Is there a definitive list of log files that should be watched on a regular basis for 'unusual' activity?
For system messages (iptables/ipchains too) it's the files syslog uses (cat /etc/syslog.conf), plus daemon logs ("lsof | grep "var/" | awk '{print $9}' | egrep -ve "(lib|cache|run)" | sort | uniq" should show all open files under /var, which are, with some exceptions, usually logfiles), plus (bad) logins (utmp, wtmp, last, lastb) and process accounting (pacct).
If you're running an ext2/3 system you can set the append-only flag to make sure only info can be added. Don't forget to unset the flag temporarily on log rotation.
Also, any thoughts on good apps like Snort, Tripwire, etc.?
Snort definitely, and I choose Aide over Tripwire. However, you should deploy a filesystem integrity scanner when you install the OS (to be sure the system was not tampered with) and save (a copy of) the binary and DBs on read-only media. Since a filesystem integrity scanner is a PASSIVE means, you should prep the system first to the point where the system cannot be tampered with easily: system users, users and processes are restricted. Check out the
LQ FAQ: Security references.
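As an added example (my code, not from the thread): a POSIX shell snippet that pulls the file targets out of a syslog.conf, the "cat /etc/syslog.conf" step above, so you have the watch list in one place, plus the chattr -a / +a wrapper around log rotation that the reply describes. The syslog.conf content is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Constructed sample of a classic syslog.conf ("selector  action").
# Real files separate the two fields with tabs; awk accepts either.
SAMPLE_SYSLOG_CONF='# /etc/syslog.conf (constructed sample)
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           -/var/log/maillog
cron.*                           /var/log/cron
*.emerg                          *
kern.*                           |/var/run/fifo
*.warn                           @loghost.example.invalid
local7.*                         /var/log/boot.log
uucp,news.crit                   /var/log/spooler'

# syslog_targets: read a syslog.conf on stdin and print each regular
# log file once. Drops comments and blank lines, "*" (write to all
# users), "|pipe" and "@host" actions, and strips the leading "-" that
# only disables fsync on a file target.
syslog_targets() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            action = $NF
            sub(/^-/, "", action)
            if (action ~ /^\//) print action
        }
    ' | sort -u
}

# is_append_only: true if the file carries the ext2/3 "a" attribute.
# Needs lsattr from e2fsprogs; not called at top level here.
is_append_only() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q a
}

# rotate_append_only: the pattern from the reply. Append-only files
# cannot be renamed or truncated, so clear the flag, rotate, re-set it.
# Needs root and e2fsprogs; not called at top level here.
rotate_append_only() {
    for f in "$@"; do chattr -a "$f"; done
    logrotate /etc/logrotate.conf
    for f in "$@"; do chattr +a "$f"; done
}

# Demonstration on the constructed sample (prints six paths).
printf '%s\n' "$SAMPLE_SYSLOG_CONF" | syslog_targets
```

On a live box, replace the sample with `syslog_targets < /etc/syslog.conf` and feed the result to `rotate_append_only` from your logrotate cron job.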