WEBVTT

00:00.740 --> 00:06.770
For any Linux user, it's crucial to be knowledgeable in the use of the log files here.

00:07.190 --> 00:12.740
So log files store information about events that occurred when the operating system and applications

00:12.800 --> 00:18.700
are run, including any errors and security errors, of course.

00:18.710 --> 00:26.930
So your system will log information automatically based on a series of rules that I will show

00:27.140 --> 00:30.470
you how to configure in this lecture.

00:30.860 --> 00:38.510
So I think this lecture, no, this section of our Udemy course will be two lectures, actually.

00:38.930 --> 00:46.100
So as a hacker, the log files can be a trail to your target's activities and identity.

00:46.850 --> 00:53.090
So but it can also be a trail to your own activities on someone else's system.

00:53.450 --> 00:59.860
So a hacker therefore needs to know what information they can gather, as well as what can be gathered

00:59.870 --> 01:05.060
about their own actions and the methods in order to hide that evidence here.

01:05.780 --> 01:12.170
So on the other side, anyone securing Linux systems needs to know how to manage

01:12.170 --> 01:18.590
the logging functions to determine whether a system has been attacked and then decipher what actually

01:18.590 --> 01:21.980
happened and who did it, as well.

01:22.020 --> 01:29.900
This, therefore, shows you how to examine and configure log files, as well as how to remove evidence

01:29.900 --> 01:34.160
of your activity and even disable logging altogether.

01:34.190 --> 01:38.930
So first, we will look at the daemon that, uh, does, uh, does the logging.

01:40.410 --> 01:50.890
So there is the syslog logging daemon, so Linux uses a daemon called

01:51.060 --> 01:52.860
syslog, there, here.

01:53.430 --> 02:01.980
So to automatically log events on your computer. Several variations of syslog exist, since,

02:01.980 --> 02:07.860
here, including rsyslog here and rsyslog,

02:10.020 --> 02:18.270
actually syslog-ng here, we have, actually, so they are used on different distributions of Linux,

02:18.630 --> 02:21.900
so although they operate very similarly,

02:21.950 --> 02:24.120
And some minor differences exist, of course.

02:24.540 --> 02:32.760
So since Kali Linux is built on Debian and Debian comes with rsyslog here.

02:33.030 --> 02:37.410
By default, we focus on that utility in this lecture here.

02:37.800 --> 02:43.830
So if you want to use other distributions, it's worth, uh, doing a little research on their logging

02:43.830 --> 02:44.370
systems.

02:44.760 --> 02:51.720
So let's take a look at our, uh, our rsyslog on our system here.

02:51.990 --> 02:56.160
We will search for all files related to rsyslog

02:56.160 --> 02:59.460
here. First, open a terminal in Kali and enter here

02:59.790 --> 03:03.360
locate rsyslog, here.

03:05.640 --> 03:11.450
So as you can see, numerous files can contain the keyword rsyslog

03:11.460 --> 03:12.150
here.

03:13.330 --> 03:17.170
So, uh, some of which are more useful than others.

03:18.450 --> 03:22.900
Uh, the one we want to examine is the configuration file,

03:23.250 --> 03:28.590
rsyslog.conf, so the rsyslog configuration file.

03:28.590 --> 03:35.850
Like nearly every application in Linux, rsyslog is managed and configured by a plaintext configuration

03:35.850 --> 03:39.750
file located, as is generally the case on Linux,

03:40.020 --> 03:46.350
in the /etc directory here, in the case of, uh, rsyslog here.

03:46.350 --> 03:49.620
The configuration file is located at /etc/rsyslog.conf,

03:49.620 --> 03:54.840
uh, and open that file with any text editor here.

03:54.840 --> 04:00.630
For example, mousepad, um, mousepad /etc/

04:01.440 --> 04:05.850
uh, rsyslog.conf here, that conf file.

04:07.380 --> 04:13.620
And as you can see here, we opened this file, so it's read-only, as you can see here, if we want to

04:13.620 --> 04:20.640
change it, you should use, uh, the sudo command for root rights here.

