Solved

Need help deciphering logs/fixing the problems they "describe".

Posted on 2003-11-14
Last Modified: 2010-04-22
Hello, everybody.

I'm a programmer, not a network administrator, but in the absence of anyone better qualified, I'm managing (well... sort of) my company's network.

We have a Linux server set up in our network. It's a Red Hat 7.2 and it is a file server, PDC, and firewall all in one.

PDC and file sharing soft: Samba.
FireWall soft: ShoreWall (Shoreline Firewall).

But it was set up by the gods, when mankind was young, and now we don't have anyone with enough Linux skills to really manage it, so it's a lucky thing that Linux is so robust and stable.

In the /root directory, I've put a .forward file with my e-mail address and every day I get two mails. One is always exactly the same. It's from the Cron Daemon, has subject "Cron <root@firewall> run-parts /etc/cron.daily" and says:


/etc/cron.daily/tripwire-check:

****    Error: Tripwire database for firewall not found.    ****
**** Run /etc/tripwire/twinstall.sh and/or tripwire --init. ****


Is this bad or good? If it's bad: how do I fix it?

The other mail is from root (also *to* root). Subject: Log watch for firewall. And it looks like this:


 ################## LogWatch 2.6 Begin #####################

 --------------------- Samba Begin ------------------------

**Unmatched Entries**
[2003/11/13 07:55:06, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 09:12:30, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:30, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 09:12:33, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:33, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 10:02:22, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 12:16:41, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 14:17:05, 0] smbd/chgpasswd.c:check_oem_password(817)
 : 1 Time(s)
[2003/11/13 16:37:51, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:53:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:53:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:53:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:54:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:55:00, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:55:00, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:55:17, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:56:13, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:56:13, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)

...
[A lot more lines like this]
...

[2003/11/13 23:58:06, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 23:58:06, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 23:58:23, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)


 ---------------------- Samba End -------------------------



 ---------------- Connections (secure-log) Begin -------------------

**Unmatched Entries**
useradd[7335]: new user: name=s250$, uid=586, gid=101, home=/dev/null, shell=/bin/false


 ----------------- Connections (secure-log) End --------------------



 --------------------- sendmail Begin ------------------------

1774 bytes transferred
2 messages sent
 ---------------------- sendmail End -------------------------


 ###################### LogWatch End #########################
 

The list of messages is never the same. It changes from day to day, but this is pretty representative.

What do all those messages mean?
Does smb_panic mean SoMeBody should be PANICing? Is it about a problem in the disk?
And what are all the rest of the messages?

Your help will be sincerely appreciated.

Regards:

Jack
Question by:JackNaif

6 Comments
LVL 51

Expert Comment

by:ahoffmann
> Is this bad or good? If it's bad: how do I fix it?
the first mail informs you that tripwire is configured and seems to run. that's good.
But it complains that it misses a configuration. To fix this you need to do what the mail describes (and be an expert, for tripwire at least, somehow:-)

The 2nd mail lists some information from Samba logfiles.
I've seen these messages on my systems too, and never checked for them, think they are harmless.
To give more details about it, you need to post your Samba version.
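The LogWatch report in the question is a series of two-line entries (a Samba log header, then a "N Time(s)" count), plus one useradd line from the secure log. As an added example, not code from the poster or from ahoffmann, here is a small triage script that parses those entries, totals them per source location, and sorts them by how much attention they deserve. The severity table is the editor's heuristic, not anything Samba or LogWatch ships: the nmbd browser-election lines and read_data are routine LAN chatter and dropped client connections; smb_panic is an smbd process aborting (a software abort, not a disk fault), and the assert_gid lines logged at the same timestamps, four times each, are the failed group-id switch that triggered it; the useradd of s250$ with home=/dev/null and shell=/bin/false is the Samba PDC creating a machine trust account when a Windows host joins the domain. The sample report embedded below is a constructed, cut-down copy of the one posted above.

```python
"""Triage the Samba and secure-log "Unmatched Entries" from a LogWatch report.
Added example; the benign/attention classification is the editor's heuristic."""
import re
from collections import Counter

# Constructed sample: a cut-down copy of the report in the question.
SAMPLE_REPORT = """\
 --------------------- Samba Begin ------------------------

**Unmatched Entries**
[2003/11/13 07:55:06, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 09:12:30, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:30, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 14:17:05, 0] smbd/chgpasswd.c:check_oem_password(817)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:53:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)

 ---------------------- Samba End -------------------------

 ---------------- Connections (secure-log) Begin -------------------

**Unmatched Entries**
useradd[7335]: new user: name=s250$, uid=586, gid=101, home=/dev/null, shell=/bin/false

 ----------------- Connections (secure-log) End --------------------
"""

# "[YYYY/MM/DD hh:mm:ss, level] file.c:function(line)" as Samba 2.2 writes it.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
COUNT_RE = re.compile(r"^\s*:\s*(?P<n>\d+) Time\(s\)\s*$")
USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), "
    r"gid=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)

# Editor's heuristic, keyed on the (file, function) pair in each entry.
RULES = {
    ("lib/util.c", "smb_panic"): ("ATTENTION", "an smbd process aborted; pair it with the assert_gid lines at the same timestamp"),
    ("lib/util_sec.c", "assert_gid"): ("ATTENTION", "smbd could not switch to the expected group id and panicked"),
    ("smbd/chgpasswd.c", "check_oem_password"): ("REVIEW", "a password-change request was rejected; a one-off is usually a typo"),
    ("lib/util_sock.c", "read_data"): ("INFO", "a client dropped its SMB connection mid-read"),
}
NMBD_BROWSER = ("nmbd/nmbd_become_lmb.c", "nmbd/nmbd_incomingdgrams.c")


def classify(file, func):
    """Map a (file, function) pair to a severity label and a one-line note."""
    if (file, func) in RULES:
        return RULES[(file, func)]
    if file in NMBD_BROWSER:
        return ("INFO", "local master browser election between nmbd and another LAN host")
    return ("UNKNOWN", "not in the rule table; look the message up in the full Samba log")


def parse_samba_entries(report):
    """Return [(timestamp, file, func, count)] for every two-line LogWatch entry."""
    entries = []
    lines = report.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        c = COUNT_RE.match(lines[i + 1])
        count = int(c.group("n")) if c else 1
        entries.append((m.group("ts"), m.group("file"), m.group("func"), count))
    return entries


def summarise(entries):
    """Total occurrences per (file, func), regardless of timestamp."""
    totals = Counter()
    for _ts, file, func, count in entries:
        totals[(file, func)] += count
    return totals


def parse_useradd(report):
    """Return [(name, is_machine_account)] for each useradd line.
    A trailing '$' with shell=/bin/false is the PDC creating a machine trust
    account for a Windows host joining the domain."""
    found = []
    for m in USERADD_RE.finditer(report):
        name = m.group("name")
        found.append((name, name.endswith("$") and m.group("shell") == "/bin/false"))
    return found


def triage(report):
    """Rows of (level, total, 'file:func', note), most serious first."""
    order = {"ATTENTION": 0, "REVIEW": 1, "UNKNOWN": 2, "INFO": 3}
    rows = []
    for (file, func), n in summarise(parse_samba_entries(report)).items():
        level, note = classify(file, func)
        rows.append((level, n, f"{file}:{func}", note))
    rows.sort(key=lambda r: (order[r[0]], -r[1]))
    return rows


if __name__ == "__main__":
    for level, n, where, note in triage(SAMPLE_REPORT):
        print(f"{level:9} {n:4}x {where}: {note}")
    for name, is_machine in parse_useradd(SAMPLE_REPORT):
        kind = "machine trust account (domain join)" if is_machine else "ordinary account"
        print(f"useradd  {name}: {kind}")
```

The LogWatch lines only carry the location of the log call, not its text; to see what smbd actually said (for instance which gid assert_gid failed to set), grep the same timestamps in /var/log/samba on the server. A machine account appearing in the secure log is normal for a PDC, but the name should match a workstation someone actually joined that day.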
 
LVL 1

Author Comment

by:JackNaif
ahoffman,
thank you for your reply. As I said, I'm not an expert, but I am bold enough, so I gave it a try anyway.  :-)

Look at what the very wicked answered:

[root@firewall root]# tripwire --init
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...

How bad is it if Tripwire is not running, or not properly configured? Is there a "Tripwire for dummies" page somewhere?


I'm not sure about how to determine the version of samba that's running. The man page says

VERSION
       This  man  page  is  correct  for version 2.2 of the Samba
       suite.

so I guess it must be v2.2 but I guess there's got to be a better way...
Is that "smb_panic" really usual? I mean: "kernel panic" is about as good as "your machine is dead". Isn't "smb_panic" like "your Samba has its days counted" or "your disk is fried"?
And all that stuff about "local master announce": Is somebody trying to hack our network? Is it just a W98 box that doesn't know its place on this earth?
Where can I find out the meaning of these messages?

 
LVL 51

Expert Comment

by:ahoffmann
hmm, where is the problem in understanding what tripwire reports?

   [root@firewall root]# tripwire --init
   ### Error: File could not be opened.
   ### Filename: /etc/tripwire/tw.cfg
   ### No such file or directory
   ### Configuration file could not be read.

it says that there is no /etc/tripwire/tw.cfg, and you can simply prove this with:

  /bin/ls -lF /etc/tripwire/tw.cfg

I'd suggest that you search for your tw.cfg, for example like:

  find -name tw.cfg -print

then start your tripwire with an appropriate -c option
 
LVL 1

Author Comment

by:JackNaif
Thanks once again for your answer, ahoffmann. But, hey, be gentle on me! When it comes to Linux, I'm a complete rookie. I'm a programmer, but a Windows (as opposed to Linux) programmer.

Now, /etc/tripwire/tw.cfg doesn't exist.

And the find command you suggested didn't return anything. (It was very helpful however, because I didn't understand how the find command could be used to find a file).

However, I found a /etc/tripwire/twcfg.txt file:

[root@firewall tripwire]# less twcfg.txt
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
twcfg.txt (END)

By copying it to tw.cfg would I be fixing the problem, or entirely scrambling the whole system?
From the man page for tripwire I guess it checks to see no one's changed a system file but first I should have a database of the system. And in spite of having read the man page, I'm not at all sure about how to build it.
Isn't there really a more friendly manual for tripwire than the man page? (Of course I could Google for it, but I want one that comes with a recommendation).

And all those messages from samba: I read somewhere that an administrator should always read the log files to check for intrusions. Could these messages be a clue about intrusions or attempts to intrude? Or is it other logs that I should read, instead of these messages? Or is it just science-fiction to think that an admin will actually read the logs?

Regards:

Jack
 
LVL 51

Accepted Solution

by:ahoffmann (earned 150 total points)
no, twcfg.txt is different from tw.cfg.
Docs for tripwire either come with the tarball (tripwire*.tar.gz), or can be found at http://www.tripwire.com/
Note that tripwire up to version 1.x was free, while starting with 2.x it's commercial.
Configuration, and so docs, also changed from 1.x to 2.x, so first check which version you have.
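The thread establishes three facts: tripwire --init wants /etc/tripwire/tw.cfg and it is absent; the plain-text twcfg.txt is present and names the key, policy and database paths (with $(HOSTNAME) expanded at run time); and the daily cron check fails until the database named by DBFILE exists. As an added example, not the poster's or ahoffmann's code and not part of Tripwire itself, the script below reads twcfg.txt, expands $(HOSTNAME), checks which of those artifacts exist, and prints the next command. The twadmin invocations it prints are the standard open-source Tripwire 2.x workflow (generate the site and local keys, sign twcfg.txt into tw.cfg and twpol.txt into tw.pol, then run tripwire --init), which is the sequence Red Hat's twinstall.sh wraps; the sample twcfg.txt embedded in it is a constructed copy of the one posted above, and the existence check is injectable so the logic can be exercised against a scratch tree rather than the real /etc/tripwire.

```python
"""Report which step of a Tripwire 2.x setup is still missing, given the
plain-text twcfg.txt.  Added example; not code from the page or from Tripwire."""
import os
import socket

# Constructed copy of the twcfg.txt the poster found (first lines only).
SAMPLE_TWCFG = """\
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
"""


def parse_twcfg(text, hostname):
    """Parse KEY = value lines and expand $(HOSTNAME) as tripwire does.
    $(DATE) is left alone; it is only used in the report file name."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        cfg[key] = value.replace("$(HOSTNAME)", hostname)
    return cfg


def setup_state(twdir, cfg, exists=os.path.exists):
    """Return (missing_step, command) for the first artifact that is absent,
    or (None, None) when the baseline database exists and 'tripwire --check'
    (what /etc/cron.daily/tripwire-check runs) should succeed.
    'exists' is injectable so the ordering can be tested without touching /etc."""
    site, local = cfg["SITEKEYFILE"], cfg["LOCALKEYFILE"]
    twcfg_txt = os.path.join(twdir, "twcfg.txt")
    twpol_txt = os.path.join(twdir, "twpol.txt")
    tw_cfg = os.path.join(twdir, "tw.cfg")
    # Order matters: each step signs with the keys or reads the signed config
    # produced by the one before it.
    steps = [
        ("site/local keys", [site, local],
         f"twadmin --generate-keys --site-keyfile {site} --local-keyfile {local}"),
        ("signed config tw.cfg", [tw_cfg],
         f"twadmin --create-cfgfile --cfgfile {tw_cfg} --site-keyfile {site} {twcfg_txt}"),
        ("signed policy", [cfg["POLFILE"]],
         f"twadmin --create-polfile --cfgfile {tw_cfg} --site-keyfile {site} {twpol_txt}"),
        ("baseline database", [cfg["DBFILE"]],
         f"tripwire --init --cfgfile {tw_cfg}"),
    ]
    for name, paths, cmd in steps:
        if not all(exists(p) for p in paths):
            return name, cmd
    return None, None


if __name__ == "__main__":
    twdir = "/etc/tripwire"
    path = os.path.join(twdir, "twcfg.txt")
    text = open(path).read() if os.path.exists(path) else SAMPLE_TWCFG
    cfg = parse_twcfg(text, socket.gethostname())
    step, cmd = setup_state(twdir, cfg)
    if step is None:
        print("tripwire is initialised; the daily check should now run: tripwire --check")
    else:
        print(f"missing {step}; next command: {cmd}")
```

Two caveats before running the printed commands on the real box. The error in the thread ("Filename: /etc/tripwire/tw.cfg ... No such file") corresponds to the second step, so check first whether site.key and the $(HOSTNAME)-local.key already exist; if they do, do not regenerate them, because any existing signed policy would no longer verify. And tripwire --init records the files as they are today: on a server that was "set up by the gods" and has run unmonitored, the baseline can only catch changes from that point on, not anything already tampered with.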
 
LVL 1

Author Comment

by:JackNaif
OK. No renaming twcfg.txt then.

A link in tripwire.com took me to the right page in SourceForge and there I found a manual which is a whole lot clearer than the man page and though I haven't gone over the whole of it yet, the parts I've seen are clear enough.
I'm sure that with it I'm going to be able to get it running right. (At least I've already understood what it does).

Points thankfully awarded.