- SYSLOG is the main UNIX logging tool. With this system, you can set up logging anywhere from very high level to extremely detailed and have each logging stream go to a different file. Trust me, SYSLOG is your friend!
Edit /etc/syslog.conf and -ADD- the following lines if they aren't already in there:
**********************************************************************
* NOTE!!!  All space between the left and right columns MUST BE TABS.
*          If they are SPACEs, syslog will NOT load!  Kinda stupid eh?
**********************************************************************
Redhat users:

	*.warn;*.err			/var/log/syslog
	auth.*;user.*;daemon.none	/var/log/loginlog
	kern.*				/var/log/kernel

Slackware users:

	*.warn;*.err			/var/adm/syslog
	mail.*				/var/adm/maillog
	auth.*;user.*;daemon.none	/var/adm/loginlog
	kern.*				/var/adm/kernel
All Distributions: Once you have edited the /etc/syslog.conf file, save your changes and exit the editor. Now, the following files must be created for SYSLOG to work:

touch /var/log/syslog
touch /var/log/loginlog
touch /var/log/kernel
-- Nov 28 08:25:42 hostname -- MARK -- --
This is the SYSLOG daemon telling you that SYSLOG is running but had nothing to report. If you don't like this behavior, you can disable it by editing the following file and changing the MARK time out.
In /etc/rc.d/init.d/syslog, find the line that says:
-- daemon syslogd --
and replace it with:
-- daemon syslogd -m 0 --
To make ALL of the above changes go into effect, run:
Next, tighten the permissions on these new files (and the existing log files):

Redhat users:

chmod 600 /var/log/syslog
chmod 600 /var/log/loginlog
chmod 600 /var/log/kernel

Make sure old SYSLOG file perms are ok too:

chmod 600 /etc/syslog.conf
chmod 600 /var/log/cron
chmod 700 /var/log/httpd
chmod 600 /var/log/httpd/*
chmod 600 /var/log/maillog
chmod 600 /var/log/messages
chmod 600 /var/log/mysql
chmod 600 /var/log/netconf.log
chmod 700 /var/log/samba
chmod 600 /var/log/samba/*
chmod 600 /var/log/sendmail.st
chmod 600 /var/log/secure
chmod 600 /var/log/spooler
chmod 700 /var/log/squid
chmod 600 /var/log/squid/*
chmod 600 /var/log/xferlog

Slackware users:

chmod 600 /var/adm/syslog
chmod 600 /var/adm/loginlog
chmod 600 /var/adm/kernel
chmod 600 /etc/syslog.conf
Ok, now restart SYSLOG:
Stock Redhat comes with a tool (logrotate) that will take your SYSLOG log files, rename them to the day they came from, optionally compress them, and then restart the log files for the next day. This is very handy as SYSLOG files can get VERY large. If you are using some other Linux distribution that doesn't have this feature, I highly recommend installing a program that will do this for you (there are many to choose from).
- Redhat:
Next, allow the new syslog files to be rotated as well. Add these lines to /etc/logrotate.d/syslog:

--
/var/log/kernel {
    postrotate
        /usr/bin/killall -9 klogd
        /sbin/klogd &
    endscript
}

/var/log/loginlog {
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}

/var/log/syslog {
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}
--
Also, I highly recommend that you edit the /etc/logrotate.conf file and do the following:

Find "#compress" and remove the "#" so it only says "compress". This will then compress the rotated log files with Gzip.

I also recommend that you comment out (#) the wtmp and lastlog sections so they look like this:

[ Why?  If these files are rotated, you won't be easily able to ]
[ tell when users have logged in.                                ]

## no packages own lastlog or wtmp -- we'll rotate them here
#/var/log/wtmp {
#    monthly
#    rotate 1
#}
#
#/var/log/lastlog {
#    monthly
#    rotate 1
#}
Finally, some logrotate entries explicitly default to no compression (why?). I recommend adding a "#" before the "nocompress" line in each of the following files:

/etc/logrotate.d/ftpd
/etc/logrotate.d/linuxconf
/etc/logrotate.d/sendfax
There might be other files in this directory. Check each one of them.
Lastly, I recommend going into the /etc/logrotate.d/ directory and MOVING the log config files that you KNOW you won't be using to a "disabled" directory. This is completely dependent on the services that you installed and then on which ones you opted to NOT run.
As mentioned before, for packages that you KNOW you won't ever use, instead of disabling the logrotation for a given package, DELETE the entire package either using RPM or PKGDEL.
To manually disable things:
mkdir -m 700 /etc/logrotate.d.disabled
mv /etc/logrotate.d/mysql /etc/logrotate.d.disabled
mv /etc/logrotate.d/squid /etc/logrotate.d.disabled
- Edit the "/etc/rc.d/rc.local" file and add the following lines at the end:
The following tip is a personal idea I like for both Redhat and Slackware. By default, when you log in to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. Even worse, Mandrake puts up a very stupid looking Penguin.
To me, this is giving away too much info. I'd rather just prompt users with a "Login: " prompt (if they ever get that far past your packet firewall and TCP wrappers).
To fix this, do the following:
Place "#"s in front of the following lines like shown:
NOTE: This looks a little different with Mandrake:
/etc/rc.d/rc.local
## This will overwrite /etc/issue at every boot.  So, make any changes you
## want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "Red Hat Linux $R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
Then, do the following:
rm -f /etc/issue
rm -f /etc/issue.net
touch /etc/issue
touch /etc/issue.net
chmod 400 /etc/issue
chmod 400 /etc/issue.net
/etc/rc.d/rc.local
dmesg >> /etc/info/dmesg
* Next, the following tip is a great way of seeing your various logs on your Linux box without having to log in, etc. Some people might feel that this is a security risk, but the only exposure is to someone with physical access to the console.
Edit the following file, find the existing line for each log (say, syslog or messages), and add the corresponding line below it:
/etc/syslog.conf
	*.warn;*.err		/dev/tty7
	mail.*			/dev/tty8
	kern.*			/dev/tty8
To make these changes take effect, run the following line:
Now, whenever anything is added to those log files, just go to the ALT-F7 or ALT-F8 virtual terminal (VTY) and watch the messages roll by in real time.
* Like the real-time log monitor above, it's nice to be able to see errors in real time whenever you suspect problems, even when logged in remotely via TELNET, SSH, etc. To do this, create the file with the following contents:
Slackware:

/root/logit
--
#!/bin/sh
tail -f /var/adm/samba/log.nmb &
tail -f /var/adm/samba/log.smb &
tail -f /var/adm/xferlog &
tail -f /var/adm/maillog &
tail -f /var/adm/secure &
tail -f /var/adm/syslog &
tail -f /var/adm/messages &
--

Redhat:

/root/logit
--
#!/bin/sh
tail -f /var/log/samba/log.nmb &
tail -f /var/log/samba/log.smb &
tail -f /var/log/xferlog &
tail -f /var/log/maillog &
tail -f /var/log/secure &
tail -f /var/log/syslog &
tail -f /var/log/messages &
--
Now, fix the permissions for it:

chmod 700 /root/logit
Now, whenever you are suspecting problems with ANYTHING on your Linux box, just run "/root/logit" and watch the error logs go by in real-time.
A few tips:

- Type in "clear" at the UNIX prompt now and then to clean up the screen for readability's sake.
- When logs are scrolling by but you are looking for something that should show up in a few seconds, hit ENTER a few times to push the old log info up a few lines.
When you are done with "logit", run the command "killall tail" to stop all the logging.
Being a command line junky, I use the CLI (command line interface) most of the time. To make things a little easier on the eye, I recommend that you color the BASH prompt: all NON-root users get a "green" prompt but the ROOT user gets a "red" one.
You can do this one of two ways: set it up on a PER USER basis or for ALL users.
For this example, let's do it just for the ROOT user.
1. Copy the main bash profile to the root user's home directory:
cp /etc/bashrc /root/.bashrc
NOTE: Why bashrc and not profile? The reason is that bashrc OVERRIDES anything in the profile.
2. Edit it, find the line for the "PS1" variable and REPLACE it with the following. This will make the prompt a bright green (easy on the eyes) color for NON-root users and red for the ROOT user. It will also show the machine name and a condensed directory prompt:

if [ `id -un` = root ]; then
   PS1='\[\033[1;31m\]\h:\w\$\[\033[0m\] '
else
   PS1='\[\033[1;32m\]\h:\w\$\[\033[0m\] '
fi
3. Save the .bashrc, log in as the root user or run "su -" and you should have the new prompt. For more good Bash ideas, check out the BASH howto from Section 5.
If you want to do it for ALL users, make the above change to the /etc/bashrc file instead.
As you execute commands in bash, they are recorded in the command history. Though this is great during your shell session, you might accidentally type a password in as a command, etc. To clean this up and cover your tracks once you log off, add the following lines as the LAST lines in your /etc/profile:
/etc/profile
--<begin>
#Depending on your version of BASH, you might have to use
# the other form of this command
trap "rm -f ~$LOGNAME/.bash_history" 0

#The older KSH-style form (use this one instead, and comment out the
# line above, if your shell rejects the form above)
#trap 0 rm -f ~$LOGNAME/.bash_history
--<end>
One powerful command in UNIX is the "apropos" or "man -k" command. This will let you do command searches on generic words like "modem", etc. BUT, when you first install Linux, this database isn't complete. It is usually built by a weekly cron job, but I recommend running it now:
makewhatis -w &
NOTE: This command will take a while depending on HD and CPU speed.
If you get ERRORs on the "makewhatis" command as I did in Mandrake 6.1, here is how to fix them. I received the following errors (bugs in the distribution, already reported as Bug #ier206). Running this command in Mandrake 7.0 completes without error.

--
bzcat: Can't open input file ./fetchmailconf.1.bz2: No such file or directory.
bzcat: ./ksh.1.bz2 is not a bzip2 file.
bzcat: Can't open input file ./pdksh.1.bz2: No such file or directory.
Read file error: ./rec.1 No such file or directory
bzcat: ./tixwish.1.bz2 is not a bzip2 file.
bzcat: ./efence.3.bz2 is not a bzip2 file.
Read file error: ./stm.8 No such file or directory
Read file error: ./clockprobe.8 No such file or directory
--
line 1: The /usr/man/man1/fetchmailconf.1.bz2 file is a symbolic link to fetchmail.1. That file doesn't exist since the real page is compressed with bz2. To fix it, do:

rm /usr/man/man1/fetchmailconf.1.bz2
ln -s /usr/man/man1/fetchmail.1.bz2 /usr/man/man1/fetchmailconf.1.bz2

line 2: The /usr/man/man1/ksh.1.bz2 file isn't really bz2'ed. To fix it, do:

mv /usr/man/man1/ksh.1.bz2 /usr/man/man1/ksh.1
bzip2 -z /usr/man/man1/ksh.1

line 3: The /usr/man/man1/pdksh.1.bz2 file points to a non-bz2 file (sloppy). To fix it, do the line-2 fix above, then:

rm /usr/man/man1/pdksh.1.bz2
ln -s /usr/man/man1/ksh.1.bz2 /usr/man/man1/pdksh.1.bz2

line 4: The /usr/man/man1/rec.1 file points to the bogus path /var/tmp/sox-root//usr/man/man1/play.1 (sloppy). To fix it, do:

rm /usr/man/man1/rec.1
ln -s /usr/man/man1/play.1.bz2 /usr/man/man1/rec.1.bz2

line 5: The /usr/man/man1/tixwish.1.bz2 file is not a bz2 file. To fix it, do:

mv /usr/man/man1/tixwish.1.bz2 /usr/man/man1/tixwish.1
bzip2 -z /usr/man/man1/tixwish.1

line 6: The /usr/man/man3/efence.3.bz2 file is not a valid man page. To fix it, do:

rm /usr/man/man3/efence.3.bz2

line 7: The /usr/man/man8/stm.8 file points to a non-existing file. To fix it, do:

rm /usr/man/man8/stm.8
ln -s /usr/man/man8/SVGATextMode.8.bz2 /usr/man/man8/stm.8.bz2

line 8: The /usr/man/man8/clockprobe.8 file points to a non-existing file. To fix it, do:

rm /usr/man/man8/clockprobe.8
ln -s /usr/man/man8/grabmode.8.bz2 /usr/man/man8/clockprobe.8.bz2
Once you have fixed these problems, re-run "makewhatis -w" and make sure it completes cleanly.
** HIGHLY RECOMMENDED for ALL Administrators **
If you are like me, you would like to know if any strange things are happening to your system (processes failing, hacker attempts, etc.). At the same time, you probably don't have the time to scan over all these logs every day to see what is and isn't interesting. This script filters the routine noise out of the daily logs, mails you what is left, and counts the number of connections to specific blocked ports (worms, viruses, etc.) instead of listing every hit. It also optionally monitors how many times your modem line came online (or failed due to busy signals, etc.) and reports what speeds it connected at in a nice summarized table.
To do this, follow these next steps (note: this isn't the prettiest script I've written and it needs a LOT of cleaning, but it should work for you).
*** Note:

ALL USERS:       The first time this script executes, you will receive some
                 errors regarding:

                    - todays-date and yesterdays-date

                 You can safely ignore these errors!

Slackware users: This file should be called "/usr/local/sbin/sendlogs"
Redhat users:    This file should be called "/usr/local/sbin/sendlogs"

Note:
  All users:       You will need to substitute in your proper mail address
                   so you will get your logs.

  Slackware users: Please edit this file and change the /var/log
                   references to /var/adm.

  Modem users:     You will need to un-# out the modem fields and
                   make sure that the temp file swapping from
                   $f1.tmp to $f2.tmp etc. transitions are correct.

                   I have this disabled because I'm a cable modem dude
                   now but this worked well.
------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully
scripted out for an automatic installation at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
------------------------------------------------------------------------------

/usr/local/sbin/sendlogs
<Sendlogs START>
#!/bin/sh
# TrinityOS-sendlogs.sh
# 03/06/04
#
# Part of the copyrighted and trademarked TrinityOS document.
# <"http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates:
#
# 03/06/04 - Added counts for SQL
# 02/12/04 - Added counts for MyDoom trojans
# 01/12/04 - Added Samba counts to the DMZ segment
# 11/15/03 - Fixed a typo of > vs. >> for the cups and http filter
# 11/09/03 - added a count of port 631 hits (CUPS)
# 10/28/03 - Changed mirror DD drive to sdc
# 10/23/03 - Adding a logger debug command
# 09/26/03 - Added a count of port 80 hits (www)
# 09/23/03 - removed all port 80 hits
# 01/30/03 - Added MP3 archive change log
# 06/28/02 - Added Seti stats
# 12/13/01 - Added a calculated total runtime to the end of the script
# 11/13/01 - filter those damn run-parts messages
# 08/28/01 - Log the status of the script for debugging hangs
# 07/14/01 - delete all the Jeff R denied update messages
# 01/07/01 - This script is now parsed directly from the SGML code and
#            because of this, several formatting issues were fixed.
#          - Made the output a little more pretty
#          - #ed out some diagnostic file information
#          - added an lsof log entry
#          - cleaned up the error reports in the SUID and RCMD searches
#
# 12/26/00 - Added --MARK-- Filtering
#
# 10/28/00 - Added an optional and #ed out section on DDing one HD to
#            another.  This is a simple but VERY effective online backup
#            though it is only done once a night.  If you have a spare HD
#            in your system, this is the next best thing to setting up
#            RAID1.  Personally, I just recommend to setup RAID1!  :)
#
# 10/08/00 - Deleted the removal of the SUID and RCMD new result files
#
# 09/16/00 - Added a full RPM database verification setup
#
# 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to
#            reflect the name of your Linux system.  You should edit this
#            to reflect your system.
#
# 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09.
#            Basically, I need to reverse the change on 01/17/00.
#
# 02/21/00 - Doh!  We do need the spaces between %b and %d
#
# 01/17/00 - Fixed all the "date" issues.  Date now uses %d over %e and
#            doesn't use any spaces.
#
# 01/01/00 - Fixed a missing ">" on line 139
#
# 12/16/99 - Fixed the RCMD mailer command at the end.  The "mail -s" line
#            needed to be ONE line
#
# 11/26/99 - Cleaned things up a bit
#          - Made all file references absolute
#
# 02/01/99 - Added "w" to the vitals output

logger "Sendlogs starting: `date`"

# Change these variables to reflect the HOSTNAME and external IP of this box
# -------------------------------------------------------------------------
HOST="roadrunner"
EXTIP="100.200.0.212"
# INT2BROAD is used by the CUPS and Samba counts below but was never set in
# the original script; set it to the broadcast address of your second
# internal interface (the value here is only a placeholder).
INT2BROAD="192.168.1.255"

export COLUMNS=132
echo "Sendlogs start: `date`" > /var/log/sendlogs.status
START=`date +%s`

#Make sure that the "yesterdays-date" file exists.  If not, create it.
#
if [ -f /var/log/todays-date ]; then
   mv /var/log/todays-date /var/log/yesterdays-date;
else
   date +'%b %e' > /var/log/yesterdays-date;
fi

#Make sure that the "/etc/info/logs" directory exists.  If not, create it.
#
if [ -a /etc/info ]; then
   if [ -a /etc/info/logs ]; then
      echo "";
   else
      mkdir /etc/info/logs;
   fi
else
   mkdir /etc/info;
   mkdir /etc/info/logs;
fi

date +'%b %e' > /var/log/todays-date

echo " Start messages: `date`" >> /var/log/sendlogs.status
cat /var/log/messages | grep "`cat /var/log/yesterdays-date`" > /var/log/messlog.`date +'%b%d%y'`
export f1=/var/log/messlog.`date +'%b%d%y'`
export f2=/var/log/testfile
#echo "File 1: $f1"
#echo "File 2: $f2"

#For messages - FTP and PPP stuff
#
sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp
sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp
sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $f2.tmp > $f1.tmp
sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp
sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp

#For messages - modem specific stuff
#
#sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp
#sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tmp > $f1.tmp
#sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
#sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp
#sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" -e "/abort on/d" $f1.tmp > $f2.tmp
#sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp

#For messages - modem dialout specific stuff
#
#echo -e "---------------------------------------" > /var/log/header.tmp
#echo -e "$HOST Call stats for \c" >> /var/log/header.tmp
#date >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of connects: \c" >> /var/log/header.tmp
#grep -c "CONNECT" $f1.tmp >> /var/log/header.tmp
#echo -e "    21600: \c" >> /var/log/header.tmp
#grep -c "21600" $f1.tmp >> /var/log/header.tmp
#echo -e "    26400: \c" >> /var/log/header.tmp
#grep -c "26400" $f1.tmp >> /var/log/header.tmp
#echo -e "    28800: \c" >> /var/log/header.tmp
#grep -c "28800" $f1.tmp >> /var/log/header.tmp
#echo -e "    31200: \c" >> /var/log/header.tmp
#grep -c "31200" $f1.tmp >> /var/log/header.tmp
#echo -e "    33600: \c" >> /var/log/header.tmp
#grep -c "33600" $f1.tmp >> /var/log/header.tmp
#echo -e "    41333: \c" >> /var/log/header.tmp
#grep -c "41333" $f1.tmp >> /var/log/header.tmp
#echo -e "    42666: \c" >> /var/log/header.tmp
#grep -c "42666" $f1.tmp >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of busys: \c" >> /var/log/header.tmp
#grep -c "BUSY" $f1.tmp >> /var/log/header.tmp
#echo -e "---------------------------------------" >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#cat /var/log/header.tmp >> $f1.tmp

#For messages - named specific stuff
#
sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
sed -e "/points/d" -e "/Lame server/d" $f2.tmp > $f1.tmp

#For messages - SSH specific
sed -e "/Generating /d" -e "/generation /d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp

#For messages - Delete --MARK-- entries and J.Robinson DNS issues
sed -e "/-- MARK --/d" -e "/run-parts/d" $f2.tmp > $f1.tmp

#
# COUNT log hits but delete them -- greatly cuts down on log sizes
#
#
echo -e "Firewall hit log reduction section:" >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
   /var/log/messlog.tmp

# --- EXT interfaces ---
#For messages - count all port 80 hits
echo -en " | Port 80 (www) count:      " >> /var/log/messlog.tmp
grep -c "$EXTIP:80" $f1.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
   /var/log/messlog.tmp
#For messages - Delete all PORT 80 stuff
sed -e "/$EXTIP:80/d" $f1.tmp > $f2.tmp

#For messages - count all port 1433 - SQL hits
echo -en " | Port 1433 (SQL) count:    " >> /var/log/messlog.tmp
grep -c "$EXTIP:1433" $f2.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
   /var/log/messlog.tmp
#For messages - Delete all PORT 1433 stuff
sed -e "/$EXTIP:1433/d" $f2.tmp > $f1.tmp

#For messages - count all port 3127 hits
echo -en " | Port 3127 (MyDoom) count: " >> /var/log/messlog.tmp
grep -c "$EXTIP:3127" $f1.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
   /var/log/messlog.tmp
#For messages - Delete all PORT 3127 stuff
sed -e "/$EXTIP:3127/d" $f1.tmp > $f2.tmp

# --- INT2 interfaces ---
#For messages - count all port 631 hits
echo -en " | Port 631 (CUPS) count:    " >> /var/log/messlog.tmp
grep -c "$INT2BROAD:631" $f2.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
   /var/log/messlog.tmp
#For messages - Delete all PORT 631 stuff
sed -e "/$INT2BROAD:631/d" $f2.tmp > $f1.tmp

#For messages - count all port 137 hits
echo -en " | Port 137 (Samba) count:   " >> /var/log/messlog.tmp
grep -c "$INT2BROAD:137" $f1.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
   /var/log/messlog.tmp
#For messages - Delete all PORT 137 stuff
sed -e "/$INT2BROAD:137/d" $f1.tmp > $f2.tmp

#For messages - count all port 138 hits
echo -en " | Port 138 (Samba) count:   " >> /var/log/messlog.tmp
grep -c "$INT2BROAD:138" $f2.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------\n" >> \
   /var/log/messlog.tmp
#For messages - Delete all PORT 138 stuff
sed -e "/$INT2BROAD:138/d" $f2.tmp > $f1.tmp

mv /var/log/messlog.tmp $f1
cat $f1.tmp >> $f1
#cat $f2.tmp >> $f1
rm -R /var/log/*.tmp

mail -s "$HOST messages for `cat /var/log/yesterdays-date`" root@localhost < /var/log/messlog.`date +'%b%d%y'`
rm /var/log/messlog.`date +'%b%d%y'`
echo -e "-------------------------------------------------------"
echo -e "MESSAGES: Parsed, filtered, mailed and deleted messages"
echo -e "-------------------------------------------------------"

#---------------------------------------------
echo " Start syslog: `date`" >> /var/log/sendlogs.status
cat /var/log/syslog | grep "`cat /var/log/yesterdays-date`" > /var/log/syslog.`date +'%b%d%y'`
export f1=/var/log/syslog.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"

#Syslog - modem specific
#sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" $f1 > $f1.tmp
#sed -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" $f1.tmp > $f2.tmp
#sed -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" $f2.tmp > $f1.tmp
#sed -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" $f1.tmp > $f2.tmp
#sed -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" $f2.tmp > $f1.tmp
#sed -e "/hangup/d" -e "/RINGING^M/d" $f1.tmp > $f2.tmp
#mv $f2.tmp $f1

#syslog FTP
sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" $f1 > $f1.tmp
sed -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $f1.tmp > $f2.tmp

#For messages
sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f2.tmp > $f1.tmp
sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" $f1.tmp > $f2.tmp
sed -e "/0x02f8/d" -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" $f2.tmp > $f1.tmp
sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f1.tmp > $f2.tmp
sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $f2.tmp > $f1.tmp
sed -e "/abort on/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
mv $f2.tmp $f1
rm -r /var/log/*.tmp

mail -s "$HOST syslog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/syslog.`date +'%b%d%y'`
rm /var/log/syslog.`date +'%b%d%y'`
echo -e "SYSLOG: Parsed, filtered, mailed and deleted syslog"
echo -e "---------------------------------------------------"

echo " Start secure: `date`" >> /var/log/sendlogs.status
cat /var/log/secure | grep "`cat /var/log/yesterdays-date`" > /var/log/secure.`date +'%b%d%y'`
export f1=/var/log/secure.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"
sed -e "/127/d" $f1 > $f1.tmp
mv $f1.tmp /var/log/secure.`date +'%b%d%y'`
mail -s "$HOST secure for `cat /var/log/yesterdays-date`" root@localhost < /var/log/secure.`date +'%b%d%y'`
rm -r /var/log/*.tmp 2> /dev/null > /dev/null
rm /var/log/secure.`date +'%b%d%y'`
echo -e "SECURE: Parsed, filtered, mailed and deleted secure"
echo -e "---------------------------------------------------"

echo " Start xferlog: `date`" >> /var/log/sendlogs.status
cat /var/log/xferlog | grep "`cat /var/log/yesterdays-date`" > /var/log/xferlog.`date +'%b%d%y'`
mail -s "$HOST xferlog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/xferlog.`date +'%b%d%y'`
rm /var/log/xferlog.`date +'%b%d%y'`
echo -e "XFERLOG: Parsed, filtered, mailed and deleted xferlog"
echo -e "-----------------------------------------------------"

echo " Start kernel: `date`" >> /var/log/sendlogs.status
cat /var/log/kernel | grep "`cat /var/log/yesterdays-date`" > /var/log/kernel.`date +'%b%d%y'`
export f1=/var/log/kernel.`date +'%b%d%y'`
export f2=/var/log/testfile
#For kernel - Delete all PORT 80 stuff
sed -e "/$EXTIP:80/d" $f1 > $f1.tmp
# $f1 is already an absolute path, so the filtered file is $f1.tmp
mail -s "$HOST kernel for `cat /var/log/yesterdays-date`" root@localhost < $f1.tmp
rm -r /var/log/*.tmp 2> /dev/null > /dev/null
rm /var/log/kernel.`date +'%b%d%y'`
echo -e "KERNEL: Parsed, filtered, mailed and deleted kernel"
echo -e "---------------------------------------------------"

echo " Start vitals: `date`" >> /var/log/sendlogs.status
df > /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
w >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
free >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
ps aux >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
lsof -i >> /var/log/sendlogs.`date +'%b%d%y'`
mail -s "$HOST vitals for `cat /var/log/yesterdays-date`" root@localhost < /var/log/sendlogs.`date +'%b%d%y'`
rm -f /var/log/sendlogs.`date +'%b%d%y'`
echo -e "VITALS: Sent system vitals.."
echo -e "----------------------------"

# Create a full file system ls-laR archive in /etc/info
#
# NOTE:  You should ALSO copy this file to somewhere on a DIFFERENT HD,
#        floppy, etc. in case your main HD fails.
#
echo " Start ls-laR: `date`" >> /var/log/sendlogs.status
ls -laR / 2> /dev/null | bzip2 -9 > /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2
echo -e "LS-LAR: Created full file system ls-laR archive in /etc/info"
echo -e "------------------------------------------------------------"
# cp /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 /to/some/other/HD

# Create a full file system du archive in /etc/info
#
# NOTE:  You should ALSO copy this file to somewhere on a DIFFERENT HD,
#        floppy, etc. in case your main HD fails.
#
echo " Start du: `date`" >> /var/log/sendlogs.status
du / 2> /dev/null | bzip2 -9 > /etc/info/logs/du.`date +'%b%d%y'`.bz2
# cp /etc/info/logs/du.`date +'%b%d%y'`.bz2 /to/some/other/HD
echo -e "DU: Created full file system du archive in /etc/info"
echo -e "----------------------------------------------------"

# Search for SUID programs, compare the results to the approved list and email
# the results
echo " Start SUID: `date`" >> /var/log/sendlogs.status
find / -type f \( -perm -04000 -o -perm -02000 \) -ls 2> /dev/null > /etc/info/suid-results-new
diff /etc/info/suid-results-checked /etc/info/suid-results-new 2> /dev/null > /etc/info/suid-results-diff
#
mail -s "$HOST SUID results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/suid-results-diff
rm -f /etc/info/suid-results-diff
echo -e "SUID: Sent SUID check.."
echo -e "-----------------------"

# Search for rhost files, compare the results to the approved list and email
# the results
echo " Start RHOSTs: `date`" >> /var/log/sendlogs.status
find / 2> /dev/null | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results-new
diff /etc/info/rcmd-results-checked /etc/info/rcmd-results-new > /etc/info/rcmd-results-diff
#
mail -s "$HOST RCMD results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rcmd-results-diff
rm -f /etc/info/rcmd-results-diff
echo -e "Sent RCMD check.."
echo -e "-----------------"

# Search for altered RPM packages, compare the results to the approved list
# and email the results
echo " Start RPMS: `date`" >> /var/log/sendlogs.status
/bin/rpm -Va > /etc/info/rpm-results-new
diff /etc/info/rpm-results-checked /etc/info/rpm-results-new > /etc/info/rpm-results-diff
#
mail -s "$HOST RPM results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rpm-results-diff
rm -f /etc/info/rpm-results-diff
echo -e "Sent RPM check.."
echo -e "----------------"

#Get SETI statistics
#
# This section is commented out by default
#
# (this is optional and only is useful for people using Seti and the Jsetidoor
#  proxy)
#
#JDATE=`cat /usr/src/archive/seti/proxy/jsetidoor/jseti-current-date`
#JPERF="/usr/src/archive/seti/proxy/jsetidoor/jsd-performance.log"
#JLOG="/usr/src/archive/seti/proxy/jsetidoor/jsd.log"
#JCOUNT=`cat $JLOG | grep -e $JDATE | grep -e update | wc --lines`
#echo -e "\nSETI stats: WU completed for $JDATE is $JCOUNT\n"
#echo -e "SETI stats: WU completed for $JDATE is $JCOUNT" >> $JPERF
#
#Update date for next run
#/usr/src/archive/seti/proxy/jsetidoor/jseti-date

# This section is commented out by default
#
# This section is to DD one HD to a backup HD.  This is a simple but VERY
# effective online backup though it is only done once a night.  If you
# have a spare HD in your system, this is the next best thing to setting
# up RAID1.  Personally, I just recommend to setup RAID1!  :)
#
# Please note that the block size and timing was found by doing testing
# for my specific system.  You should do this for your own setup to
# find your optimal setup.
#
#echo -e "-------------------------------------------------------------------------------"
#echo " Start dd: `date`" >> /var/log/sendlogs.status
#echo -e "DD /dev/sda to /dev/sdc : 1k transfers yields an optimal 22minute"
#echo -e "transfer at 27 percent CPU load\n"
#time dd if=/dev/sda of=/dev/sdc bs=1k

echo -e "-------------------------------------------------------------------------------"
echo -e "\nRemaining entries are due to errors in the cron files or in /etc/logrotate.d files\n"
echo "Finished Sendlogs: `date`" >> /var/log/sendlogs.status
STOP=`date +%s`
echo -e "\n\nSendlogs took `echo "( $STOP - $START ) / 60" | bc -l` minutes\n"
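The "count the firewall hits for a port, then delete them" reduction step of the sendlogs script above, as an added example (this is not TrinityOS code). It generalises the per-port grep/sed pairs into one function that takes any list of ports, and matches ADDR:PORT as a whole token so that a count for port 80 no longer also absorbs hits on port 8080 the way the plain "$EXTIP:80" string match in the script does. EXTIP and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not part of TrinityOS: the "count the firewall hits for a
# port, then delete them from the log" reduction step of sendlogs, as a
# reusable function.  EXTIP and the log lines below are constructed samples.

EXTIP="100.200.0.212"

# Constructed sample of a one-day /var/log/messages extract: ipchains-style
# firewall denies plus two lines that must survive the reduction.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<EOF
Nov 28 08:25:42 roadrunner kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4321 $EXTIP:80 L=48 S=0x00 I=1 F=0x4000 T=110
Nov 28 08:26:01 roadrunner kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.4:1025 $EXTIP:1433 L=48 S=0x00 I=2 F=0x4000 T=110
Nov 28 08:26:09 roadrunner kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.5:1026 $EXTIP:3127 L=48 S=0x00 I=3 F=0x4000 T=110
Nov 28 08:27:13 roadrunner kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.6:2000 $EXTIP:80 L=48 S=0x00 I=4 F=0x4000 T=110
Nov 28 08:28:30 roadrunner kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.8:2001 $EXTIP:8080 L=48 S=0x00 I=5 F=0x4000 T=110
Nov 28 08:30:00 roadrunner sshd[812]: Accepted publickey for dranch from 192.168.1.20 port 40422
Nov 28 08:31:00 roadrunner kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.7:3000 $EXTIP:22 L=48 S=0x00 I=6 F=0x4000 T=110
EOF

# port_pattern ADDR PORT: an extended regex that matches ADDR:PORT only as a
# whole token.  The dots in ADDR are escaped and the port must be followed by
# a non-digit or end of line, so "...:80" does not also match "...:8080" the
# way the plain string match in the original script does.
port_pattern() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s:%s([^0-9]|$)' "$esc" "$2"
}

# count_hits FILE ADDR PORT: number of lines in FILE hitting ADDR:PORT.
# grep -c exits 1 when the count is 0, so the status is forced to 0.
count_hits() {
    grep -E -c -- "$(port_pattern "$2" "$3")" "$1" || true
}

# reduce_log FILE ADDR PORT...: print the summary table that sendlogs builds
# in messlog.tmp, then the log with every counted line removed.
reduce_log() {
    file=$1; addr=$2; shift 2
    work=$(mktemp)
    cp "$file" "$work"
    echo "Firewall hit log reduction section:"
    echo " +----------------------------------------------------------"
    for port in "$@"; do
        pat=$(port_pattern "$addr" "$port")
        printf ' | Port %-5s count: %s\n' "$port" "$(grep -E -c -- "$pat" "$work" || true)"
        # grep -v exits 1 when nothing is left, which is not an error here
        grep -E -v -- "$pat" "$work" > "$work.new" || true
        mv "$work.new" "$work"
    done
    echo " +----------------------------------------------------------"
    cat "$work"
    rm -f "$work"
}

# Stand-alone run: the same three external ports the script counts.
reduce_log "$SAMPLE" "$EXTIP" 80 1433 3127
```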
#!/bin/sh
# TrinityOS-sendlogs.sh
# v01/07/01
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
# Updates:
#
# 01/07/01 - This script is now parsed directly from the SGML code and
#            because of this, several formatting issues were fixed.
#          - Made the output a little more pretty
#          - #ed out some diagnostic file information
#          - added an lsof log entry
#          - cleaned up the error reports in the SUID and RCMD searches
#
# 12/26/00 - Added --MARK-- Filtering
#
# 10/28/00 - Added an optional and #ed out section on DDing one HD to
#            another.  This is a simple but VERY effective online backup
#            though it is only done once a night.  If you have a spare HD
#            in your system, this is the next best thing to setting up
#            RAID1.  Personally, I just recommend to setup RAID1!  :)
#
# 10/08/00 - Deleted the removal of the SUID and RCMD new result files
#
# 09/16/00 - Added a full RPM database verification setup
#
# 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to
#            reflect the name of your Linux system.  You should edit this
#            to reflect your system.
#
# 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09.
#            Basically, I need to reverse the change on 01/17/00.
#
# 02/21/00 - Doh!  We do need the spaces between %b and %d
#
# 01/17/00 - Fixed all the "date" issues.  Date now uses %d over %e and
#            doesn't use any spaces.
#
# 01/01/00 - Fixed a missing ">" on line 139
#
# 12/16/99 - Fixed the RCMD mailer command at the end.  The "mail -s" line
#            needed to be ONE line
#
# 11/26/99 - Cleaned things up a bit
#          - Made all file references absolute
#
# 02/01/99 - Added "w" to the vitals output


# Change this variable to reflect the HOSTNAME of this box
# --------------------------------------------------------
HOST="TrinityOS"


#Make sure that the "yesterdays-date" file exists.  If not, create it.
#
# (yesterday's date is what gets grepped out of each log, in the same
#  "Mon DD" form that syslog writes; %e pads the day with a space just
#  as syslog does, which is why %d does not work for days 01-09)
#
if [ -f /var/log/todays-date ]; then
   mv /var/log/todays-date /var/log/yesterdays-date
else
   date +'%b %e' > /var/log/yesterdays-date
fi

#Make sure that the "/etc/info/logs" directory exists.  If not, create it.
#
if [ ! -d /etc/info/logs ]; then
   mkdir -p /etc/info/logs
fi

date +'%b %e' > /var/log/todays-date


#---------------------------------------------
# /var/log/messages
#---------------------------------------------
cat /var/log/messages | grep "`cat /var/log/yesterdays-date`" > /var/log/messlog.`date +'%b%d%y'`

export f1=/var/log/messlog.`date +'%b%d%y'`
export f2=/var/log/testfile
#echo "File 1: $f1"
#echo "File 2: $f2"

#For messages - FTP and PPP stuff
#
# CAUTION: these patterns match anywhere on the line.  "/Failed/d" in
# particular also throws away failed-login records, so keep reviewing
# /var/log/secure (mailed separately below) for those.
#
sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp
sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp
sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $f2.tmp > $f1.tmp
sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp
sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp

#For messages - modem specific stuff
#
#sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp
#sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tmp > $f1.tmp
#sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
#sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp
#sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" -e "/abort on/d" $f1.tmp > $f2.tmp
#sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp

#For messages - modem dialout specific stuff
#
#echo -e "---------------------------------------" > /var/log/header.tmp
#echo -e "$HOST Call stats for \c" >> /var/log/header.tmp
#date >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of connects: \c" >> /var/log/header.tmp
#grep -c "CONNECT" $f1.tmp >> /var/log/header.tmp
#echo -e " 21600: \c" >> /var/log/header.tmp
#grep -c "21600" $f1.tmp >> /var/log/header.tmp
#echo -e " 26400: \c" >> /var/log/header.tmp
#grep -c "26400" $f1.tmp >> /var/log/header.tmp
#echo -e " 28800: \c" >> /var/log/header.tmp
#grep -c "28800" $f1.tmp >> /var/log/header.tmp
#echo -e " 31200: \c" >> /var/log/header.tmp
#grep -c "31200" $f1.tmp >> /var/log/header.tmp
#echo -e " 33600: \c" >> /var/log/header.tmp
#grep -c "33600" $f1.tmp >> /var/log/header.tmp
#echo -e " 41333: \c" >> /var/log/header.tmp
#grep -c "41333" $f1.tmp >> /var/log/header.tmp
#echo -e " 42666: \c" >> /var/log/header.tmp
#grep -c "42666" $f1.tmp >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of busys: \c" >> /var/log/header.tmp
#grep -c "BUSY" $f1.tmp >> /var/log/header.tmp
#echo -e "---------------------------------------" >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#cat /var/log/header.tmp >> $f1.tmp

#For messages - named specific stuff
#
sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
sed -e "/points/d" -e "/Lame server/d" $f2.tmp > $f1.tmp

#For messages - SSH specific
sed -e "/Generating /d" -e "/generation /d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp

#For messages - Delete --MARK-- entries
sed -e "/-- MARK --/d" $f2.tmp > $f1.tmp

mv $f1.tmp $f1
rm -R /var/log/*.tmp
mail -s "$HOST messages for `cat /var/log/yesterdays-date`" root@localhost < /var/log/messlog.`date +'%b%d%y'`
rm /var/log/messlog.`date +'%b%d%y'`
echo -e "-------------------------------------------------------"
echo -e "MESSAGES: Parsed, filtered, mailed and deleted messages"
echo -e "-------------------------------------------------------"


#---------------------------------------------
# /var/log/syslog
#---------------------------------------------
cat /var/log/syslog | grep "`cat /var/log/yesterdays-date`" > /var/log/syslog.`date +'%b%d%y'`

export f1=/var/log/syslog.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"

#Syslog - modem specific
#sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" $f1 > $f1.tmp
#sed -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" $f1.tmp > $f2.tmp
#sed -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" $f2.tmp > $f1.tmp
#sed -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" $f1.tmp > $f2.tmp
#sed -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" $f2.tmp > $f1.tmp
#sed -e "/hangup/d" -e "/RINGING^M/d" $f1.tmp > $f2.tmp
#mv $f2.tmp $f1

#Syslog - FTP
sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" $f1 > $f1.tmp
sed -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $f1.tmp > $f2.tmp

#Syslog - kernel boot and modem chatter
sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f2.tmp > $f1.tmp
sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" $f1.tmp > $f2.tmp
sed -e "/0x02f8/d" -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" $f2.tmp > $f1.tmp
sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f1.tmp > $f2.tmp
sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $f2.tmp > $f1.tmp
sed -e "/abort on/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp

mv $f2.tmp $f1
rm -r /var/log/*.tmp 2> /dev/null > /dev/null
mail -s "$HOST syslog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/syslog.`date +'%b%d%y'`
rm /var/log/syslog.`date +'%b%d%y'`
echo -e "SYSLOG: Parsed, filtered, mailed and deleted syslog"
echo -e "---------------------------------------------------"


#---------------------------------------------
# /var/log/secure
#---------------------------------------------
cat /var/log/secure | grep "`cat /var/log/yesterdays-date`" > /var/log/secure.`date +'%b%d%y'`

export f1=/var/log/secure.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"

# Drop connections from the loopback address.  The pattern is the whole
# address: a bare "/127/d" would also drop any line with "127" in a PID,
# a port or an address such as 10.127.4.2.
sed -e "/127\.0\.0\.1/d" $f1 > $f1.tmp
mv $f1.tmp /var/log/secure.`date +'%b%d%y'`
mail -s "$HOST secure for `cat /var/log/yesterdays-date`" root@localhost < /var/log/secure.`date +'%b%d%y'`
rm -r /var/log/*.tmp 2> /dev/null
rm /var/log/secure.`date +'%b%d%y'`
echo -e "SECURE: Parsed, filtered, mailed and deleted secure"
echo -e "---------------------------------------------------"


#---------------------------------------------
# /var/log/xferlog
#---------------------------------------------
cat /var/log/xferlog | grep "`cat /var/log/yesterdays-date`" > /var/log/xferlog.`date +'%b%d%y'`
mail -s "$HOST xferlog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/xferlog.`date +'%b%d%y'`
rm /var/log/xferlog.`date +'%b%d%y'`
echo -e "XFERLOG: Parsed, filtered, mailed and deleted xferlog"
echo -e "-----------------------------------------------------"


#---------------------------------------------
# /var/log/kernel
#---------------------------------------------
cat /var/log/kernel | grep "`cat /var/log/yesterdays-date`" > /var/log/kernel.`date +'%b%d%y'`
mail -s "$HOST kernel for `cat /var/log/yesterdays-date`" root@localhost < /var/log/kernel.`date +'%b%d%y'`
rm /var/log/kernel.`date +'%b%d%y'`
echo -e "KERNEL: Parsed, filtered, mailed and deleted kernel"
echo -e "---------------------------------------------------"


#---------------------------------------------
# System vitals: disk, logged-in users, memory, processes, open sockets
#---------------------------------------------
df > /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
w >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
free >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
ps aux >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
lsof -i >> /var/log/sendlogs.`date +'%b%d%y'`
mail -s "$HOST vitals for `cat /var/log/yesterdays-date`" root@localhost < /var/log/sendlogs.`date +'%b%d%y'`
rm -f /var/log/sendlogs.`date +'%b%d%y'`
echo -e "VITALS: Sent system vitals.."
echo -e "----------------------------"


# Create a full file system ls-laR archive in /etc/info
#
# NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD,
#       floppy, etc. in case your main HD fails.
#
ls -laR / 2> /dev/null | bzip2 > /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2
echo -e "LS-LAR: Created full file system ls-laR archive in /etc/info"
echo -e "------------------------------------------------------------"
# cp /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 /to/some/other/HD


# Create a full file system du archive in /etc/info
#
# NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD,
#       floppy, etc. in case your main HD fails.
#
du / 2> /dev/null | bzip2 > /etc/info/logs/du.`date +'%b%d%y'`.bz2
# cp /etc/info/logs/du.`date +'%b%d%y'`.bz2 /to/some/other/HD
echo -e "DU: Created full file system du archive in /etc/info"
echo -e "----------------------------------------------------"


# Search for SUID programs, compare the results to the approved list and email
# the results
#
# The "-new" file is kept on purpose: once you have reviewed the diff you
# move it over the "-checked" file to make it the new reference (see below).
#
find / -type f \( -perm -04000 -o -perm -02000 \) -ls 2> /dev/null > /etc/info/suid-results-new
diff /etc/info/suid-results-checked /etc/info/suid-results-new 2> /dev/null > /etc/info/suid-results-diff
#
mail -s "$HOST SUID results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/suid-results-diff
rm -f /etc/info/suid-results-diff
echo -e "SUID: Sent SUID check.."
echo -e "-----------------------"


# Search for rhost files, compare the results to the approved list and email
# the results
#
find / 2> /dev/null | grep -e "\.rhosts" -e "hosts\.equiv" > /etc/info/rcmd-results-new
diff /etc/info/rcmd-results-checked /etc/info/rcmd-results-new > /etc/info/rcmd-results-diff
#
mail -s "$HOST RCMD results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rcmd-results-diff
rm -f /etc/info/rcmd-results-diff
echo -e "Sent RCMD check.."
echo -e "-----------------"


# Search for altered RPM packages, compare the results to the approved list
# and email the results
#
/bin/rpm -Va > /etc/info/rpm-results-new
diff /etc/info/rpm-results-checked /etc/info/rpm-results-new > /etc/info/rpm-results-diff
#
mail -s "$HOST RPM results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rpm-results-diff
rm -f /etc/info/rpm-results-diff
echo -e "Sent RPM check.."
echo -e "----------------"


# This section is commented out by default
#
# This section is to DD one HD to a backup HD.  This is a simple but VERY
# effective online backup though it is only done once a night.  If you
# have a spare HD in your system, this is the next best thing to setting
# up RAID1.  Personally, I just recommend to setup RAID1!  :)
#
# Please note that the block size and timing was found by doing testing
# for my specific system.  You should do this for your own setup to
# find your optimal setup.
#
#echo -e "DD /dev/sda to /dev/sdd : 1k transfers yields an optimal 22minute transfer\n"
#time dd if=/dev/sda of=/dev/sdd bs=1k

echo -e "-------------------------------------------------------------------------------"
echo -e "\nRemaining entries are due to errors in the cron files or in /etc/logrotate.d files\n"
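The sed chains in the script drop any line that contains a bare word such as "Failed" or the digits "127". The following is an added example, not part of the TrinityOS script: with a handful of constructed log lines (the hosts, PIDs and addresses are made up) it shows that this style discards a failed root login and a connection from 10.127.4.2 together with the pppd and loopback noise it was meant to remove, and how anchoring the patterns to the daemon that produces the noise keeps the security-relevant lines.

```shell
#!/bin/sh
# Added example, not part of the TrinityOS sendlogs script: why the bare-word
# noise filters (sed -e "/Failed/d", sed -e "/127/d") are risky.  The log
# lines below are constructed for this example; the PIDs, hosts and
# addresses in them are made up.

SAMPLE_LOG='Jan  8 02:11:04 trinity pppd[412]: Failed to open /dev/ttyS1: Device or resource busy
Jan  8 02:12:31 trinity sshd[517]: Failed password for root from 10.0.0.1 port 0 ssh2
Jan  8 02:13:02 trinity in.ftpd[530]: FTP LOGIN FROM 127.0.0.1 [127.0.0.1], joe
Jan  8 02:13:09 trinity in.telnetd[531]: connect from 10.127.4.2
Jan  8 02:20:00 trinity -- MARK --
Jan  7 23:59:58 trinity kernel: eth0: link up'

# keep only the lines stamped with one syslog date.  $1 is "Mon DD" with the
# day space-padded the way syslog and "date +'%b %e'" write it ("Jan  8");
# anchoring at ^ stops the date from matching inside a message body
select_day() {
    grep "^$1 "
}

# the style used in sendlogs: a word anywhere on the line drops the line
filter_broad() {
    sed -e '/Failed/d' -e '/127/d' -e '/-- MARK --/d'
}

# the same intent, anchored to the daemon that actually produces the noise;
# the loopback address is matched as a whole address, not the digits 127
filter_narrow() {
    sed -e '/pppd\[[0-9]*\]: Failed to open/d' \
        -e '/127\.0\.0\.1/d' \
        -e '/-- MARK --$/d'
}

# number of non-blank lines on stdin (always exits 0, unlike grep -c)
count_lines() {
    awk 'NF { n++ } END { print n + 0 }'
}

# how many "Jan  8" lines survive the filter named in $1
kept_count() {
    printf '%s\n' "$SAMPLE_LOG" | select_day 'Jan  8' | "$1" | count_lines
}

echo "broad filter keeps $(kept_count filter_broad) line(s)"
echo "narrow filter keeps $(kept_count filter_narrow) line(s):"
printf '%s\n' "$SAMPLE_LOG" | select_day 'Jan  8' | filter_narrow
```

The broad filter leaves nothing at all: the sshd "Failed password for root ... port 0" line, which is exactly the kind of entry the nightly mail exists to surface, disappears with the pppd chatter. The narrow filter keeps it and the telnet connection from 10.127.4.2 while still dropping the pppd error, the loopback FTP login and the MARK line.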
- Next, make the file executable by running "chmod 700 /usr/local/sbin/sendlogs"
- Now create the following directories and fix their permissions:

mkdir /etc/info
mkdir /etc/info/logs
chmod -R 700 /etc/info
* Before you run the "sendlogs" script, follow the procedure in Section 18
- Now, you have to make cron run this script every day:
BSD-style (Slackware, etc):
---------------------------

Edit the file /var/spool/cron/crontabs/root and append the following:

--
# Run the sendlogs program at 12:00am (midnight) every day
0 0 * * * /usr/local/sbin/sendlogs
--

NOTE: cron's hour field counts from 0 to 23, so a line reading "0 12 * * *" would run the script at noon, not at midnight. Running shortly after midnight is what you want here, since the script mails "yesterday's" entries and must run before the logs are rotated.
- That's it. Now, make cron re-read its config files by doing:
SysV-style (Redhat):
--------------------
Create the file /etc/cron.daily/a-sendlogs and enter in:
NOTE: Why the name "a-sendlogs"? cron runs the files in /etc/cron.daily in alphabetical order, and the sendlogs script has to run BEFORE the log-rotation script ("logrotate" on Red Hat) executes. If the logs were rotated first, yesterday's entries would already have been moved out of /var/log/messages and friends and the nightly mail would be empty.

#!/bin/sh
cd /usr/local/sbin
./sendlogs
Now make it executable via "chmod 700 /etc/cron.daily/a-sendlogs"
Once you start getting the parsed nightly logs, I HIGHLY recommend that you start creating an on-going log file of your firewall hits. You can learn how to read the firewall hits in Section 10.
I do this by manually creating a simple ASCII text file that I populate with the date, port #, port type, the source name (manually found via nslookup), and the IP address. For the sites that won't reverse resolve, I just do a traceroute to the closest named hop.
So why do I do this? Because you'll soon see trends, from simple telnets to full blown port scans, coming from specific IPs and/or domains. Also, some hackers run port scans that take weeks rather than minutes, so that any single night's mail shows only one or two probes. If you keep a running log like this, you'll catch them!
Here is one example from my "Firewall hits list" of some dirtbag that tried to do a DoS attack against my IMAP service. Not only did my firewall stop him, but TCP wrappers would have stopped him and I logged the fact. I've changed the IP address to protect the luser and myself.
NOTE: It is important to log not only the destination port the hacker was trying to reach but also their source port. This luser was using source port 0, which is a common DoS attack method; no legitimate TCP client picks port 0 as its source port, so a packet carrying it was crafted rather than sent by a normal program:
01/08/99 143/tcp Name: cc6666666-b..nj.home.com Address: 10.0.0.1 from port 0!
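As an added example that is not part of this document, the following script turns firewall log lines into hits-list entries of the kind shown above and then reports the sources that have probed several different ports over the whole list, which is how a scan spread across days or weeks shows up. It assumes the netfilter LOG line format (SRC=, DST=, PROTO=, SPT= and DPT= fields); the log lines are constructed for the example, and ipchains "Packet log:" output would need its own parser. It flags source port 0 as the text describes and also notes low source ports, which older packet filters sometimes let through.

```shell
#!/bin/sh
# Added example, not from the TrinityOS document: builds "firewall hits list"
# entries from firewall log lines and then looks across the whole list for
# sources that have probed many different ports, which is how a scan spread
# over days or weeks shows up.  Assumes the netfilter LOG target format
# (SRC= DST= PROTO= SPT= DPT= fields); ipchains "Packet log:" lines differ and
# would need their own parser.  All log lines are constructed for this example.

FW_LOG='Jan  8 02:12:31 trinity kernel: IN=eth0 OUT= SRC=10.0.0.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=TCP SPT=0 DPT=143 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  8 03:40:12 trinity kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=TCP SPT=33521 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 11:02:55 trinity kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=5 PROTO=TCP SPT=33522 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 04:17:03 trinity kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.2 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=6 PROTO=UDP SPT=33523 DPT=53 LEN=9
Jan 12 04:18:40 trinity kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=7 PROTO=TCP SPT=33524 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 09:00:01 trinity kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=8 PROTO=TCP SPT=1025 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# one hits-list line per logged packet:
#   "Mon DD dport/proto source from port sport [flag]"
hits_from_log() {
    awk '
    /SRC=/ {
        src = proto = sport = dport = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = tolower(kv[2])
            if (kv[1] == "SPT")   sport = kv[2]
            if (kv[1] == "DPT")   dport = kv[2]
        }
        if (src == "") next
        if (dport == "") dport = "-"      # e.g. ICMP carries no ports
        if (sport == "") sport = "-"
        flag = ""
        if (sport == "0")
            flag = " SUSPECT: source port 0"   # never used by a real client
        else if (sport != "-" && sport + 0 < 1024)
            flag = " NOTE: low source port"    # 20/53 were used to slip past old filters
        printf "%s %s %s/%s %s from port %s%s\n", $1, $2, dport, proto, src, sport, flag
    }'
}

# sources in a hits list (stdin) that have touched at least $1 distinct
# destination ports, with the first and last date seen.  Run it over the
# accumulated list, not one night's mail, to catch slow scans.
scan_candidates() {
    awk -v min="$1" '
    {
        src = $4; port = $3; day = $1 " " $2
        if (!((src, port) in seen)) { seen[src, port] = 1; nports[src]++ }
        if (!(src in first)) first[src] = day
        last[src] = day
    }
    END {
        for (s in nports)
            if (nports[s] >= min)
                printf "%s probed %d ports between %s and %s\n", s, nports[s], first[s], last[s]
    }' | sort
}

printf '%s\n' "$FW_LOG" | hits_from_log
echo
printf '%s\n' "$FW_LOG" | hits_from_log | scan_candidates 3
```

Appending each night's hits_from_log output to one file and running scan_candidates over that file is the automated form of the hand-kept list: 10.0.0.7 above touches only one or two ports per night, but over five days it has probed four services, which is the pattern a per-night mail never shows.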
Once you start seeing the proactive logs via email, some entries will seem bad at first but hopefully this section will help you understand what things mean:
The /proc file system is a virtual file system and some things in it cannot be listed due to operating system restrictions and/or security issues. /proc/<pid>/exe is a link to the program a process is running; kernel threads (the low PIDs shown here) have no program image behind them, so "ls -laR" reports them as missing. Entries like the following are harmless and will show up every night:

ls: /proc/2/exe: No such file or directory
ls: /proc/3/exe: No such file or directory
ls: /proc/4/exe: No such file or directory
ls: /proc/5/exe: No such file or directory
As part of keeping a system secure, you will need to patch it often. When you apply a new set of patches, the file size, date, etc. will change. The next Sendlogs results will notify you of these changes. If the changed files were due to an applied patch, things are ok.
It should also be noted that the EXT2 file system does not change a file's time stamp on its own; what changes is how "ls -l" displays it. For a file modified within roughly the last six months, ls shows the month, day, hour and minute; once the modification time is older than that, it shows the month, day and year instead. So a file can appear in the ls-laR diff even though nothing touched it. When you see such a change from the Sendlogs script, definitely make sure the file size and permissions are the same, and pay close attention to the DATE: if only the display changed from the TIME to the YEAR, things are ok. (GNU ls accepts "--full-time", which prints the complete time stamp and avoids this shift entirely.)
As you patch your system, you want to be sure that the changed files, the RPM database, and the MD5 sums of files are accounted for. One nice thing about the RPM verification is that you can monitor whether files are modified either on purpose, by corruption, or by intrusion. Keep in mind, though, that "rpm -Va" compares files against the sizes, modes and MD5 sums recorded in the local RPM database, so an intruder with root can alter that database or install a modified package; treat it as one check alongside the /etc/info baselines rather than as a substitute for them.
So, part of maintaining a secure and reliable Linux box is that you will have to replace the reference files in /etc/info. Once you are sure that the changes that have shown up in your mailbox are ok (as described above), move the new files into place as the new reference files:
mv /etc/info/suid-results-new /etc/info/suid-results-checked
mv /etc/info/rcmd-results-new /etc/info/rcmd-results-checked
mv /etc/info/rpm-results-new /etc/info/rpm-results-checked
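Added example (not the document's own code): the scan, diff and promote steps of the SUID check as shell functions over an arbitrary directory, so the cycle can be tried in a scratch tree before being pointed at /. It uses GNU find's -printf (an assumption about the find on your system) and records mode, owner and group as well as the path, so a permission or ownership change on an already-known set-uid file is reported and not only a newly planted one. The same three steps apply to the rcmd and rpm lists.

```shell
#!/bin/sh
# Added example, not part of the TrinityOS document: the SUID baseline cycle
# that sendlogs runs each night (scan, diff against the checked list, promote
# once reviewed) written as functions over any directory tree, so it can be
# tried in a scratch directory before being pointed at /.  Uses GNU find's
# -printf (assumed available); each line records mode, owner, group and path.

# set-uid / set-gid regular files under $1, one "mode user group path" per line
suid_scan() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | sort
}

# diff the checked baseline ($1) against a fresh scan ($2).  Exit status is
# diff's: 0 when nothing changed, 1 when something did.  A missing baseline
# is reported as "all unreviewed" so a first run is never mistaken for clean.
suid_diff() {
    if [ ! -f "$1" ]; then
        echo "no baseline $1 yet; every entry below is unreviewed:"
        cat "$2"
        return 1
    fi
    diff "$1" "$2"
}

# only after the diff has been read: the reviewed scan ($2) becomes the baseline ($1)
suid_promote() {
    mv "$2" "$1"
}

# walk one cycle in a scratch tree: baseline, then a planted set-uid file
# plus a mode change on a known one
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/info"
    : > "$t/bin/su"; chmod 4755 "$t/bin/su"
    suid_scan "$t" > "$t/info/suid-results-new"
    suid_diff "$t/info/suid-results-checked" "$t/info/suid-results-new" \
        || echo "(first run: review the list, then promote it)"
    suid_promote "$t/info/suid-results-checked" "$t/info/suid-results-new"

    : > "$t/bin/evil"; chmod 4755 "$t/bin/evil"
    chmod 4700 "$t/bin/su"
    suid_scan "$t" > "$t/info/suid-results-new"
    echo "--- after planting $t/bin/evil and changing the mode of su:"
    suid_diff "$t/info/suid-results-checked" "$t/info/suid-results-new" \
        || echo "(review the lines above before promoting)"
    rm -rf "$t"
}

demo
```

Because suid_promote is a separate step that nothing calls automatically, the "-new" list can never become the reference without someone having looked at the diff, which is the property the manual mv commands above rely on.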