Thursday, September 26, 2002

# 2 About logs

Logs are the Big Brother of your system: everything can be monitored there, and we need to be sure that nothing escapes. Keep in mind that we are not talking about a normal Unix system, or even a Linux box where you can install any package you want. Most of the time the customer does not like you installing strange programs or doing unusual things on the Nokia box. So let's focus on minimal intervention, using shell scripts and cron to catch all the information we need. We have some scripts with different purposes, and we need to be very careful with them, so that they do not create any kind of instability through disk-space problems, CPU usage and things like that.

The script below shows a lot of information that just has to be enabled as you need it. There are specific sections where you can find useful day-to-day information to look at.
[I'm finishing the script... keep cool, ok?!]
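The post's own collection script is still pending. As an added example (not the author's script, and not code from the page), here is the guard the paragraph above asks for: a snapshot function meant to be driven from cron that refuses to write when free space on the target filesystem drops below a threshold, and prunes old snapshots, so a busy collection job cannot fill the disk. It assumes only POSIX sh with `df -P`; the directory, the threshold, the retention count and the command to capture (for instance `netstat -an`) are the reader's choices, not anything taken from the page.

```shell
#!/bin/sh
# Added example, not the author's pending script: space-guarded snapshot
# collector for cron. Assumes POSIX sh and df -P; every path, threshold and
# command is passed in by the caller (nothing here is IPSO-specific).

# free_kb DIR: kilobytes free on the filesystem holding DIR (POSIX df -P
# guarantees one header line plus one data line, so NR==2 is the data).
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# snapshot DIR NAME MIN_FREE_KB KEEP CMD...: run CMD and store its output as
# DIR/NAME.<timestamp>. Refuses (return 2) when free space is below
# MIN_FREE_KB, so the job degrades to a cron mail instead of filling the disk;
# afterwards keeps only the newest KEEP snapshots for this NAME.
snapshot() {
    dir=$1; name=$2; min_free=$3; keep=$4; shift 4
    [ -d "$dir" ] || mkdir -p "$dir"
    free=$(free_kb "$dir")
    if [ "$free" -lt "$min_free" ]; then
        echo "$name: skipped, only ${free}KB free (< ${min_free}KB)" >&2
        return 2
    fi
    # Second-resolution timestamp; add a suffix if two runs collide.
    base="$dir/$name.$(date +%Y%m%d%H%M%S)"
    out=$base; n=0
    while [ -e "$out" ]; do n=$((n + 1)); out="$base-$n"; done
    "$@" > "$out" 2>&1
    # Prune: newest first, drop everything past KEEP.
    ls -1t "$dir/$name".* | tail -n +"$((keep + 1))" | while IFS= read -r old; do
        rm -f "$old"
    done
    return 0
}

# snapshot_count DIR NAME: number of snapshots currently kept for NAME.
snapshot_count() {
    ls -1 "$1/$2".* 2>/dev/null | wc -l | tr -d ' '
}

# Hypothetical crontab line (paths and command are the reader's choice):
#   0 * * * * . /var/admin/snap.sh; snapshot /var/admin/snap netstat 20480 48 netstat -an
```

Check the exit code in cron mail: 2 means the collector deliberately skipped a run for lack of space, which is a finding in itself, not a broken script.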

Monday, September 23, 2002

Forensics on Nokia/CheckPoint

Before we start, let me explain the objectives of this whitepaper series:
To carry out a clean forensic analysis in an environment with Nokia IP appliances and CheckPoint FW-1, there is a list of steps to do before, during and after the firewall in question receives the right treatment. The reference material used to create these documents is public, and the idea is to keep everything in full disclosure.
These steps can (in most cases) be applied to all versions of IPSO and FW-1, but some audits are very particular to each version, and the respective references will be given in footnotes.
You can use them as guidelines, or just apply some steps to a particular kind of debugging or forensic analysis.

Tabula rasa
We need a clear understanding of the environment we are stepping into, and the only way to get it is by exploring IPSO and its combination with FW-1.
Considering that you will start your job with a clean Nokia box, the first step is to create some files that let you be certain of the integrity of the appliance later on.

Ok, you have finished installing IPSO. Now, before installing the firewall packages, we need to do some things:
# 1 Registering the data for integrity verification
IPSO has an MD5 command that creates a hash of any file. Let's use that tool to generate an initial file for integrity verification. If we could install Tripwire or AIDE to do this kind of work, things would be easier, but we can't, not the way we need, so let's get hands on.
Please take a look at RFC 1321 [search for it at www.landfield.com] before continuing to read, or use a Windows version to familiarize yourself with the tool; try www.cygwin.com.
First of all you need to create a list of files to verify, like this:

# cat list
/etc/config
/var/admin/file01
/etc/passwd
and so on…..

Now you need to create the checksum of all listed files (the backquoted `cat list` splits on whitespace, so keep one path per line and avoid paths with spaces):

# md5sum `cat list` > list.md5
# cat list.md5

81da4fd248fe4dd0b3e7bbfa4310d508 /etc/config
249956822e335619cdf5203d00b20a17 /var/admin/file01
3048b5a69ae235af27126de73ad89dc4 /etc/passwd

Put that file in a safe place: off the box, or on read-only media. An intruder who gets root can regenerate list.md5 as easily as you did, and the check is only as trustworthy as the md5 binary that runs it. Any time you want, the verification can be done easily:
# md5sum -c list.md5

/etc/config: OK
/var/admin/file01: OK
/etc/passwd: OK

Internal policies sometimes do not let you install binaries on the IPSO box, which is where the integrity check explained above becomes really useful. If you have full permissions, you can choose an automated program to do this, such as Tripwire [already mentioned].
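The list / list.md5 procedure above, as an added example that is not part of the original post: two shell functions that build the baseline and verify it, reporting the two failure modes a forensic baseline has to surface (a file whose content changed, and a file that has disappeared, which `md5sum -c` alone reports less clearly). It assumes only POSIX sh plus md5sum (GNU) or md5 (BSD); the paths in the usage comment are hypothetical, and the test data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the list / list.md5 procedure
# as shell functions. Assumes POSIX sh plus md5sum (GNU) or md5 (BSD); every
# path is passed in by the caller.

# hash_file FILE: print the bare MD5 hex digest, whichever md5 tool the box has.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# make_baseline LIST OUT: LIST holds one path per line (read line by line, so
# paths with spaces survive, which `cat list` inside backquotes does not
# guarantee); OUT receives "hash  path" lines in md5sum's own format.
make_baseline() {
    : > "$2"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            echo "$f: not found, skipped" >&2
            continue
        fi
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$2"
    done < "$1"
}

# verify_baseline BASELINE: recompute each digest and print one line per file:
# "path: OK", "path: CHANGED" or "path: MISSING". Returns 0 only when every
# file is present and unchanged, so the exit code is usable from cron.
verify_baseline() {
    rc=0
    while read -r want path; do
        [ -n "$want" ] || continue
        if [ ! -f "$path" ]; then
            echo "$path: MISSING"
            rc=1
        elif [ "$(hash_file "$path")" = "$want" ]; then
            echo "$path: OK"
        else
            echo "$path: CHANGED"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage on the appliance (hypothetical paths):
#   make_baseline /var/admin/list /var/admin/list.md5   # right after the IPSO install
#   verify_baseline /var/admin/list.md5                 # any time later
```

Keep the baseline file off the box, as the text says; the functions only tell you that something differs from the copy you fed them, and a root-level intruder can rewrite a copy left on the appliance.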