been sent by Swatch?
Challenge Question: How long did it take for Swatch to generate a notification, and what is the significance of this time lag?
Challenge Question: Why should you use the kill command instead of killall?
Hansen, Stephen E. and Atkins, E. Hansen. "Centralized System Monitoring with Swatch," http://www.oit.ucsb.edu/~eta/swatch/lisa93.html.
Swatch is a widely used log-monitoring tool for Unix systems. It provides a simple method for notification when selected events occur on the system. While useful for security purposes, it is also valuable for other system administration purposes. With Swatch, you are able to specify the log messages to watch for, thus, any message that is logged can trigger a notification.
Swatch also provides for a variety of notification methods, such as mail, pagers, pop-up windows, or any other means available to a custom command.
Because the operating environment constantly changes, Swatch does not eliminate the need to periodically review log files. New problems may show up in the log files, which Swatch may not have been configured to monitor. However, Swatch does reduce the need for continual attention to log files while providing a more timely awareness of issues as they arise.