
A syslog network server listens to UDP port 514 and processes any messages received there through the normal routing decisions.

One significant problem with the syslog implementation is that there is absolutely no authentication performed. Any application can log any message with any facility and priority. Therefore it is relatively easy to spoof log messages or to create a denial-of-service attack by sending huge numbers of logfile entries, eventually filling all available disk space and making it impossible to log further events. (For this reason, it is a good idea to use a separate filesystem for /var/log.)

The logwatch and logrotate programs are activated by cron through their entries in /etc/cron.daily.

8.7.3. What About...

8.7.3.1. ...sending log messages to a program?

The standard Fedora syslog program does not support output to a program such as a mailer. However, you can easily write a script that reads a logfile using the tail command and outputs new log entries to a program.

This example emails log messages to a pager or cell phone text service:

#!/bin/bash

# Pager address (no spaces are allowed around "=" in a shell assignment)
DESTINATION=8885551234@pagercompany.example.com

# -0f: start at the end of the file and follow it, so only new entries are sent
tail -0f /var/log/messages |
while read -r LINE
do
    echo "$LINE" | mail "$DESTINATION"
done

To use this script, place it in the file /usr/local/bin/log-mail and add read and execute permissions:

# chmod u+rx /usr/local/bin/log-mail
# log-mail

You may want to use this script with a lower-volume logfile than /var/log/messages, especially if you pay for each pager message.

To filter messages by content, place a grep command between the tail and while lines in the script.
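Carrying the two points above further (filtering by content, and keeping the cost of pager messages down), here is an added example that is not the book's script: a cron-driven variant of log-mail. Each run sends only the lines appended to the log since the previous run, keeps those matching a pattern, strips the timestamp, hostname and PID so the pager text stays short, and caps the number of lines per run so a flood of log entries cannot become a flood of paid pager messages. The variable names, the default paths (STATEFILE in particular) and the sample log lines in the comments are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the book: a cron-driven variant of log-mail.
# Assumptions: the variable names and default paths below are placeholders,
# and a working "mail" command exists on the host.

LOGFILE=${LOGFILE:-/var/log/messages}
STATEFILE=${STATEFILE:-/var/lib/log-mail.offset}
PATTERN=${PATTERN:-'Failed password'}
MAXLINES=${MAXLINES:-20}
DESTINATION=${DESTINATION:-8885551234@pagercompany.example.com}

# Print the bytes appended to $1 since the byte offset stored in $2, then
# record the new offset. A file smaller than the offset means the log was
# rotated, so reading restarts from the beginning.
new_lines() {
    logfile=$1 statefile=$2 offset=0
    [ -r "$statefile" ] && read -r offset < "$statefile"
    case $offset in ''|*[!0-9]*) offset=0 ;; esac
    size=$(wc -c < "$logfile" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +$((offset + 1)) "$logfile"
    printf '%s\n' "$size" > "$statefile"
}

# Keep lines matching $1 and shorten them. The first sed expression removes
# "Mon DD HH:MM:SS hostname " and the second removes a numeric "[PID]";
# matching digits only (rather than ".*") avoids eating message text that
# happens to sit between two brackets.
filter_and_shorten() {
    grep -- "$1" |
    sed -e 's/^[A-Z][a-z]\{2\} \{1,2\}[0-9]\{1,2\} [0-9:]\{8\} [^ ]* //' \
        -e 's/\[[0-9]\{1,\}\]//g'
}

# Pass at most $1 lines through and report how many were dropped.
cap_lines() {
    max=$1 count=0 dropped=0
    while IFS= read -r line; do
        if [ "$count" -lt "$max" ]; then
            printf '%s\n' "$line"
            count=$((count + 1))
        else
            dropped=$((dropped + 1))
        fi
    done
    [ "$dropped" -gt 0 ] && printf '(%d further matching lines suppressed)\n' "$dropped"
    return 0
}

# One run: new lines -> filter -> cap -> a single mail (none if nothing matched).
send_digest() {
    body=$(new_lines "$LOGFILE" "$STATEFILE" | filter_and_shorten "$PATTERN" | cap_lines "$MAXLINES")
    [ -n "$body" ] || return 0
    printf '%s\n' "$body" | mail -s "syslog: $PATTERN" "$DESTINATION"
}

# Run from cron (for example every five minutes) with RUN_LOG_MAIL=1 set.
if [ "${RUN_LOG_MAIL:-0}" = 1 ]; then
    send_digest
fi
```

Because the script remembers a byte offset rather than tailing forever, a burst of thousands of entries (the denial-of-service case mentioned earlier in the section) produces one message per run with a count of suppressed lines, instead of one pager message per log line.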

You can also have log output read to you over the system's speakers:

#!/bin/bash

logger -t log-speak "Starting log reading."
sleep 0.3

tail -1f /var/log/messages |
while read -r LINE
do
    # The sed expressions remove the date/time and hostname, and the
    # numeric PIDs in square brackets, to shorten the spoken text.
    echo "$LINE" |
    sed -e "s/^.\{17\}[^ ]*//" -e "s/\[[0-9]*\]//g" |
    festival --tts
done

8.7.3.2. ...outputting to a named pipe?

A named pipe is a special type of file that can be used to pass messages between two programs. While syslog supports writing to named pipes, the default SELinux security policy prohibits it.

To output to a named pipe, you must first disable SELinux protection for syslogd by setting the syslogd_disable_trans boolean and then create the named pipe with mkfifo:

# setsebool -P syslogd_disable_trans=1
# mkfifo /var/log/messagepipe

Next, create an entry in /etc/syslog.conf, placing a pipe symbol in front of the destination pathname:

*.* |/var/log/messagepipe

Restart syslogd. You can then follow the message output with a simple file read:

# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]

# cat /var/log/messagepipe
...(Messages appear as they are logged)...
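The cat command above stops at the first end-of-file, which happens whenever syslogd closes the pipe (for instance when it is restarted). As an added example, not code from the book, here is a small reader that reopens the pipe after each end-of-file and hands every complete line to a handler function. PIPE and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the book: a persistent consumer for the
# syslog named pipe. PIPE and the handler names are placeholders.

PIPE=${PIPE:-/var/log/messagepipe}

# Read one writer session from the FIFO $1 (until the writer closes it),
# calling the shell function named in $2 with each line as its argument.
# Opening a FIFO for reading blocks until a writer opens it, so this also
# waits quietly for syslogd to come back after a restart.
consume_once() {
    while IFS= read -r line; do
        "$2" "$line"
    done < "$1"
}

# Keep reading across writer restarts. Refuses to run on anything that is
# not a named pipe: a regular file would be read once and then ignored.
consume_forever() {
    [ -p "$1" ] || { printf '%s is not a named pipe\n' "$1" >&2; return 1; }
    while :; do
        consume_once "$1" "$2"
    done
}

# Example handler: print each line with the local time it was received.
print_line() {
    printf '%s %s\n' "$(date +%H:%M:%S)" "$1"
}

# Start the reader (run it in the background or under a service supervisor).
if [ "${RUN_PIPE_READER:-0}" = 1 ]; then
    consume_forever "$PIPE" print_line
fi
```

Because the pipe has no storage of its own, a reader must be running for the messages to go anywhere; running the consumer as a service rather than from an interactive shell keeps that true across logins and syslogd restarts.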

8.7.3.3. ...logging messages from printers, routers, and other network devices?

Most network hardware offers the option of logging messages to a syslog server. Simply enter the IP address of your syslog network server into the configuration settings of the device.

8.7.3.4. ...using patterns within the message text to determine message routing?

The syslog-ng package from Fedora Extras can be used in place of the standard syslogd and klogd programs. It uses a different configuration file syntax, and it supports message-text matching and message routing to programs.

The original syslogd and klogd programs are from the package sysklogd.

8.7.4. Where Can I Learn More?

The manpages for syslogd, syslog.conf, klogd, logrotate, and logwatch

The home page for logwatch: http://www.logwatch.org

8.8. Detecting File Changes with AIDE

The Advanced Intrusion Detection Environment (AIDE) is a program that takes a "fingerprint" of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.

8.8.1. How Do I Do That?

To initialize the AIDE fingerprint database, execute it with the --init option:

# aide --init
AIDE, version 0.11

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/aide.db.new.gz. Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database:

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Once the fingerprint database is configured, you can check for file changes using the --check argument:

# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2006-06-01 12:50:01

Summary:
 Total number of files: 127172
 Added files: 2
 Removed files: 0
 Changed files: 4

---------------------------------------------------
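The init, rename and check steps above are usually automated from cron. Here is an added example, not the book's or the AIDE project's code, of a wrapper that refuses to run when the active database no longer matches the checksum recorded right after aide --init, writes the report to a file, and turns the report's Summary block (in the format shown above) into a one-line verdict with exit status 1 when anything was added, removed or changed. DB, CHECKSUM and REPORT are placeholder paths chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the book or from AIDE: a cron wrapper for
# "aide --check". DB, CHECKSUM and REPORT are placeholder paths.

DB=${DB:-/var/lib/aide/aide.db.gz}
CHECKSUM=${CHECKSUM:-/var/lib/aide/aide.db.gz.sha256}
REPORT=${REPORT:-/var/log/aide-check.log}

# Run once, right after renaming aide.db.new.gz to aide.db.gz. Keep a copy of
# the checksum file (and ideally of the database) off the host: an intruder
# with root access can re-run "aide --init" to fingerprint the modified
# system, but cannot alter the copy you hold elsewhere.
record_db_checksum() {
    sha256sum "$1" > "$2"
}

# Succeeds only if $1 still has the checksum recorded in $2.
verify_db_checksum() {
    sha256sum -c "$2" > /dev/null 2>&1
}

# Parse an AIDE report ($1) and print "added=N removed=N changed=N".
# Returns 1 when AIDE reported differences, 0 otherwise.
summarize_report() {
    awk '
        /^AIDE found differences/ { found = 1 }
        /^ *Added files:/         { a = $NF }
        /^ *Removed files:/       { r = $NF }
        /^ *Changed files:/       { c = $NF }
        END {
            printf "added=%d removed=%d changed=%d\n", a, r, c
            verdict = (found || a + r + c > 0) ? 1 : 0
            exit verdict
        }' "$1"
}

# Verify the database, run the check, and summarize.
# Exit status: 0 clean, 1 differences found, 2 database rejected.
run_check() {
    if ! verify_db_checksum "$DB" "$CHECKSUM"; then
        printf '%s does not match %s; refusing to run the check\n' "$DB" "$CHECKSUM" >&2
        return 2
    fi
    aide --check > "$REPORT" 2>&1 || true   # the parsed summary decides the verdict
    summarize_report "$REPORT"
}

if [ "${RUN_AIDE_CHECK:-0}" = 1 ]; then
    run_check
fi
```

After a legitimate change (a package update, for example), review the differences, re-run aide --init, rename the new database, and run record_db_checksum again so the wrapper accepts it.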