04:22.230 --> 04:22.620
So.

04:24.280 --> 04:27.100
You shall see a text file like that.

04:27.680 --> 04:36.420
Uh, so as you can see there, you see here, the rsyslog, uh, configuration file comes

04:36.430 --> 04:41.500
well documented with, uh, numerous comments explaining its use.

04:41.950 --> 04:48.430
So much of this information will not be useful to you at this moment, but if you navigate down, I believe,

04:48.760 --> 04:52.210
uh, to line here, uh, 51.

04:54.220 --> 04:59.740
Or 49 here, you will find the rules here.

05:00.780 --> 05:09.900
As you can see here, uh, so this is where you can set the rules for what your system will automatically

05:09.900 --> 05:10.530
log for you.

05:10.650 --> 05:21.480
So, um, rsyslog, uh, logging rules here, the rsyslog, uh, logging rules determine

05:21.480 --> 05:23.280
what kind of information is logged.

05:23.820 --> 05:29.980
So you know what programs have their messages logged and where that log is stored. As a hacker,

05:30.000 --> 05:34.230
this allows you to find out what is being logged and where

05:34.230 --> 05:38.310
those logs are written, so you can delete or obscure them.

05:38.790 --> 05:41.400
Scroll to line

05:43.920 --> 05:49.680
56 here, and you should see something like this here.

05:51.390 --> 05:56.100
So each line is a separate logging rule here.

05:56.460 --> 06:03.780
Uh, that says what messages are logged and where, uh, they are logged here.

06:04.110 --> 06:10.770
The basic format for these rules is, for example, um, facility.priority here.

06:11.340 --> 06:14.430
And the action here, like that.

06:15.750 --> 06:23.310
So the facility keyword references the program, such as mail here, as you can see here,

06:23.310 --> 06:29.010
mail, like kernel or lpr, like this here.

06:29.850 --> 06:31.710
kernel, lpr here.

06:32.560 --> 06:33.270
Uh, so.

06:35.280 --> 06:39.760
And the priority keyword determines what kind of messages to log for that program.

06:40.240 --> 06:42.610
So the action keyword here.

06:43.520 --> 06:47.240
As you can see here, action and priority, um.

06:49.400 --> 06:56.480
Uh, on the far right here, as you can see here, the action keyword here, uh, references the location

06:56.520 --> 06:59.950
where, uh, the log will be sent here.

06:59.960 --> 07:04.640
As you can see, that is where our logs will be sent.

07:07.080 --> 07:11.190
Let's look at each section more closely, beginning there, of course.

07:11.490 --> 07:18.000
So beginning with the, um, facility keyword here, as you can see, there are specific keywords here

07:18.720 --> 07:25.110
which refer to whatever software is generating the log, whether that's the kernel, the mail system

07:25.110 --> 07:26.400
or the user here.

07:27.380 --> 07:33.350
So the following here, as you can see here, is, for example,

07:34.840 --> 07:43.000
uh, auth here is, uh, security authorization messages, for example, cron here is clock daemons

07:43.660 --> 07:44.860
and kern.

07:44.860 --> 07:46.360
Here is kernel messages.

07:46.780 --> 07:47.590
Uh, daemon.

07:47.590 --> 07:50.700
Here is other daemons, which stores, as you can see,

07:50.710 --> 07:56.620
what, uh, the daemons log here, and lpr means, um, printing system here.

07:57.100 --> 08:03.910
Uh, mail is, as you know, mail, uh, the mail system here, and user is the generic user

08:03.910 --> 08:05.290
level, uh, here.

08:06.160 --> 08:06.490
So.

08:08.140 --> 08:12.220
You can select more than one facility by listing them separated by commas here.

08:12.580 --> 08:16.540
So the priority tells the system what kinds of messages to log.

08:17.990 --> 08:18.470
So.

