LinuxQuestions.org
Old 02-19-2004, 08:01 AM   #1
steve_babbage
LQ Newbie
 
Registered: Jul 2003
Location: Australia
Distribution: redhat9
Posts: 23

Rep: Reputation: 15
log monitoring


Hello,

Is there a definitive list of log files that should be watched on a regular basis for 'unusual' activity?
Of course I understand that most people who would look for and abuse a hole will try to cover their tracks by removing/erasing log files, but are there some that should be watched regularly?

Also, any thoughts on good apps like snort, tripwire etc.?

Thanks
 
Old 02-20-2004, 03:08 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Is there a definitive list of log files that should be watched on a regular basis for 'unusual' activity?

For system messages (Iptables/ipchains too) it's the files Syslog uses (cat /etc/syslog.conf), plus daemon logs (running lsof | grep "var/" | awk '{print $9}' | egrep -ve "(lib|cache|run)" | sort | uniq should show all open files under /var, which are, with some exceptions, usually logfiles), plus (bad) logins (utmp, wtmp, last, lastb) and process accounting (pacct).

If you're running an ext2/3 system you can set the append-only flag, to make sure info can only be added. Don't forget to unset the flag temporarily on log rotation.


Quote:
Also, any thoughts on good apps like snort, tripwire etc.?

Snort definitely, and I choose Aide over tripwire. However, you should deploy a filesystem integrity scanner when you install the OS (to be sure the system was not tampered with) and save (a copy of) the binary and db's on read-only media. Since a filesystem integrity scanner is a PASSIVE means, you should prep the system first to the point where the system cannot be tampered with easily, and system users, users and processes are restricted. Check out the LQ FAQ: Security references.
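The steps unSpawn lists (find the files syslog writes to, check that each is append-only, and clear the flag around log rotation) as one added example; this is not unSpawn's code or any LQ-provided script. The syslog.conf content is a constructed sample, and the script assumes lsattr/chattr from e2fsprogs and the standard prerotate/postrotate directives of logrotate.

```shell
# Constructed sample in the style of a Red Hat 9 era /etc/syslog.conf (not from any real host).
SAMPLE_SYSLOG_CONF='# Log all kernel messages to the console.
kern.*                                          /dev/console
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
*.emerg                                         *
local7.*                                        /var/log/boot.log'
# syslog_targets: read a syslog.conf on stdin, print the regular files it writes to.
# Skips comments/blank lines, strips the "-" (no fsync) prefix, drops /dev nodes,
# "*" (write to all users) and @remotehost targets.
syslog_targets() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { t = $NF; sub(/^-/, "", t)
           if (t ~ /^\// && t !~ /^\/dev\//) print t }' | LC_ALL=C sort -u
}
# append_only_status: for each path on stdin report "missing", "append-only" or
# "MUTABLE" from the lsattr(1) attribute field ('a' = append-only, set by chattr +a).
# A MUTABLE logfile can still be truncated or edited by anyone who owns/roots the box.
append_only_status() {
    while IFS= read -r f; do
        if [ ! -e "$f" ]; then
            printf '%s missing\n' "$f"
        elif lsattr -- "$f" 2>/dev/null | awk '{print $1}' | grep -q 'a'; then
            printf '%s append-only\n' "$f"
        else
            printf '%s MUTABLE\n' "$f"
        fi
    done
}
# logrotate_stanza: emit a logrotate(8) block for one file that drops the flag before
# rotation (an append-only file cannot be renamed) and restores it afterwards.
logrotate_stanza() {
    cat <<EOF
$1 {
    prerotate
        chattr -a $1
    endscript
    postrotate
        chattr +a $1
    endscript
}
EOF
}
# Usage: list the files syslog writes to and report each one's append-only state.
printf '%s\n' "$SAMPLE_SYSLOG_CONF" | syslog_targets | append_only_status
```

Run it as root against the real /etc/syslog.conf (syslog_targets < /etc/syslog.conf | append_only_status) to get the list of files to watch and any that still lack the flag.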