Improve security: Logcheck

Configuration

by ross at 07:23:49 on October 28, 2011

Mails anomalies in the system logfiles to the administrator.

Logcheck helps spot problems, anomalies and security violations
in your logfiles automatically and will send the summaries to you
via e-mail. Logcheck is run as a cron job.

Install:

# cd /usr/ports/security/logcheck
# make install clean
# rehash

Edit /usr/local/etc/logcheck/logcheck.conf, set SENDMAILTO parameter.

According to /usr/local/etc/logcheck/logcheck.logfiles logcheck parses /var/log/messages and /var/log/auth.log. /var/log/messages permissions are OK. Let's adjust auth.log permissions:

# cd /var/log
# chgrp logcheck auth.log
# chmod g+r auth.log 

Edit /etc/newsyslog.conf, set mode of auth.log to 640.

Tweaking logcheck

Ntp on my system write to log file messages like "kernel time sync status changed" very often. To make logcheck ignore these messages edit /usr/local/etc/logcheck/ignore.d.server/ntp. Change

kernel time sync (disabled|enabled)

to

kernel time sync (disabled|enabled|status change)

 

Comments