URL: security-projects.com/?libCryptoLog___Apache_example

Apache example

CentOS 6.5:

1 Download and untar

# wget http://dl.bintray.com/yjesus/LibCryptoLog/libCryptoLog.tgz

# tar -xvzf libCryptoLog.tgz

2 The helper scripts need perl-Crypt-RSA

# yum -y install perl-Crypt-RSA

3 Create your own RSA keys (key.public / key.private)

# perl rsacreate.pl

4 Copy key.public to /usr/local/etc/ (only the public key belongs on the web server; keep key.private somewhere else, since whoever can read it can decrypt the logs)

# cp key.public /usr/local/etc/

5 Copy helper file to /usr/local/bin

# cp rsacrypt.pl /usr/local/bin/

6 Next, locate the file descriptor numbers on which Apache keeps its log files open

# ps aux | grep -i httpd
 
root      1508  0.0  1.6 135832 17328 ?        Ss   09:26   0:00 /usr/sbin/httpd
apache    1540  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1541  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1542  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1543  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1544  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1545  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1546  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd
apache    1547  0.0  0.6 135832  6932 ?        S    09:26   0:00 /usr/sbin/httpd

# lsof -p 1508 

httpd   1508 root    0r   CHR    1,3      0t0   3903 /dev/null
httpd   1508 root    1w   CHR    1,3      0t0   3903 /dev/null
httpd   1508 root    2w   REG  253,0     3522 398650 /var/log/httpd/error_log
httpd   1508 root    3r   CHR    1,9      0t0   3908 /dev/urandom
httpd   1508 root    4u  sock    0,6      0t0  10395 can't identify protocol
httpd   1508 root    5u  IPv6  10396      0t0    TCP *:http (LISTEN)
httpd   1508 root    6r  FIFO    0,8      0t0  10489 pipe
httpd   1508 root    7w  FIFO    0,8      0t0  10489 pipe
httpd   1508 root    8w   REG  253,0   265970 398649 /var/log/httpd/access_log

So, as you can see, the descriptors for /var/log/httpd/error_log and /var/log/httpd/access_log are 2 and 8. These numbers depend on the order in which httpd opens its files at startup, so repeat this lsof check after any configuration change (a new VirtualHost with its own log, for example): a log file whose descriptor is not in the list is written in cleartext.

7 Adapt libCryptoLog to encrypt only these file descriptors

# vi libCryptoLog.c

And search for:

int filedesyes[2] = {3, 10};

Change to:

int filedesyes[2] = {2, 8};

If your httpd has more log files open (per-VirtualHost logs, ssl_access_log, ...), each one is a separate descriptor and has to be listed here, and the array size must match the number of entries; check how the library loops over filedesyes before growing it beyond two entries.

8 Compile and install

# gcc -Wall -fPIC -shared -o libCryptoLog.so libCryptoLog.c -ldl -lssl

# cp libCryptoLog.so /usr/local/lib/

9 Change the init.d script so that Apache is launched with LD_PRELOAD pointing to our library

# vi /etc/init.d/httpd

and change:

start() {
        echo -n $"Starting $prog: "
        LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch ${lockfile}
        return $RETVAL
}

To

start() {
        echo -n $"Starting $prog: "
        LD_PRELOAD=/usr/local/lib/libCryptoLog.so LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch ${lockfile}
        return $RETVAL
}

10 Restart Apache. A full stop and start is needed: LD_PRELOAD is only honoured when the httpd process is exec'd, so a graceful restart would keep the running parent and never load the library

# service httpd stop

# service httpd start

11 Et voilà: if you check /var/log/httpd/error_log and /var/log/httpd/access_log you can see that the records are now written encrypted, each one as a base64 block between BEGINCRYPTO and ENDCRYPTO markers

BEGINCRYPTO
gRNmfi/yS9Vaya37VJ7sM+iZtoYDG976SWPa4XTLnPGccBTd56J8Bk0uLZyK86vopcjdKp2JPDr7
oHWk/TKA00IStIgvTofUH9DeZGepqikIkjJg9wylAJ0ROjpcerozOX1LQWuj+ZoOxRu7K+UIeQmc
389SjDAyqNs/U8UHc75ntbVHy/A1e95fWUAHnkcD/1au463ugNHQmCJoSHA4NgwhDmwUJLafWSKr
T/L6BaOsruxDtkUqu0gBfROadVuc9oALSdRSc5WqA3T5HuS10a49szZ5zedqtQJiQFjikJCRo/v6
tzYHHs3Es+8yfpZti/l3pChW8+zHCxuPRKNccg==
ENDCRYPTO
BEGINCRYPTO
VB68V3MyG7yNHfYc8UR69ZbaC4ztBkOigWnKZzlKTMiXNdSBFEJ++TPKQXUFo4j8AfrgQPL6DQQ8
nd0yoMSaA3ojq+MvBY5cSLstVeEGaIJSXRboZMGyq6UpfOAqvWLvd48w63ND9cKKDBkEQcfUM3a7
S5KPss/qqSKYcsSHsqk=
ENDCRYPTO
BEGINCRYPTO

12 To decrypt the logs, use rsadecrypt.pl (it needs key.private, so run it on the machine that holds the private key)

# perl rsadecrypt.pl /var/log/httpd/error_log error2.txt

error2.txt then contains the decrypted logs.
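Steps 6, 7 and 11 above are done by hand: read the descriptor numbers off the lsof listing, type them into libCryptoLog.c, and trust that the restart picked up the library. The script below is an added example and not part of libCryptoLog or this page: it derives the filedesyes[] declaration from `lsof -p` output, patches it into a copy of libCryptoLog.c, and checks /proc/<pid>/maps after the restart to confirm the library is really preloaded. It goes beyond the page in handling any number of log files and sizing the array to match. It assumes the standard `lsof -p` column layout, that log files are regular files (REG) below LOG_DIR, and that libCryptoLog.c contains exactly one `int filedesyes[N] = {...};` declaration; the SAMPLE_LSOF listing is constructed from the one on this page plus a hypothetical third log on descriptor 10.

```shell
#!/bin/sh
# Added example, not part of libCryptoLog: generate the filedesyes[] line for
# libCryptoLog.c from `lsof -p` output and verify the preload after restart.
# Assumptions: standard `lsof -p` column layout (COMMAND PID USER FD TYPE
# DEVICE SIZE/OFF NODE NAME), log files are REG entries below LOG_DIR, and
# libCryptoLog.c holds exactly one "int filedesyes[N] = {...};" declaration.

LOG_DIR=${LOG_DIR:-/var/log/httpd}

# Constructed sample of `lsof -p 1508` output: the listing from this page plus
# a hypothetical ssl_access_log on fd 10 and a mapped library (TYPE REG but
# not a numeric descriptor). Used only for the stand-alone demo.
SAMPLE_LSOF='httpd   1508 root    0r   CHR    1,3      0t0   3903 /dev/null
httpd   1508 root    1w   CHR    1,3      0t0   3903 /dev/null
httpd   1508 root    2w   REG  253,0     3522 398650 /var/log/httpd/error_log
httpd   1508 root    3r   CHR    1,9      0t0   3908 /dev/urandom
httpd   1508 root    5u  IPv6  10396      0t0    TCP *:http (LISTEN)
httpd   1508 root    8w   REG  253,0   265970 398649 /var/log/httpd/access_log
httpd   1508 root   10w   REG  253,0        0 398651 /var/log/httpd/ssl_access_log
httpd   1508 root  mem    REG  253,0   123456 131076 /usr/lib64/libssl.so.10'

# log_fds: read lsof output on stdin, print the descriptor number of every
# regular file open below LOG_DIR, one per line, ascending. Column 4 is the FD
# field ("2w", "8w", ...), column 5 the TYPE, the last column the path. The
# access-mode suffix is stripped; non-numeric FD entries (mem, txt, cwd) are
# skipped even when they are REG, so mapped libraries never sneak in.
log_fds() {
    awk -v dir="$LOG_DIR" '
        $5 == "REG" && $4 ~ /^[0-9]+[rwuRW-]?$/ && index($NF, dir "/") == 1 {
            fd = $4
            sub(/[rwuRW-]$/, "", fd)
            print fd + 0
        }' | sort -n | uniq
}

# filedesyes_line: turn descriptor numbers (one per line on stdin) into the
# declaration libCryptoLog.c expects, e.g. "int filedesyes[2] = {2, 8};".
# Fails on empty input so a build never ships an empty descriptor list.
filedesyes_line() {
    awk '
        { fds[n++] = $1 }
        END {
            if (n == 0) exit 1
            line = "int filedesyes[" n "] = {"
            for (i = 0; i < n; i++) {
                sep = (i ? ", " : "")
                line = line sep fds[i]
            }
            print line "};"
        }'
}

# patch_source: replace the filedesyes declaration in libCryptoLog.c (or a
# copy of it) with the generated line. Refuses to touch the file unless
# exactly one declaration is present, so a silent no-op cannot reach
# production. Rewrites in place through a temp file to keep the inode/mode.
patch_source() {
    src=$1
    newline=$2
    count=$(grep -c '^int filedesyes\[[0-9]*] *= *{' "$src" || true)
    if [ "$count" -ne 1 ]; then
        echo "patch_source: expected one filedesyes declaration in $src, found $count" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sed "s|^int filedesyes\[[0-9]*] *= *{.*};|$newline|" "$src" > "$tmp" && cat "$tmp" > "$src"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# preload_loaded: given /proc/<pid>/maps (or a copy of it), succeed only if
# libCryptoLog.so is mapped into that process. Run it against the httpd parent
# after "service httpd start" to prove the LD_PRELOAD in the init script took
# effect; a missing mapping means every log line is going out in cleartext.
preload_loaded() {
    grep -q '/libCryptoLog\.so$' "$1"
}

# Stand-alone demo on the constructed sample: prints
# int filedesyes[3] = {2, 8, 10};
printf '%s\n' "$SAMPLE_LSOF" | log_fds | filedesyes_line

# Live use on the server (as root, httpd running), followed by steps 8-10:
#   pid=$(cat /var/run/httpd/httpd.pid)
#   patch_source libCryptoLog.c "$(lsof -p "$pid" | log_fds | filedesyes_line)"
#   ... compile, install, stop/start ...
#   preload_loaded /proc/$(cat /var/run/httpd/httpd.pid)/maps && echo preloaded
```

After the restart, run `lsof -p` on the new parent once more and compare with the list you compiled in: if the numbers moved, rebuild before trusting the logs.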