LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  02-19-2004, 07:01 AM
steve_babbage (LQ Newbie; registered Jul 2003; Location: Australia; Distribution: redhat9; Posts: 23)
log monitoring


Hello,

Is there a definitive list of log files that should be watched on a regular basis for 'unusual' activity?
Of course I understand that most people who would look for and abuse a hole will try to cover their tracks by removing/erasing log files, but are there some that should be watched regularly?

Also, any thoughts on good apps like Snort, Tripwire etc.?

Thanks
 
#2  02-20-2004, 02:08 AM
unSpawn (Moderator; registered May 2001; Posts: 27,118; Blog Entries: 54)
Is there a definitive list of log files that should be watched on a regular basis for 'unusual' activity?
For system messages (iptables/ipchains too) it's the files syslog uses (cat /etc/syslog.conf), plus daemon logs ("lsof | grep "var/" | awk '{print $9}' | egrep -ve "(lib|cache|run)" | sort | uniq" should show all open files under /var, which are, with some exceptions, usually logfiles), plus (bad) logins (utmp, wtmp, last, lastb) and process accounting (pacct).

If you're running an ext2/3 system you can set the append-only flag, to make sure info can only be added. Don't forget to unset the flag temporarily on log rotation.


Also, any thoughts on good apps like Snort, Tripwire etc.?
Snort definitely, and I choose AIDE over Tripwire. However, you should deploy a filesystem integrity scanner when you install the OS (to be sure the system was not tampered with) and save (a copy of) the binary and DBs on read-only media. Since a filesystem integrity scanner is a PASSIVE means, you should first prep the system to the point where it cannot be tampered with easily, and system users, users and processes are restricted. Check out the LQ FAQ: Security references.
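The reply above boils down to a small procedure: enumerate the files syslog writes to, make them append-only, and lift that flag only while logrotate runs. The script below is an added example written for this page, not code from the thread or from any project. It parses syslog.conf-style text with awk, reads lsattr-style output to find files that lack the "a" flag, and prints a logrotate stanza whose prerotate/postrotate scripts call chattr. The syslog.conf and lsattr samples are constructed for the demo; the assumption that logrotate passes the log's absolute path to prerotate/postrotate as $1 holds when "sharedscripts" is not used.

```shell
#!/bin/sh
# Added example, not code from the original thread. It works through the
# reply's advice: list the files syslog writes to (from syslog.conf-style
# text), find those that are not append-only according to lsattr output, and
# emit a logrotate stanza that drops the append-only flag only for the
# duration of a rotation. The samples below are constructed for the demo.

# Constructed syslog.conf content (Red Hat style; not from a real host).
SAMPLE_SYSLOG_CONF='# Log all kernel messages to the console.
#kern.*                                                 /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
kern.warning                                            @loghost.example.org
'

# Constructed "lsattr" output for some of those files (flags field, then path).
SAMPLE_LSATTR='-----a--------e----- /var/log/messages
-----a--------e----- /var/log/secure
--------------e----- /var/log/maillog
--------------e----- /var/log/cron
'

# syslog_targets: read syslog.conf text on stdin and print the regular files
# it appends to, one per line, sorted and deduplicated. Comments, blank lines,
# "*" (wall to all users), "@host" (remote syslog), "|pipe" and /dev/*
# actions are skipped; a leading "-" (no fsync after each write) is stripped.
syslog_targets() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            t = $NF
            sub(/^-/, "", t)
            if (t ~ /^\// && t !~ /^\/dev\//) print t
        }' | sort -u
}

# missing_append_only: read lsattr output on stdin and print the paths whose
# flag string has no "a" (the append-only attribute set by "chattr +a").
missing_append_only() {
    awk '$1 !~ /a/ { print $2 }'
}

# logrotate_stanza FILE: print a logrotate(8) stanza for FILE that clears the
# append-only flag right before rotation and sets it again on the freshly
# created file afterwards. logrotate passes the log's absolute path to the
# prerotate/postrotate scripts as $1 (unless "sharedscripts" is used), which
# is why the heredoc keeps "\$1" literal. Without this, rotation fails: an
# append-only file cannot be renamed or truncated, even by root.
logrotate_stanza() {
    cat <<EOF
$1 {
    weekly
    rotate 8
    missingok
    create 0640 root root
    compress
    delaycompress
    prerotate
        /usr/bin/chattr -a "\$1"
    endscript
    postrotate
        /usr/bin/chattr +a "\$1"
        /bin/kill -HUP \$(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}

# Demo on the constructed samples. On a real host feed the functions from the
# system instead, as root:
#   syslog_targets < /etc/syslog.conf | xargs lsattr | missing_append_only
echo "== syslog file targets =="
printf '%s' "$SAMPLE_SYSLOG_CONF" | syslog_targets
echo "== targets without the append-only flag =="
printf '%s' "$SAMPLE_LSATTR" | missing_append_only
echo "== logrotate stanza for /var/log/messages =="
logrotate_stanza /var/log/messages
```

Two caveats go with the flag itself. Setting or clearing it needs CAP_LINUX_IMMUTABLE, so it stops a non-root intruder and careless cleanup scripts, but an intruder who already has root can run "chattr -a" unless that capability has been dropped system-wide. And syslogd keeps working because it opens its files with O_APPEND, whereas anything that truncates or renames the file in place (copytruncate, "> /var/log/messages") will get EPERM until the flag is cleared.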