I'm currently managing two Gentoo servers. I wrote a small script that does the following:
1. Runs 'chkrootkit' to see if anything is infected
2. Runs 'emerge sync' to get a snapshot of the current portage tree
3. Runs 'emerge -up world' to show available updates
4. Runs 'glsa-check -l' to show if any security updates are available
5. E-mails results of above to security user on each server
The script is run daily at 4 a.m. via cron. The next thing I want to add to the script is log checking. Specifically, I want the script to show all logins and failed logins for that day. I'm using metalog so everything relevant is stored in /var/log/everything and a simple 'grep session' would show all logins and failed logins.
The problem is that I don't know how to specify to only show the logins from that day. I could try to manipulate the date stamp on every entry in the log file but I'm not sure how to do this. The problem with this is that metalog rotates logs by file size, so if the file gets rotated the data goes to /var/log/everything/log-2004-blah-blah. So, I'd have to check every file under /var/log/everything to see what's going on here.
Just wondering how you guys would tackle this. I'm open to suggestions. Here is the current script (I'm no Perl expert by the way):
Code:
#!/usr/bin/perl -w
use strict;

# chomp strips the trailing newline from the backtick output; without it the
# newline ends up inside the mail subject line
my $date     = `date`;     chomp $date;
my $hostname = `hostname`; chomp $hostname;
my $text_file = "/root/email.txt";
my $chk_file  = "/root/chkrootkit_results.txt";
my @infected;

# CHKROOTKIT SECTION
system("echo 'Chkrootkit Results:\n' > $text_file");
system("chkrootkit > $chk_file");
open(CHK_IN, $chk_file) or die "Cannot open $chk_file: $!";
while (<CHK_IN>)
{
    # keep only the lines chkrootkit flags as INFECTED
    push(@infected, $_) if (/INFECTED/);
}
close CHK_IN;
if (@infected)
{
    system("echo 'INFECTED LINES FOUND!\n\n' >> $text_file");
    system("echo '$_\n' >> $text_file") for @infected;
}
else
{
    system("echo 'Nothing infected.\n' >> $text_file");
}

# SYNC TO CURRENT PORTAGE TREE
system("emerge sync > /dev/null 2> /dev/null");

# CHECK FOR AVAILABLE UPDATES
system("echo '\nAvailable Package Updates:\n' >> $text_file");
system("emerge -up world | grep ebuild >> $text_file");

# RUN GLSA-CHECK TO SEE IF ANY SECURITY UPDATES ARE AVAILABLE
system("echo '\nGlsa-Check Results:\n' >> $text_file");
system("glsa-check -l 2> /dev/null >> $text_file");

# E-MAIL RESULTS
system("cat $text_file | mail -s \"Security Report For $hostname On $date\" security\@localhost");

# CLEAN UP TEMPORARY TEXT FILES
system("rm -f $text_file");
system("rm -f $chk_file");

# TO DO LIST
# ADD SUPPORT TO PARSE LOG FILES FOR DAILY LOGINS AND DAILY FAILED LOGINS VIA METALOG
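One way to tackle the daily-login part, as an added example that is not part of the original post or the poster's script: read the live metalog file and every rotated file together, keep only the lines stamped with today's "Mon DD" prefix, then keep only login-related events. Reading all the files is what keeps the result correct on a day when a size-based rotation happened. It assumes metalog's default line format ("Mon DD HH:MM:SS [program] message" with a space-padded day), that the live file is /var/log/everything/current and rotated files are named log-*, and that sshd/PAM wording such as "Accepted", "Failed password" and "session opened" is what you want to catch; the sample log lines are constructed for the demo. The Perl script can call it with backticks and append the output to $text_file.

```shell
#!/bin/sh
# Added example, not part of the original post: pull one day's logins and
# failed logins out of metalog's /var/log/everything, rotated files included.
# Assumptions (not confirmed by the post): metalog writes lines as
# "Mon DD HH:MM:SS [program] message" with the day space-padded, the live
# file is DIR/current and rotated files are named DIR/log-*.

# today_stamp: the "Mon DD" prefix metalog writes today (%e pads with a space,
# so "Apr  5" matches the log where "Apr 5" would not)
today_stamp() {
    date '+%b %e'
}

# logins_for_day DIR "Mon DD"
# Concatenates the live and rotated files, keeps only lines carrying the
# requested day stamp, then keeps only login-related events.
logins_for_day() {
    dir=$1
    day=$2
    cat "$dir"/current "$dir"/log-* 2>/dev/null \
        | grep "^$day " \
        | grep -E 'session opened|session closed|Accepted |Failed password|authentication failure'
}

# failed_logins_for_day DIR "Mon DD": the subset that indicates a failure
failed_logins_for_day() {
    logins_for_day "$1" "$2" | grep -E 'Failed password|authentication failure'
}

# write_sample_logs DIR: constructed sample data (not real log output) so the
# functions can be exercised without touching /var/log. The rotated file
# holds the first entry of Jan 2, as happens when rotation occurs mid-day.
write_sample_logs() {
    dir=$1
    cat > "$dir/log-2004-01-01" <<'EOF'
Jan  1 22:10:00 [sshd] Accepted password for alice from 192.0.2.10 port 5000 ssh2
Jan  2 00:00:05 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
EOF
    cat > "$dir/current" <<'EOF'
Jan  2 04:00:01 [cron] (root) CMD (/root/security.pl)
Jan  2 08:12:33 [sshd] Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jan  2 08:12:33 [sshd] pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan  2 09:40:02 [sshd] Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Jan  3 00:01:10 [sshd] Accepted password for bob from 192.0.2.11 port 5100 ssh2
EOF
}

# Usage: sh logins.sh --demo                      (constructed sample data)
#        sh logins.sh /var/log/everything "$(date '+%b %e')"
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_logs "$d"
    echo "Logins for Jan  2:";        logins_for_day "$d" "Jan  2"
    echo "Failed logins for Jan  2:"; failed_logins_for_day "$d" "Jan  2"
    rm -rf "$d"
elif [ $# -eq 2 ]; then
    logins_for_day "$1" "$2"
fi
```

With the sample data the day filter drops the Jan 1 and Jan 3 entries and the cron line, and keeps the root session that metalog had already rotated into log-2004-01-01, which a grep of the current file alone would miss. Filtering on "Mon DD" only works within a single year, which is all the daily report needs.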