Tips&Tricks Setting up Logcheck to monitor security v



 

delboy711

Senior user

Joined: 03 May 2002

Posts: 412

Location: Wokingham, UK

 

Post Posted: Wed May 15, 2002 2:32 pm Post subject: Setting up Logcheck to monitor security violations.

_________________________________________________________________

 

 

Logcheck is a script on the Mandrake CDs which will go through the system logs and extract suspicious activity which may indicate your system has been compromised, and send you an email informing you.

 

When you install the logcheck rpm it will automatically configure itself to run as a daily cron job. However, there is still work to do before you will be able to see the alerts from logcheck.

 

Logcheck will by default send an email to root@yourhostname detailing security alerts.

That email will not be delivered unless you have Postfix installed (Sendmail can do it as well but it is a nightmare to configure)

 

In order to receive that mail as a normal user edit

/etc/postfix/aliases and make your user the one to receive root's post

 

# Person who should get root's mail

root: derek

 

To make Postfix recognise the alias, in a root terminal enter

newaliases

 

Now any mail for root will go into the mail file /var/spool/mail/derek

 

The next trick is to get your mail client to read the mail in this file. If you use kmail then Settings>Network>incomingMail

click on 'Add'

 

In the GUI set the parameters like this

Name local (or whatever you like)

Location /var/spool/mail/derek

Locking method Procmail lockfile (or 'none' if you cannot get it to work)

Enable Interval mail checking with a sensible interval.

 

Now any mails generated locally in your computer should come into your kmail inbox.

 

You will find that logcheck will send a lot of unnecessary information. You can cut this down over time by putting regular expressions in /etc/logcheck/ignore to filter out messages you know are not security violations.

 

That's it. If I have missed out any steps, let me know.
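One way to see what an ignore rule actually removes before putting it in /etc/logcheck/ignore, as an added example that is not part of the original post: a small POSIX shell script that filters a few constructed syslog lines with the pattern file the same way logcheck's ignore step does (grep -v -E -f), and compares an anchored rule with an over-broad one. The hostname, log lines and patterns are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Mimics logcheck's ignore step
# (drop every log line matching an extended regex from the ignore file) so a
# candidate pattern can be checked against sample lines before deployment.

# Constructed sample lines in /var/log/messages format (hostname "host").
SAMPLE_LOG='May 15 02:30:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.daily)
May 15 02:31:07 host sshd[2001]: Failed password for root from 10.0.0.5 port 4022 ssh2
May 15 02:31:09 host su(pam_unix)[2044]: authentication failure; logname=derek uid=500 user=root
May 15 02:32:00 host kernel: eth0: link up'

# Narrow rules: anchored to the timestamp, host, daemon and the exact benign
# message, so only the two routine lines can ever match.
NARROW='^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.daily\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth0: link (up|down)$'

# Over-broad rule: "root" does silence the cron noise, but it also removes the
# failed ssh login for root and the su failure, the lines logcheck exists to report.
BROAD='root'

# Apply an ignore file exactly as a filter: log on stdin, pattern file in $1,
# surviving lines on stdout.
apply_ignore() {
    grep -v -E -f "$1"
}

# Number of sample lines left after applying the pattern set given in $1.
count_survivors() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    n=$(printf '%s\n' "$SAMPLE_LOG" | apply_ignore "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}

# True (exit 0) if the failed-password line survives the pattern set in $1.
keeps_failed_login() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | apply_ignore "$tmp" | grep -q 'Failed password'
    rc=$?
    rm -f "$tmp"
    return $rc
}

echo "lines left with narrow rules: $(count_survivors "$NARROW")"
echo "lines left with broad rule:   $(count_survivors "$BROAD")"
```

Run it against real lines pulled from your own /var/log/messages before adding a pattern; a rule that empties the sample is almost always too broad.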

 

 

sminons

Newbie

Joined: 13 May 2002

Posts: 20

Post Posted: Tue Oct 08, 2002 7:52 am Post subject: How to configure?

_________________________________________________________________

 

 

I installed logcheck and ran the command. There was no feedback after running the command. How do we configure logcheck and set its various parameters? Thanks in advance.

 

 

 

Editor's note: This thread was originally posted at the old MUB (Mandrake User Board at club-nihil). This post is the result of a 99% automatic backup, so due to its nature some text may be lost (improbable but possible).

Logcheck will by default send an email to root@yourhostname detailing security alerts.

That email will not be delivered unless you have Postfix installed (Sendmail can do it as well but it is a nightmare to configure)

 

In order to receive that mail as a normal user edit

/etc/postfix/aliases and make your user the one to receive root's post

 

# Person who should get root's mail

root: user

 

To make Postfix recognise the alias. In a root terminal enter

newaliases  

 

Now any mail for root will go into the mail file /var/spool/mail/derek

 

I did the following but the "newaliases" command does not work with Postfix and Mandrake 9.0. I had to run the "newaliases.postfix -I" command to get it to work. I can see the mail going into /var/spool/mail/postfix, vice /var/spool/mail/user. I can even view them, and they are the output of the cronjob that Logcheck does. Why is the mail going to postfix vice my user account? Anyone have any ideas?

Upon further examination of the /usr/bin/newaliases file, it is supposed to be symlinked to /etc/alternatives/mta-newaliases, but this file doesn't exist. The file is missing; there is only /etc/alternatives/mta and /etc/alternatives/mta-rmail. So now I know why it would not run when I tried to run the "newaliases" command. Does anyone know where this file is supposed to be symlinked to?