08:24.410 --> 08:31.070
For example, codes are listed from lowest priority, starting at debug, to highest priority, ending

08:31.250 --> 08:32.080
at panic here.

08:32.660 --> 08:42.410
So if the priority here is, uh, like that, messages of all priorities are logged.

08:44.110 --> 08:51.280
So when you specify a priority, messages of that priority and higher are logged, for instance, if

08:51.280 --> 08:58.090
you specify the priority code alert, the system will log messages classified as alert and higher priority.

08:58.090 --> 09:05.290
But it won't log messages marked as crit or any, uh, any priority lower than alert here.

09:05.530 --> 09:10.720
So first thing, I want to show you the priorities here and priority names here.

09:11.260 --> 09:12.330
So, um.

09:13.910 --> 09:17.870
And here are 12 priorities, I think so.

09:18.200 --> 09:19.370
The first is debug.

09:20.000 --> 09:20.960
Yes, there is a.

09:22.360 --> 09:23.320
Um, actually.

09:23.650 --> 09:24.180
Nine.

09:24.430 --> 09:25.720
Yes, debug here.

09:25.960 --> 09:29.140
Uh, info, notice here.

09:29.170 --> 09:33.580
Uh, warning, warn, and err.

09:34.030 --> 09:38.680
crit, alert, emerg, panic here.

09:39.610 --> 09:41.860
So the codes, warning,

09:44.240 --> 09:44.720
warn.

09:44.840 --> 09:48.740
So these are the, uh, priorities here, for example.

09:49.280 --> 09:51.910
Debug is the lowest priority.

09:51.920 --> 10:00.140
Priority info, uh, would be, info's priority is bigger than debug, and notice priority is

10:00.380 --> 10:01.160
bigger than info.

10:01.500 --> 10:04.910
Warning priority is bigger than notice, like that, and the most prioritized,

10:04.940 --> 10:07.820
um, this message we're looking at, is panic.

10:08.630 --> 10:09.020
So.

10:11.990 --> 10:17.510
For example, there is the warning, warn here, where, some warn.

10:18.620 --> 10:18.890
Oops!

10:20.430 --> 10:23.200
Warning, uh, warn.

10:24.140 --> 10:24.620
Uh.

10:26.690 --> 10:29.360
Actually not warning, you know, warn.

10:31.380 --> 10:31.750
Raw.

10:34.180 --> 10:38.170
Error and emerg here, um.

10:38.740 --> 10:45.790
And panic here have all been deprecated and shall not be used. So if you want to use it, the action

10:45.790 --> 10:49.660
is usually a file name and the location where the logs should be sent.

10:50.630 --> 10:51.080
So.

10:53.810 --> 10:56.280
Don't save, so we don't want to save.

10:56.540 --> 10:57.590
It's just a note here.

10:58.010 --> 11:04.240
So note that, in general, log files are sent to the /var/log directory.

11:05.300 --> 11:06.620
So, um.

11:09.930 --> 11:15.450
With a file name, of course, that describes the facility that generated them, such as auth here,

11:16.020 --> 11:16.590
like that?

11:16.740 --> 11:17.640
Yeah, auth.

11:19.370 --> 11:22.370
Or kern, mail, like that.

11:23.360 --> 11:24.260
As you can see here.

11:26.640 --> 11:34.440
Uh, this means, for example, that logs generated by the auth facility will be sent to /var/log/auth

11:34.710 --> 11:35.580
.log here.

11:36.570 --> 11:44.040
So, uh, we can, uh, see where our mail logs go, uh, /var/log/mail.log here.

11:44.760 --> 11:47.070
Uh, so like that, for example.

11:48.460 --> 11:51.760
Actually, let's look at auth here, so.

11:53.430 --> 12:02.070
Yeah, we can clean up logs automatically with logrotate here, so log files take

12:02.580 --> 12:10.080
up space, so if you don't delete them... so actually, I, um, forgot to mention, so you can change

12:10.080 --> 12:12.510
this log's destination here.

