16.16 Cron: Watching the Crackers

The cron facility is very helpful for periodically doing the various analyses a SysAdmin needs in order to detect problems on a system. Having it do periodic analysis of log files is an excellent idea. The following root crontab entry is illustrative. (To use it, remove each "\" and the newline that follows it, so that the entry is a single line.)

    0 9 * * * /bin/grep -v demuxprotrej: /var/adm/secure \
    | tail -500 | mailx -s \
    'research.pentacorp security report' bob@pentacorp.com

This entry mails bob the last 500 lines of /var/adm/secure every day at 09:00, ignoring the demuxprotrej: warnings that you do not care about. Additional grep commands could be chained in to search for, or ignore, additional items. Note that tail -500 always takes the last 500 lines of the whole file, not just the lines added since the previous report, so on a quiet system the same entries will be mailed again the next day; rotating the log, or filtering on the date, avoids that.

Keep in mind that crackers can use crontabs similarly against you. Although I have not heard of it being done, a cracker could use a crontab entry to periodically invoke a Trojan horse. Unless the crontab entries themselves are studied, this is hard to detect because most of the time there will be no evil process running. He could even invoke a standard, unmodified program for this purpose, so searches for Trojan programs will turn up nothing. Certainly, this is a job for Tripwire: add /etc/crontab and the crontab spool directory to the files it monitors, so that a planted entry shows up as a changed file even when nothing is running.
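The following script is an added example, not code from the book; it shows both halves of the discussion above in runnable form. The first function is the grep | tail part of the crontab entry, written so it can be tried on a constructed sample of /var/adm/secure-style lines without cron or mailx. The second pair of functions is the check the last paragraph asks for: dump every crontab file the system will run into one document and diff it against a saved baseline, so that an entry a cracker planted shows up even though no process is running at the time you look. The sample log lines, the noise pattern and the crontab paths (/etc/crontab, /etc/cron.d and /var/spool/cron are the usual Linux ones) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the book's code).  Part 1: the filter half of the daily
# report crontab entry.  Part 2: a crontab inventory diffed against a baseline.
# Sample log lines and paths below are constructed assumptions.

# ---- 1. Daily log report: the "grep | tail" part of the crontab entry ------
# Constructed /var/adm/secure-style sample; not real log data.
SAMPLE_LOG='Mar  1 09:00:01 research demuxprotrej: unknown protocol 0x8021
Mar  1 09:00:05 research sshd[412]: Failed password for root from 10.0.0.7
Mar  1 09:00:09 research demuxprotrej: unknown protocol 0x8021
Mar  1 09:01:12 research su: bob to root on /dev/pts/1
Mar  1 09:02:30 research login[500]: FAILED LOGIN 3 FROM 10.0.0.9 FOR alice'

# Usage: filter_log <logfile> <ignore-regex> <max-lines>
# Drops every line matching the extended regex and keeps the last max-lines.
# Several noise patterns can go in one regex, e.g. 'demuxprotrej:|other noise',
# instead of chaining extra grep commands as the crontab entry would.
filter_log() {
    grep -E -v -- "$2" "$1" | tail -n "$3"
}

# ---- 2. Crontab inventory against a baseline -------------------------------
# Prints every file found under the given paths, each preceded by a
# "### path" header, so the whole set of crontabs is one reviewable document.
# On Linux the paths to hand it are normally /etc/crontab, /etc/cron.d and
# /var/spool/cron (or /var/spool/cron/crontabs); that is a distribution
# assumption, not something the book specifies.
dump_crontabs() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f
    done | sort | while IFS= read -r path; do
        printf '### %s\n' "$path"
        cat "$path"
    done
}

# Usage: crontab_check <baseline-file> <paths...>
# Exit status 0 if the current inventory matches the baseline, 1 if it does
# not; the diff is printed, and a planted entry appears as a "+" line.
# Keep the baseline where the cracker cannot rewrite it (read-only media,
# or another host), or have Tripwire watch it too.
crontab_check() {
    base=$1
    shift
    dump_crontabs "$@" | diff -u "$base" -
}
```

To use it for real, run dump_crontabs once on a system you trust and save the output as the baseline, then call crontab_check from a cron job of your own (or from the same daily report) and mail the output when it exits non-zero.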