Matt <panzer@dhp.com> writes:
> This came from the linux-server list. But reminded me of something I
> wanted to know about. Is there a standard for people to syslog possible
> security violations? This would make it easier to find them in huge log
> files with swatch or other monitoring tools.
Security-related log entries don't have their own "facility" with
syslogd, and I doubt that's even possible, because a security violation
on one system may be legal on another system. I personally use a
different approach to this whole problem:
Until a couple of days ago (I'm currently switching to another
distribution) I've had syslog log everything to one file and another
process reading that file, scanning for unknown or known-to-be-serious
messages. Since I currently don't have to bother much about
performance issues this is a simple
# The file name is an assumption; the original omits it.
tail -f /var/log/messages | awk '
# Known-harmless entries: skip them.  A "/" inside an awk regex has to
# be written "\/", otherwise awk takes it for the end of the pattern.
/\/USR\/SBIN\/CRON\[[0-9]+\]: \(root\) CMD \(atrun -l 0\.5\)/ { next; }
/sendmail\[[0-9]+\]:.* from=<[^>]*devnull\.ruhr\.de>/ { next; }
/sendmail\[[0-9]+\]:.* to=<[^>]*devnull\.ruhr\.de>/ { next; }
# .
# .
# .
# Known-serious entries: alert, then stop looking at this line.
/LOGIN FAILURE/ {
    system("play /usr/local/sounds/login.failure");
    next;
}
# .
# .
# .
# Anything that gets this far is unknown: alert as well.
{
    system("play /usr/local/sounds/unknown.log.entry");
}
'
style thing. I'm sure you get the idea.
I originally did this with only the last "pattern" and fairly soon
had this filter adapted to all relevant log entries. You'll need to
adapt the filter for your local needs, so I'm afraid you've got to do
this for yourself. If you've kept a couple of days' worth of logs it's
probably done in half an hour or so.
It is also possible to use the named pipe mechanism in newer
syslogds, but I actually like to keep one log file with *all* entries
in the order they arrive in, aside from the usual split-up by facility
and priority. Your choice.
Playing silly sounds appears to me to be the most reasonable thing to do
with serious messages. Sending those lines to a dedicated vt is also
handy. Sending mail, printing to a dedicated line printer, calling a
pager and shutting down services or interfaces may also be reasonable
depending on your requirements.
Finally, if performance is a bit of a problem I'm quite sure this can
be done with lex in a more efficient manner. Same if you've got a
drop-safe host you don't want any languages lying around on. But
until then awk seems preferable to me --- more concise and easier to
modify.
Ben
--
Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes. Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
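[Editor's note: the script below is an added example, not code from Ben's post. It is a batch version of the same "known-harmless / known-serious / everything else" awk filter: instead of playing sounds it tags each line that deserves attention, so the output can be grepped, mailed or diffed. The log lines in sample_log are constructed, the example.org domain and the su pattern are placeholders for whatever is normal on your own host, and the rule order (allow rules first, alert rules next, catch-all last) is the point being demonstrated.]

```shell
#!/bin/sh
# Added example, not code from the post above.  Batch version of the
# "known-good / known-bad / everything else" awk filter: instead of
# playing sounds it tags each line that needs attention so the result
# can be grepped, mailed or diffed.  The lines in sample_log are
# constructed; example.org and the su pattern are placeholders.

classify_log() {
    # Reads syslog lines on stdin; prints "TAG line" for lines that need
    # attention and drops known-harmless ones.  Order matters: the first
    # matching rule wins, so allow rules come before alert rules and the
    # catch-all rule comes last.
    awk '
    # known-harmless noise: drop it ("/" inside a regex is written "\/")
    /\/USR\/SBIN\/CRON\[[0-9]+\]: \(root\) CMD \(atrun -l 0\.5\)/ { next }
    /sendmail\[[0-9]+\]:.* (from|to)=<[^>]*example\.org>/         { next }
    # known-serious: tag it explicitly
    /LOGIN FAILURE/                           { print "ALERT " $0; next }
    /su\[[0-9]+\]: .*authentication failure/  { print "ALERT " $0; next }
    # everything not matched above is unknown, which is also worth a look
    { print "UNKNOWN " $0 }
    '
}

sample_log() {
    # constructed sample input, not real log data
    cat <<'EOF'
Jan  5 01:00:00 host /USR/SBIN/CRON[1234]: (root) CMD (atrun -l 0.5)
Jan  5 01:00:01 host sendmail[1235]: from=<alice@example.org>, size=100
Jan  5 01:00:02 host sendmail[1235]: to=<bob@example.org>, stat=Sent
Jan  5 01:00:03 host login[1236]: LOGIN FAILURE FROM ttyp1, root
Jan  5 01:00:04 host su[1237]: pam_unix: authentication failure for alice
Jan  5 01:00:05 host kernel: eth0: link up
EOF
}

count_tag() {
    # Usage: count_tag TAG  -> number of sample lines classified as TAG
    sample_log | classify_log | awk -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# stand-alone run: show what survives the filter
sample_log | classify_log
```

Run it as is to see the three surviving lines (two ALERT, one UNKNOWN); to use it on a real log, replace sample_log with `tail -f` on your log file and feed classify_log's output to whatever alerting you prefer. Adding a new allow rule is a one-line change, which is the reason for keeping the filter in awk rather than something more elaborate.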