12:12.510 --> 12:17.880
For example, if you want to save your mail log, uh, to your home directory,

12:17.880 --> 12:21.660
you can change it here, but I will not change any of it.

12:22.230 --> 12:22.590
So.

12:24.010 --> 12:30.280
Now you can also automatically clean up logs with logrotate.

12:31.320 --> 12:38.310
The logrotate command. So log files take up space, so if you don't delete them periodically,

12:38.580 --> 12:40.950
they will eventually fill your entire hard drive.

12:41.520 --> 12:46.710
On the other hand, if you delete your log files too frequently, you won't have logs to investigate at

12:46.710 --> 12:51.900
some future point in time, so you can use logrotate.

12:53.970 --> 13:00.780
Logrotate, to determine the balance between these opposing requirements,

13:00.780 --> 13:08.880
by rotating your logs, so log rotation is the process of regularly archiving log files by moving them

13:08.910 --> 13:10.890
to some other location.

13:11.310 --> 13:16.250
So leaving you with a fresh log file. That archive

13:16.350 --> 13:23.790
location will get cleaned up after a specified period of time, so your system is

13:23.790 --> 13:26.400
already rotating log files using a cron job.

13:26.700 --> 13:35.070
So that employs the logrotate utility, so you can configure the logrotate utility to choose the regularity

13:35.340 --> 13:40.230
of your log rotation with the /etc/logrotate.conf file, um.

13:40.230 --> 13:49.290
It's, um, so let's open it with a text editor, sudo mousepad /etc/logrotate.conf here.

13:50.890 --> 13:55.960
And you can see here, we can see our logrotate configuration file.

13:57.680 --> 13:59.960
So now let's talk about them.

14:00.380 --> 14:06.050
So first, as you can see these comments here, so quickly.

14:06.140 --> 14:11.210
What is very clear, first, you can see the unit of time that the rotate numbers refer

14:11.220 --> 14:12.940
to, this here.

14:12.950 --> 14:16.230
For example, the default here is weekly.

14:16.520 --> 14:20.450
Meaning any number after the rotate keyword always refers to weeks.

14:21.460 --> 14:24.280
So further down, you can see the setting,

14:24.970 --> 14:27.880
how often to rotate logs, logs here.

14:28.270 --> 14:34.420
Uh, the default setting is to rotate logs every four weeks.

14:34.870 --> 14:36.160
Um, here.

14:36.400 --> 14:40.120
So this default configuration will work for most people.

14:40.420 --> 14:47.370
But if you want to keep your logs longer for investigative purposes or, uh, shorter to clean, uh,

14:47.380 --> 14:54.460
them out quicker, this is the setting you should change, so you can change it here.

14:56.270 --> 15:03.530
So, for instance, if you check your log files every week and want to save storage space, you could

15:03.530 --> 15:07.550
change the setting to rotate 1 here.

15:08.000 --> 15:09.910
But I will leave it as it is.

15:10.880 --> 15:18.050
So if you have plenty of storage for your logs and want to keep a semi-permanent record for forensic

15:18.050 --> 15:24.560
analysis later, you could change the setting to rotate, for example, to keep your logs for

15:25.220 --> 15:29.360
six months, or rotate it to keep them for one year.

15:36.690 --> 15:36.990
Yeah.

15:41.440 --> 15:48.850
So by default, a new empty log file is created when old ones are rotated out here, as you

15:48.850 --> 15:49.990
can see, create here.

15:50.930 --> 15:54.860
So as the comments in the configuration file advise,

15:55.920 --> 16:04.210
uh, you can also choose to compress, uh, rotated, uh, rotated log files, see it,

16:04.230 --> 16:11.700
as you can see, compress, but it's commented here, and this means there's, uh, uncompressed log files here.

16:12.660 --> 16:14.630
At the end of the rotation period,

16:14.640 --> 16:21.690
the log files are renamed and pushed, uh, towards the end of the chain of logs as a new log file is

16:21.690 --> 16:28.500
created, uh, replacing the current log. For instance, /var/log/auth will become, uh, /var/log/

16:28.500 --> 16:31.680
auth.1, then /var/log/auth.2.

