
RE: [cobalt-security] Logcheck & Crontab



~Spanky

>>Did you (or someone) add "Active_Monitor_69" to violations.ignore?

Send a bit of what your LogCheck used to show.<<
-------------------------------------------------------------------

Answer: No.

Here's a typical entry that we used to see from logcheck...

Security Violations
=-=-=-=-=-=-=-=-=-=
Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69
host=localhost [127.0.0.1]
(as the check is done hourly, there were usually another three similar
readings)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Oct 17 04:55:49 ns proftpd[12848]: ns.xxxxxxx.com (localhost[127.0.0.1]) -
FTP session closed.
Oct 17 04:55:49 ns in.proftpd[12848]: connect from 127.0.0.1
Oct 17 04:55:50 ns imapd[12849]: connect from 127.0.0.1
Oct 17 04:55:51 ns imapd[12849]: imap service init from 127.0.0.1
Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69
host=localhost [127.0.0.1]
Oct 17 04:55:54 ns imapd[12849]: Command stream end of file, while reading
line user=Active_Monitor_69 host=localhost [127.0.0.1]
Oct 17 04:55:54 ns sendmail[12852]: NOQUEUE: Null connection from localhost
[127.0.0.1]
---------------------------------------------------------------

As I mentioned, nothing has been changed in any of the logcheck files. This
reading was done by calling /usr/local/sbin/swatch >>/var/cobalt/adm.log
2>&1 as root (via su) and then invoking the logcheck script
/usr/local/etc/logcheck.sh.

Yet if logcheck runs from cron.hourly, all I get is the "Unusual System
Events" readings, and these don't include any of the above. SPOOKY: it
worked before but just stopped.

Is there any way of checking that the crontab is activating the monitoring
service, and that it is running as it should be? I think the problem may be
with crontab rather than logcheck, but I don't know.

Regards from Auckland

Chae
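An added example for the two questions in the message above (it is not code from the post, from logcheck or from the Cobalt software): a wrapper that leaves a dated record every time cron actually runs the job, recording the user and PATH cron handed it and the exit status, since a cron job runs as the crontab's owner with a minimal environment and those are the usual things that differ from an interactive root shell; and a minimal logcheck-style "Security Violations" pass (keyword match, then subtract an ignore file, the role violations.ignore plays) run over sample lines constructed to resemble the ones quoted in the post. The path /usr/local/etc/logcheck.sh is the one given in the post; the RUNLOG location and the violation keyword list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post, logcheck or Cobalt.
# RUNLOG is an assumed location for the per-run records.
RUNLOG=${RUNLOG:-/var/tmp/logcheck-cron.log}
LOGCHECK_SH=/usr/local/etc/logcheck.sh   # path quoted in the post

# run_and_record LOGFILE CMD [ARGS...]
# Runs CMD and appends "<epoch> user=<name> path=<PATH> status=<rc>" to
# LOGFILE, then returns CMD's exit status so cron still sees a failure.
# Put "run_and_record $RUNLOG $LOGCHECK_SH" in cron.hourly in place of
# the bare logcheck call; an empty or stale LOGFILE then means cron is
# not firing the job at all, and the recorded user/PATH show what
# environment the job got when it did run.
run_and_record() {
  logfile=$1; shift
  "$@"
  rc=$?
  printf '%s user=%s path=%s status=%s\n' \
    "$(date +%s)" "$(id -un)" "$PATH" "$rc" >> "$logfile"
  return "$rc"
}

# last_run_age_ok LOGFILE MAX_SECONDS
# Succeeds if the newest record in LOGFILE is no older than MAX_SECONDS.
# For an hourly job, 3600 plus some slack (e.g. 4000) is a sane window.
last_run_age_ok() {
  logfile=$1; max=$2
  [ -s "$logfile" ] || return 1
  last=$(tail -n 1 "$logfile" | cut -d' ' -f1)
  now=$(date +%s)
  [ $((now - last)) -le "$max" ]
}

# Sample syslog lines constructed for this example, modelled on the post.
SAMPLE_LOG='Oct 17 04:55:49 ns in.proftpd[12848]: connect from 127.0.0.1
Oct 17 04:55:50 ns imapd[12849]: connect from 127.0.0.1
Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Oct 17 04:55:54 ns sendmail[12852]: NOQUEUE: Null connection from localhost [127.0.0.1]'

# filter_violations IGNOREFILE < LOG
# Keeps lines matching violation keywords, then drops any line matching a
# pattern in IGNOREFILE. The keyword list is an assumption for this
# example, not logcheck's real violations patterns.
filter_violations() {
  ignore=$1
  grep -i -E 'login failure|denied|refused|illegal|unauthori[sz]ed' \
    | grep -v -f "$ignore"
}

case "${1:-}" in
  cron)  run_and_record "$RUNLOG" "$LOGCHECK_SH" ;;
  check) last_run_age_ok "$RUNLOG" 4000 && echo "last run within window" \
           || { echo "no recent run recorded in $RUNLOG"; exit 1; } ;;
  demo)  printf '%s\n' "$SAMPLE_LOG" | filter_violations /dev/null ;;
esac
```

Run it with `demo` to see the Login failure line survive the filter with an empty ignore file; put `Active_Monitor_69` in the ignore file and the line disappears, which is exactly what adding that name to violations.ignore would do. Run it with `check` from an interactive shell (or from another cron entry) to find out whether the hourly job has left a record recently.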