Hi Pierre,
I know this is just a little late, but I've written the following,
can you please communicate to me via email. I have some things to
discuss with you on UNIX and the corporate requirements.
Following is the script that I use for ULTRIX, haven't had the
moments to swap back in my paranoia to do the same for DUNIX yet, but
give me some time.
It isn't pretty, but it works. Btw, I normally redirect root's mail
to a centralised mail system and every morning read the security logs
while having my morning coffee. I'm yet to make the script more pretty.
In CRONTAB of the system,
# Nightly security checks
55 23 * * * /usr/manager/security.sh > /usr/manager/security.log 2>&1
The /usr/manager/security.sh file:
#!/bin/sh
# security log sift to mail
#
# written by Dave Reinhold 5-Feb-1996
#
#
# This is a security log analyser run from CRON
# on a nightly basis.
# It basically looks for FTP, TELNET, and RLOGIN
# entries in the syslog file and does a last for
# today's logins to determine that those who logged
# in were not suspicious.
# It also mails the sulog for today.
#
# Test cron entry logfile of script run
date
#
# Define day variables from the fields of `date`:
# today = weekday name, month = month abbreviation,
# day = day of month, year = four-digit year
cd /usr/manager
outfile=`date | awk '{print "security_report."$1".log"}'`
today=`date | awk '{print $1}'`
month=`date | awk '{print $2}'`
day=`date | awk '{print $3}'`
date3=`date | awk '{print $1" "$2" "$3}'`
year=`date | awk '{print $6}'`
#
# Timestamp and create the logfile
date > $outfile
#
# Harvest the information
# (blank separator lines go into the report as well)
echo " " >> /usr/manager/$outfile
echo " " >> /usr/manager/$outfile
echo "Logins and failures from /usr/spool/mqueue/syslog" >> /usr/manager/$outfile
grep -i login /usr/spool/mqueue/syslog >> /usr/manager/$outfile
grep -i telnet /usr/spool/mqueue/syslog >> /usr/manager/$outfile
grep -i ftp /usr/spool/mqueue/syslog >> /usr/manager/$outfile
echo " " >> /usr/manager/$outfile
echo " " >> /usr/manager/$outfile
echo "Today's SU's from /var/adm/sulog " >> /usr/manager/$outfile
grep $year /var/adm/sulog | grep $month | grep $today >> /usr/manager/$outfile
echo " " >> /usr/manager/$outfile
echo " " >> /usr/manager/$outfile
echo "Today's successful user logins - anything suspicious?" >> /usr/manager/$outfile
/usr/ucb/last | grep $month | grep $today | grep $day >> /usr/manager/$outfile
#
#
# Time to mail the file to the user
/usr/ucb/mail -s "Today's security info for hntsmn" root < /usr/manager/$outfile
exit
Hi,
If anyone's interested, this is a logging script for a NON-C2 DUNIX
system. Yes, I know it's crude, but I've seen no other examples, and
this does do the job. As with the Ultrix one, it mails accounts the
daily login information.
Please note that BSD security in DUNIX only logs the login failures
after 5 attempts (and it records the 5th attempt, so if for example
ttyr6 is attacked 4 times and then ttyp2 has a valid user that mistypes
the login information, it's the entry for ttyp2 that is logged).
I'll get to do the C2 version sometime in the future.
Any feedback would be nice. Cheers,
Dave
# tail -1 /var/spool/cron/crontabs/root
55 23 * * * /usr/manager/security.sh > /usr/manager/security.log
#!/bin/sh
# security log sift to mail
#
# written by Dave Reinhold 5-Feb-1996
#
# This VERSION is for DUNIX
#
#
# This is a security log analyser run from CRON
# on a nightly basis.
# It basically makes the daily audit log checks
# easier by mailing the daily entries.
#
# I know it's crude, but it works
#
# Define day variables
cd /usr/manager
outfile=`date | awk '{print "security_report."$1".log"}'`
today=`date | awk '{print $1}'`
month=`date | awk '{print $2}'`
day=`date | awk '{print $3}'`
date3=`date | awk '{print $3"-"$2}'`
#
# Timestamp and create the logfile
date > $outfile
#
# Harvest the information
# pick today's syslog.dated directory by its DD-Mon name
file=`ls -la /usr/var/adm/syslog.dated | grep $date3 | awk '{print $9}'`
echo "Anything suspicious? " >> /usr/manager/$outfile
echo " " >> /usr/manager/$outfile
cat /usr/var/adm/syslog.dated/$file/auth.log >> /usr/manager/$outfile
#echo " "
#echo " "
echo "Today's login information" >> /usr/manager/$outfile
/usr/bin/last | grep $month | grep $today | grep $day >> /usr/manager/$outfile
#
#
# Time to mail the file to the user
/usr/bin/Mail -s "Today's security info for RMSTAR" root < /usr/manager/$outfile
exit
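An added example (not Dave's script, and not from either mail) showing the same daily sift that both scripts do with `grep $month | grep $today | grep $day`, but with the date match anchored on the syslog date fields: an unanchored `grep 5` also matches "Feb 15" and any timestamp containing a 5, which pads the daily report. Assumed: BSD syslog line layout "Mon DD HH:MM:SS host prog: msg"; the host name, addresses and user names in the sample are constructed.

```sh
#!/bin/sh
# Added example, not Dave's script. Same daily sift, but the date match is
# anchored on the syslog date fields rather than on a substring.
# Assumption: BSD syslog layout "Mon DD HH:MM:SS host prog: msg".

count_lines() { awk 'END { print NR }'; }

# Lines whose date fields are exactly MONTH DAY. awk compares the day
# numerically, so the space-padded day that BSD syslog writes ("Feb  5")
# matches "5" as well as "05".
todays_entries() {
    awk -v m="$2" -v d="$3" '$1 == m && $2 == d' "$1"
}

# The three greps of the ULTRIX script, in one case-insensitive pass over
# today's entries only.
remote_login_entries() {
    todays_entries "$1" "$2" "$3" | grep -i -E 'login|telnet|ftp'
}

# The scripts' unanchored filter, kept here for comparison.
naive_entries() {
    grep "$2" "$1" | grep "$3"
}

# Constructed sample standing in for /usr/spool/mqueue/syslog; host name,
# addresses (RFC 5737 documentation range) and users are made up.
SAMPLE_SYSLOG=$(mktemp)
trap 'rm -f "$SAMPLE_SYSLOG"' EXIT
cat > "$SAMPLE_SYSLOG" <<'EOF'
Feb  5 08:12:01 myhost login: ROOT LOGIN REFUSED ON ttyp1
Feb  5 08:15:44 myhost ftpd[212]: connection from 192.0.2.10
Feb  5 09:02:10 myhost sendmail[300]: daily queue run
Feb 15 10:50:03 myhost telnetd[410]: connect from 192.0.2.11
Feb  5 23:55:17 myhost login: dave on ttyp2
EOF

# Report for Feb 5: 4 entries that day, 3 of them login-related; the
# unanchored filter returns 5 because the "Feb 15" line also contains a 5.
echo "Today's entries:       $(todays_entries "$SAMPLE_SYSLOG" Feb 5 | count_lines)"
echo "Remote login entries:  $(remote_login_entries "$SAMPLE_SYSLOG" Feb 5 | count_lines)"
echo "Unanchored grep count: $(naive_entries "$SAMPLE_SYSLOG" Feb 5 | count_lines)"
```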