16:31.680 --> 16:42.330
And so if you rotate logs every four weeks and keep four sets of backups, you will have /var/log/

16:42.330 --> 16:50.100
auth.4 but no /var/log/auth.5, meaning that /var/log/auth.4 will be deleted rather than being

16:50.100 --> 16:51.930
pushed to auth.5.

16:52.410 --> 17:00.350
So you can see this by using the locate command to find, um, auth.log log files with the wildcard here,

17:00.360 --> 17:00.990
for example.

17:00.990 --> 17:02.450
Let's find.

17:04.980 --> 17:15.420
locate, as we, uh, learned earlier, /var/log/auth.log and then a wildcard, as you can see here, we have

17:15.420 --> 17:18.960
two, auth.log.1 and auth.log.2 here.

17:19.900 --> 17:27.060
So for more details on the many ways to customize and use the logrotate utility, see the man

17:27.340 --> 17:33.400
logrotate, the logrotate man page here, as you can see here.

17:33.790 --> 17:40.090
So, uh, as you know, man is the help, uh, documentation for every command in Linux.

17:41.140 --> 17:46.480
Uh, so we discussed that in previous lectures so far.

17:46.480 --> 17:52.270
So this is an excellent resource to learn about the functions you can use and the variables we can change

17:52.270 --> 17:55.030
to customize how your logs are handled.

17:56.840 --> 18:02.750
So once you become more familiar with Linux, you will get a better sense of how often you need to

18:02.750 --> 18:05.790
log and what options you prefer.

18:05.810 --> 18:08.540
So it's worth revisiting the logrotate

18:08.540 --> 18:11.510
.conf configuration file.

18:15.090 --> 18:22.080
Remaining stealthy, actually, I won't look at home, I mean, spend time, OK, remaining stealthy,

18:22.140 --> 18:27.480
once you have compromised a Linux system, it's useful to disable logging and remove any evidence

18:27.480 --> 18:32.640
of your intrusion in log files to reduce the chances of detection.

18:33.300 --> 18:41.640
So there are many ways to do this, and each carries its own risks and level of reliability, so we

18:41.640 --> 18:44.910
can remove evidence and others here.

18:45.930 --> 18:52.530
So first, you will want to remove any logs of your activity, so you can simply open the log files

18:52.530 --> 18:59.550
and precisely remove any logs that reveal your activity line by line using the file deletion

18:59.550 --> 19:03.000
techniques you learned in the previous lectures.

19:04.140 --> 19:13.020
So, however, this could be time consuming and leave time gaps in the log files,

19:13.980 --> 19:15.930
which would look suspicious.

19:15.940 --> 19:21.150
Also, deleted files can generally be recovered by a skilled forensics investigator.

19:21.750 --> 19:27.390
A better and more secure solution is to shred the log files. With other file deletion systems,

19:27.780 --> 19:31.170
a skilled investigator is still able to recover the deleted files.

19:31.890 --> 19:38.940
But suppose there was, uh, a way to delete the file and overwrite it several times, making it much

19:38.940 --> 19:40.080
harder to recover.

19:40.710 --> 19:47.790
Lucky for us, Linux has a built-in command, appropriately named, uh, shred, here, for just this purpose.

19:50.140 --> 19:52.990
So to understand how the shred command works,

19:53.020 --> 19:56.650
take a quick look at the help screen here, shred

19:59.110 --> 20:00.960
--help.

20:03.290 --> 20:08.120
So as you can see here, shred, once on a file.

20:08.390 --> 20:15.890
So, as it sounds, shred will delete the file and overwrite it several times. By default, or shred

20:16.370 --> 20:19.010
by default, shred overwrites four times.

20:19.400 --> 20:25.280
So in general, the more times the file is overwritten, the harder it is to recover.

20:25.550 --> 20:28.280
But keep in mind that each overwrite takes time.

