Novell SUSE Linux Enterprise Server Sentinel Collector

We did this in JAN/FEB 2010.

We installed the logmanager product with current patches, AFAIK.

What I wanted to Accomplish#

So this was the issue I wanted to solve: 
   
Unsupported Event
(O : Generic Event Collector )
1/31/10 6:03 PM
Unknown Initiator within Unknown Domain
from Unknown IP Unknown Target
within Unknown Domain   on Unknown IP
Unknown Observer

Message: pure-ftpd: (?@83.224.68.30) [DEBUG] Command [user] [sara]
Event ID: AD7F5B96-F0C4-102C-A392-00163E7990C0
Retention Period:min 5/1/10 (Default Data Retention)
Hide extended information
   
192.168.1.15 aka Unknown_Reporter
My thoughts on seeing this:

A couple of things about the event as reported. All the talk about an unknown IP and unknown reporter is baffling. The product does not know which IP sent the message? (Even though it is in the message?)

Needless to say, this is a pretty serious event as someone is attempting to hack into the FTP server. The event show up clearly in my "Smoothwall" firewall which also has snort installed and reports not only the IP and the port the "attack" is on.

So form my research, I determiend that I need to implement the Novell SUSE Linux Enterprise Server Collector and it so far, has been more of a struggle than implementing the rest of the package.

I would guess on the collector alone, I have consumed three to four hours and feel like I am more confused than when I started.

Here are my notes on my travels#

Using logmanager and trying to implement the Novell SUSE Linux Enterprise Server Collector.

On this link: http://support.novell.com/products/sentinel/secure/sentinel61.html

First, how would one find this link? I do not see it described on the downloads pages.

Some of the pretty little icons show shown the right side are not explained.

The PDF would appear to be explained. and points to:

http://support.novell.com/products/sentinel/doc/collectors/Novell_SUSE-Linux-Enterprise-Server_6.1r1.pdf

Follow the Collector Pack link to download the associated Pack. However, that provides the

http://support.novell.com/products/sentinel/zip/collectors/Novell_SUSE-Linux-Enterprise-Server_6.1r1.spz.zip

What about the other two icons? One is:

http://support.novell.com/products/sentinel/zip/collectors/Novell_SUSE-Linux-Enterprise-Server_6.1r1.clz.zip

And the other is:

http://support.novell.com/products/sentinel/zip/collectors/Novell_SUSE-Linux-Enterprise-Server_6.1r1.md5

Neither icon is described or explained.

Novell_SUSE-Linux-Enterprise-Server_6.1r1.clz.zip#

The Novell_SUSE-Linux-Enterprise-Server_6.1r1.clz.zip files contains a plugin.pdf file "SENTINEL COLLECTOR QUICK START". In the document it contains "Full Novell SUSE Linux Enterprise Server Collector documentation:

http://support.novell.com/products/sentinel/doc/collectors/Novell_SUSE-Linux-Enterprise-Server_6.1r1.pdf"

How would one supposed to be able to find this file? I just happened to stumble upon it from poking into the ZIP files to try to figure out what is going on.

Where is all the Documentation?#

So now we have three PDF files that all come from three different places and NONE of them are from the "normal" http://www.novell.com/documentation/.

ausearch and socat #

The pdf Novell_SUSE-Linux-Enterprise-Server_6.1r1.pdf file States: 
"In essence, the solution simply reads the local system's audit log and forwards it over TCP. This is accomplished using
SUSE's ausearch tool to pre-process the data, and the socat open-source utility to perform the TCP forwarding."

lafsetup script#

The pdf Novell_SUSE-Linux-Enterprise-Server_6.1r1.pdf file States:
"NOTE: The lafsetup script is attached to the Collector Pack associated with this Collector."
Where would one find and how would one utilize the ausearch and the socat utility for Sentinel? What would we need to know?

Where is the lafsetup script?#


It is not in
the "Novell_SUSE-Linux-Enterprise-Server_6.1r1.clz.zip" file or the Novell_SUSE-Linux-Enterprise-Server_6.1r1.spz.zip
I could not find it on the SLES or the "logmanager" server.

'wtmpsetup' script#

The Novell_SUSE-Linux-Enterprise-Server_6.1r1.pdf document also refers to: 
Note: Most Unix-based systems don't properly log normal successful authentication to syslog. Novell highly
recommends installing the 'wtmpsetup' script to address this deficiency and ensure compliance with certain regulations.
This simple script will monitor the 'wtmp' and 'btmp' files for logins and generate syslog messages to record activity. The
associated Collector Pack includes the 'wtmpsetup' script as well as additional setup instructions.

Does not provide any location for the script or describe how the script is to be run. The associated Collector Pack includes a script called wtmpsetup that will install a small service to monitor that file and report successful logins to Sentinel.

After searching for the script, and executing the script, the script reports: 

find / -name wtmpsetup
/opt/novell/sentinel_log_mgr_1.0_x86-64/setup/wtmpsetup
Running 
/opt/novell/sentinel_log_mgr_1.0_x86-64/setup/wtmpsetup
        Usage: /opt/novell/sentinel_log_mgr_1.0_x86-64/setup/wtmpsetup <path> <timetocheck>
           eg: /opt/novell/sentinel_log_mgr_1.0_x86-64/setup/wtmpsetup /var/adm/esec 5

        <path> Working directory; where baseline snapshots are kept
          MUST BE chmod 0700 and MUST BE owned by root.
        <timetocheck> how often to check for changes; default 5s

        Script must be executed as root
What and where is the "Working directory; where baseline snapshots are kept" ? How would someone know where baseline snapshots are kept?

More Information#

There might be more information for this subject on one of the following:
Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!