LinuxQuestions.org
Running Logwatch in a more portable way

Posted 04-28-2012 at 05:16 AM by unSpawn
Tags logwatch

In the Linux Security forum we often ask victims of (perceived) security breaches to gather log files and parse them for leads using Logwatch. Analysis is best done on a physically separate, known-secure machine in a safe network. Left unmodified, Logwatch's configuration defaults make it read the analysis machine's own logs instead of the compromised machine's logs. Here is a patch for install_logwatch.sh that installs Logwatch in a temporary directory and prepares it to receive the log files in a separate directory:
Code:
--- install_logwatch.sh.orig	2012-03-24 11:35:34.000000000 +0000
+++ install_logwatch.sh	2012-03-24 11:35:35.000000000 +0000
@@ -72,11 +72,11 @@
 
 #All these can be set via user input
 #Defaults
-BASEDIR="/usr/share/logwatch"
-CONFIGDIR="/etc/logwatch"
-TEMPDIR="/var/cache/logwatch"
+BASEDIR="/tmp/logwatch_portable"
+CONFIGDIR="${BASEDIR}/etc"
+TEMPDIR="${BASEDIR}/tmp"
 PERLEXE="/usr/bin/perl"
-MANDIR="/usr/share/man"
+MANDIR="${BASEDIR}/man"
 
 #Command line options section
 #Currently only prefix is supported but now that the door is open other options should follow. -mgt
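Review bot: BASEDIR is set to the fixed, predictable path /tmp/logwatch_portable inside a world-writable directory, and nothing in this hunk checks whether it already exists, so a directory pre-created there by another local user, or left behind by an earlier run, would be silently reused both for the install and for the evidence copied under it. Prefer `BASEDIR="$(mktemp -d /tmp/logwatch_portable.XXXXXX)"` or a location under the analyst's home, or at least abort when `[ -e "$BASEDIR" ]` before installing. Deriving CONFIGDIR, TEMPDIR and MANDIR from ${BASEDIR} is the right move; the rest of the patch should use the same variable instead of the literal path.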
@@ -237,7 +237,7 @@
 #The install would destory the perms on /tmp
 if [ ! -d $TEMPDIR ]; then
    #Should this be 0700 -d $TEMPDIR ??
-   install -m 0755 -d $TEMPDIR
+   install -m 0750 -d $TEMPDIR
 fi
 
 #This can create duplicates need to grep first -mgt
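Review bot: the open question in the comment (`#Should this be 0700 -d $TEMPDIR ??`) can be answered yes for this single-analyst use: the cache directory will hold intermediate copies of a compromised host's logs, and the later hunk creates $BASEDIR/logs and $BASEDIR/report with 0700, so 0750 here is the odd one out. Also note that this branch only runs when $TEMPDIR does not already exist; an existing directory keeps whatever mode it had, which matters given the predictable path in /tmp.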
@@ -271,22 +271,22 @@
    install -m 0644 postfix-logwatch.1 $MANDIR/man1
    install -m 0644 amavis-logwatch.1 $MANDIR/man1
    #OpenBSD no -s
-   if [ $OS = "OpenBSD" ]; then
-      makewhatis -u $MANDIR/man5 $MANDIR/man8 $MANDIR/man1
-   else
-      #FreeBSD and NetBSD no -s no -u
-      if [ $OS = "FreeBSD" ] || [ $OS = "NetBSD" ]; then
-         makewhatis $MANDIR/man5 $MANDIR/man8 $MANDIR/man1
-      else
-         #MacOS X aka Darwin no -u [even thought the manpage says]
-         if [ $OS = "Darwin" ]; then
-            makewhatis -s "1 5 8" $MANDIR
-         else
-         #Linux
-            makewhatis -u -s "1 5 8" $MANDIR
-         fi
-      fi
-   fi
+# DONT:   if [ $OS = "OpenBSD" ]; then
+# DONT:      makewhatis -u $MANDIR/man5 $MANDIR/man8 $MANDIR/man1
+# DONT:   else
+# DONT:      #FreeBSD and NetBSD no -s no -u
+# DONT:      if [ $OS = "FreeBSD" ] || [ $OS = "NetBSD" ]; then
+# DONT:         makewhatis $MANDIR/man5 $MANDIR/man8 $MANDIR/man1
+# DONT:      else
+# DONT:         #MacOS X aka Darwin no -u [even thought the manpage says]
+# DONT:         if [ $OS = "Darwin" ]; then
+# DONT:            makewhatis -s "1 5 8" $MANDIR
+# DONT:         else
+# DONT:         #Linux
+# DONT:            makewhatis -u -s "1 5 8" $MANDIR
+# DONT:         fi
+# DONT:      fi
+# DONT:   fi
 else
    if [ $OS = "SunOS" ]; then
       #Go for the safe install rather then editing man.cf
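Review bot: the makewhatis calls are neutralised by prefixing them with `# DONT:` while the preceding `install -m 0644 ... $MANDIR/man1` lines still copy the man pages into $MANDIR, so the man-page install is left half done and sixteen dead lines have to be read past. For a throwaway analysis install either skip the whole man-page branch (the `install` lines included) or delete the disabled lines outright; if the point is to document why `makewhatis` must not touch the host's whatis database, a one-line comment saying so carries more information than the DONT prefix.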
@@ -317,21 +317,115 @@
 fi
 
 #Symlink
-ln -f -s $BASEDIR/scripts/logwatch.pl /usr/sbin/logwatch
-printf "Created symlink for /usr/sbin/logwatch \n"
+# FIX_STATIC_PATH: ln -f -s $BASEDIR/scripts/logwatch.pl /usr/sbin/logwatch
+# FIX_STATIC_PATH: printf "Created symlink for /usr/sbin/logwatch \n"
 
 #Cron
-if [ -d /etc/cron.daily ]; then
-   rm -f /etc/cron.daily/0logwatch
-   install -m 0755 logwatch.cron /etc/cron.daily/0logwatch
-   printf "Created /etc/cron.daily/0logwatch \n" 
-else
-   install -m 0744 logwatch.cron $CONFIGDIR/logwatch.cron
-   printf "################ README ####################.\n"
-   printf "You need to setup your cron job for logwatch.\n"
-   printf "A sample script is included see $CONFIGDIR/logwatch.cron. \n"
-   printf "2 0 * * * $CONFIGDIR/logwatch.cron >/dev/null 2>&1 \n"
-fi
+# FIX_STATIC_PATH: if [ -d /etc/cron.daily ]; then
+# FIX_STATIC_PATH:    rm -f /etc/cron.daily/0logwatch
+# FIX_STATIC_PATH:    install -m 0755 logwatch.cron /etc/cron.daily/0logwatch
+# FIX_STATIC_PATH:    printf "Created /etc/cron.daily/0logwatch \n" 
+# FIX_STATIC_PATH: else
+# FIX_STATIC_PATH:    install -m 0744 logwatch.cron $CONFIGDIR/logwatch.cron
+# FIX_STATIC_PATH:    printf "################ README ####################.\n"
+# FIX_STATIC_PATH:    printf "You need to setup your cron job for logwatch.\n"
+# FIX_STATIC_PATH:    printf "A sample script is included see $CONFIGDIR/logwatch.cron. \n"
+# FIX_STATIC_PATH:    printf "2 0 * * * $CONFIGDIR/logwatch.cron >/dev/null 2>&1 \n"
+# FIX_STATIC_PATH: fi
+
+# Create dir for log files and report:
+install -m 0700 -d $BASEDIR/logs
+install -m 0700 -d $BASEDIR/report
+# Just let the user recursively copy /var into $BASEDIR/logs
+# mkdir -p ${BASEDIR}/logs/var/{adm,cron,log,log/mysql,spool,spool/MailScanner/incoming,tmp,run,mail,lib/rpm,spool/up2date}
+
+# Fix other static paths:
+find /tmp/logwatch_portable/ -type f -print0 | xargs -0 -iX sed -i "s|/usr/share/logwatch|/tmp/logwatch_portable|g" 'X'
+find /tmp/logwatch_portable/ -type f -print0 | xargs -0 -iX sed -i "s|/etc/logwatch|/tmp/logwatch_portable/etc|g" 'X'
+find /tmp/logwatch_portable/ -type f -print0 | xargs -0 -iX sed -i "s|/usr/local/etc|/tmp/logwatch_portable/etc|g" 'X'
+find /tmp/logwatch_portable/ -type f -print0 | xargs -0 -iX sed -i "s|/var/cache/logwatch|/tmp/logwatch_portable/tmp|g" 'X'
+find /tmp/logwatch_portable/ -type f -not -name http -print0 | xargs -0 -iX sed -i "s|/var|/tmp/logwatch_portable/logs/var|g" 'X'
+
+# Patch scripts/services/http
+cat > http.diff << EOP
+--- http.orig 2012-03-28 00:00:01.000000000 +0000
++++ http      2012-03-28 00:00:02.000000000 +0000
+@@ -334,6 +334,64 @@
+    'shtml\.exe',
+    'win\.ini',
+    'xxxxxxxxxxxxxxxxxxxxxx',
++   '%20/tmp',
++   '%20/var',
++   '7z%20',
++   'apt-get%20',
++   'cat%20',
++   'cc%20',
++   'cd%20',
++   'crontab%20',
++   'curl%20',
++   'cvs%20',
++   'echo%20',
++   'elinks%20',
++   'emerge%20',
++   'ftp%20',
++   'GET%20',
++   'gcc%20',
++   'gzip%20',
++   'gunzip%20',
++   'HEAD%20',
++   'id%20',
++   'kill%20',
++   'killall%20',
++   'links%20',
++   'ls%20',
++   'lwp-download%20',
++   'lwp-request%20',
++   'lwp-mirror%20',
++   'lwp-rget%20',
++   'lynx%20',
++   'mail%20',
++   'mailx%20',
++   'mkdir%20',
++   'nc%20',
++   'ncftp%20',
++   'netcat%20',
++   'netstat%20',
++   'POST%20',
++   'perl%20',
++   'ps%20',
++   'python%20',
++   'rar%20',
++   'rexec%20',
++   'rm%20',
++   'rpm%20',
++   'ruby%20',
++   'scp%20',
++   'sh%20',
++   'smbclient%20',
++   'ssh%20',
++   'svn%20',
++   'tar%20',
++   'telnet%20',
++   'tftp%20',
++   'wget%20',
++   'uname%20',
++   'wget%20',
++   'whoami%20',
++   'yum%20',
+ );
+ 
+ #
+EOP
+
+cat http.diff | patch -F 3 /tmp/logwatch_portable/scripts/services/http
+
+cat > /tmp/logwatch_portable/scripts/logwatch.sh << EOP
+#!/bin/bash ---
+/tmp/logwatch_portable/scripts/logwatch.pl --detail High --logdir /tmp/logwatch_portable/logs --output file --format text --archives --filename /tmp/logwatch_portable/report/logwatch.log --range All --numeric --debug Med --hostformat split 2>&1 | tee /tmp/logwatch_portable/report/logwatch.tee
+exit 0 
+EOP
+
+echo "Run /tmp/logwatch_portable/scripts/logwatch.sh now."
 
 exit
 # vi: shiftwidth=3 tabstop=3 et
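Review bot: the path fix-ups and the generated wrapper hard-code /tmp/logwatch_portable (the five `find ... | xargs ... sed -i` lines, the `patch` target, the heredoc that writes scripts/logwatch.sh and the final echo) instead of using "$BASEDIR", so changing the one default at the top of the script leaves all of these pointing at the old location; using the variable throughout would make the sed-the-patch workaround below unnecessary. Three further points. First, the blanket `s|/var|/tmp/logwatch_portable/logs/var|g` rewrite hits every occurrence of that substring in every file except `http`, which includes any regex in a service script that matches /var/... strings inside log lines, so diff the tree against the pristine source before trusting the report. Second, logwatch.sh passes `--logdir /tmp/logwatch_portable/logs` while the mkdir hint and the sed rewrite place the copied files under logs/var/log; confirm which of the two any relative LogFile entries resolve against. Third, the added http pattern list contains 'wget%20' twice, `patch -F 3` applies with fuzz and its exit status is never checked, and the `#!/bin/bash ---` shebang should be `#!/bin/bash -` (or the wrapper should be run explicitly with bash), since `---` is not an option bash accepts.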
Note I chose /tmp here, which will work as long as it has enough space to store the log files, temporary files and report. Use 'sed -i "s|/tmp|/other path|g" /path/to/patch' if necessary.
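As an added example (not part of the original post or of the Logwatch project), here is a check to run once the patched installer has finished: it walks the portable tree and reports every line that still names /etc/logwatch, /usr/share/logwatch, /var/cache/logwatch or /var/log without the portable prefix, and confirms the etc, scripts, logs and report directories exist. The tree it builds for the demonstration is constructed, and the heuristic that a line already containing the portable prefix counts as rewritten is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from Logwatch.
# After the patched install_logwatch.sh has run, verify that the portable
# tree no longer refers to the analysis machine's own Logwatch locations.

# System paths the patched installer is supposed to have rewritten.
SYSTEM_PATHS='/etc/logwatch|/usr/share/logwatch|/var/cache/logwatch|/var/log'

# Print "file:line:text" for every line under $1 that names one of the
# system paths but not the portable prefix itself.  Heuristic (assumption):
# a line that already contains the prefix is treated as rewritten.
leftover_paths() {
    base=$1
    find "$base" -type f | while IFS= read -r f; do
        grep -nE "$SYSTEM_PATHS" "$f" | grep -vF -- "$base" | while IFS= read -r hit; do
            printf '%s:%s\n' "$f" "$hit"
        done
    done
    return 0
}

# Return 0 if the tree has the expected layout and no leftover paths.
check_portable_tree() {
    base=$1
    rc=0
    for d in "$base/etc" "$base/scripts" "$base/logs" "$base/report"; do
        [ -d "$d" ] || { printf 'missing directory: %s\n' "$d" >&2; rc=1; }
    done
    left=$(leftover_paths "$base")
    if [ -n "$left" ]; then
        printf 'still pointing at the analysis host:\n%s\n' "$left" >&2
        rc=1
    fi
    return $rc
}

# Constructed stand-in for an install: one rewritten config, two missed files.
make_demo_tree() {
    base=$1
    mkdir -p "$base/scripts/services" "$base/etc/logfiles" "$base/logs" "$base/report"
    printf 'LogFile = %s/logs/var/log/messages\n' "$base" > "$base/etc/logfiles/messages.conf"
    printf 'LogFile = /var/log/secure\n' > "$base/etc/logfiles/secure.conf"
    printf '$ConfigDir = "/etc/logwatch";\n' > "$base/scripts/services/stale.pl"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
if check_portable_tree "$demo"; then
    echo "portable tree OK: $demo"
else
    echo "fix the lines above before copying evidence into $demo/logs" >&2
fi
rm -rf "$demo"
```

Point `check_portable_tree` at the real BASEDIR instead of the demo tree; a non-zero exit means the report would be built, at least in part, from the analysis machine's own logs.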

Also note that the default settings the logrotate package ships with are generally not sufficient for servers. There is no single rule of thumb for log retention, because the amount of audit trail you need or want to keep depends on which services you expose, how much logging is generated on average, whether disk space is an issue, and whether the aggregated data in log file reports alone offers enough detail (prior to log deletion) for later analysis. In short: ask yourself what resources you would have at your disposal right now to analyze a possible security incident that happened three months ago.
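Added example (not from the original post): the question at the end of the paragraph can be put to the configuration directly. This POSIX shell script reads a logrotate.conf-style file and works out how many days of each log survive under its rotation schedule (rotate count times the interval, capped by maxage; size-based rotation has no calendar bound and is reported as unbounded), then flags anything shorter than the window you care about. The sample configuration is constructed, and the modelling of logrotate directives is a deliberate simplification (monthly is taken as 30 days).

```shell
#!/bin/sh
# Added example, not code from the original post.  Estimate how many days
# of each log a logrotate configuration keeps, so the "what would I still
# have from three months ago?" question is answered before an incident.

# Print "<logfile> <days>" (or "<logfile> unbounded") for every block in a
# logrotate.conf-style file.  Top-level directives are defaults; a block may
# override them.  Modelled (a simplification, assumption): daily/weekly/
# monthly/yearly intervals, rotate, maxage, and size (size-based rotation
# replaces the interval and has no calendar bound).
retention_report() {
    awk '
        function period_days(p) {
            if (p == "daily")   return 1
            if (p == "weekly")  return 7
            if (p == "monthly") return 30
            if (p == "yearly")  return 365
            return 0                       # "size" or nothing set
        }
        BEGIN { in_block = 0; g_period = ""; g_rotate = 0; g_maxage = 0 }
        /^[[:space:]]*(#|$)/ { next }
        /\{[[:space:]]*$/ {                # "/var/log/messages {" opens a block
            in_block = 1; name = $1
            period = g_period; rotate = g_rotate; maxage = g_maxage
            next
        }
        /^[[:space:]]*\}/ {                # "}" closes it: report
            pd = period_days(period)
            if (pd == 0) {
                printf "%s unbounded\n", name
            } else {
                days = rotate * pd
                if (maxage > 0 && maxage < days) days = maxage
                printf "%s %d\n", name, days
            }
            in_block = 0
            next
        }
        {
            key = $1; val = $2 + 0
            if (key == "daily" || key == "weekly" || key == "monthly" || key == "yearly" || key == "size") {
                if (in_block) period = key; else g_period = key
            } else if (key == "rotate") {
                if (in_block) rotate = val; else g_rotate = val
            } else if (key == "maxage") {
                if (in_block) maxage = val; else g_maxage = val
            }
        }
    ' "$1"
}

# Exit 0 if every time-rotated log keeps at least $2 days, 1 otherwise,
# naming the offenders.
check_retention() {
    retention_report "$1" | awk -v min="$2" '
        BEGIN { bad = 0 }
        $2 != "unbounded" && $2 + 0 < min {
            printf "SHORT: %s keeps %s days (< %d wanted)\n", $1, $2, min
            bad = 1
        }
        END { exit bad }'
}

# Constructed sample: package-style defaults (weekly, rotate 4) plus three
# blocks that override them.
write_sample_conf() {
    cat > "$1" <<'EOF'
weekly
rotate 4

/var/log/messages {
    missingok
}

/var/log/secure {
    daily
    rotate 7
    compress
}

/var/log/httpd/access_log {
    monthly
    rotate 12
    maxage 365
}

/var/log/mysql/slow.log {
    size 100M
    rotate 5
}
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
retention_report "$conf"
check_retention "$conf" 90 || echo "some logs would not cover a 90-day-old incident" >&2
rm -f "$conf"
```

Run `check_retention /etc/logrotate.conf 90` (and the same over the files in /etc/logrotate.d) on a server to see which logs would already be gone by the time a three-month-old incident is noticed; with the package-style defaults in the sample, /var/log/messages keeps 28 days and /var/log/secure only 7.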