20:28.550 --> 20:32.960
So for very large files, shredding may become time-consuming.

20:33.440 --> 20:40.820
Uh, so two useful options to include are the -f option, which changes the permissions on the files to

20:41.260 --> 20:49.910
allow overwriting if a permission change is necessary, and the -n option here, uh, -n option,

20:51.920 --> 20:59.210
which lets you choose how many times to overwrite files. As an example, we shred log files ten times

20:59.630 --> 21:04.790
using, for example, shred, uh, sudo shred,

21:06.140 --> 21:14.100
um, -f and -n ten times, so /var/log/auth.log,

21:14.390 --> 21:14.480
It.

21:17.360 --> 21:24.650
So we need the -f option to give us permission to shred the auth files and follow that with the -n option, which

21:24.650 --> 21:29.660
is the desired number of times to overwrite.

21:30.050 --> 21:36.770
So after the name of the file we want to shred, we add the wildcard asterisk, so we are shredding

21:36.770 --> 21:38.470
not just the auth.log file.

21:38.480 --> 21:45.530
We are also shredding any log files that have been created with logrotate, such as auth.log.1, auth.log

21:45.530 --> 21:47.030
.2, auth.log and so on.

21:48.680 --> 21:49.340
So now.

21:51.070 --> 21:54.100
Once shredded, the file's, um,

21:55.840 --> 22:06.220
contents are indecipherable gibberish, yeah, sudo mousepad /var/log/auth.log.1.

22:07.840 --> 22:15.730
It's permission denied, sudo here, so you can see here there's nothing to see because it's shredded,

22:15.730 --> 22:16.090
you know.

22:16.930 --> 22:23.020
So now, if the security engineer or forensics investigator examines the log files, they will find nothing

22:23.470 --> 22:26.200
of use because none of it is recoverable.

22:27.460 --> 22:28.720
So now we can.

22:29.260 --> 22:30.580
One last, last thing.

22:31.300 --> 22:37.510
Let's disable logging here. Another option for covering your tracks is to simply disable logging,

22:38.380 --> 22:45.040
uh, when a hacker takes control of a system, they could immediately disable logging to prevent the

22:45.040 --> 22:47.950
system from keeping track of their activities.

22:48.850 --> 22:50.920
This, of course, requires root privileges.

22:51.160 --> 22:53.710
So, to disable all logging,

22:54.040 --> 23:02.890
uh, the hacker could simply stop the rsyslog daemon, um, and stopping any service in Linux

23:02.890 --> 23:04.990
uses the same syntax here.

23:05.140 --> 23:08.530
service, here I will write the syntax here.

23:08.530 --> 23:12.400
service, service name, and start,

23:13.720 --> 23:15.970
stop or restart it.

23:16.940 --> 23:27.800
So to stop the logging daemon, you could simply enter here service, so it's, uh, rsyslog

23:27.800 --> 23:28.490
stop here.

23:32.480 --> 23:35.570
And it needs, uh, root privileges here.

23:36.050 --> 23:38.060
Enter your account password.

23:38.750 --> 23:43.760
Um, and as you can see here, we just stopped, uh, rsyslog.

23:44.000 --> 23:44.300
Yeah.

23:45.370 --> 23:52.090
Now, Linux will stop generating any log files until the service is restarted, enabling you to operate

23:52.090 --> 23:57.340
without leaving behind any evidence in the log files, so start there.

23:59.480 --> 24:06.530
So and here you can start the service, like that. Log files track nearly everything that happens on

24:06.530 --> 24:07.490
your Linux system.

24:07.790 --> 24:15.740
They can be an invaluable resource in trying to analyze what has occurred, whether it be a malfunction or

24:15.740 --> 24:16.160
a hack.

24:16.910 --> 24:22.130
So for the hacker, log files can be evidence of their activities and their identity.

24:22.610 --> 24:29.540
So, however, an astute hacker can remove and shred these files and disable logging entirely,

24:29.900 --> 24:31.760
so just leaving no evidence behind.
