Ingo, Jean-Francois, Gilbert Fernandes, Ted Unangst, Cesary Morga, Joe Gidi, and Matheus Weber da Conceicao (hope I didn't miss anyone),

Thank you all for your patience and guidance. I'll look at apropos(1), daily(8), and security(8) in the man pages and try to utilize them more. Last was a cool command to learn.

Sincerely,
Ted

-----Original Message-----
From: Ingo Schwarze [mailto:schwa...@usta.de]
Sent: Tuesday, April 14, 2009 4:11 PM
To: LeRoy, Ted
Cc: misc@openbsd.org
Subject: Re: Recommendations on a daily script to check syslog (or other) server security

Hi Ted,

LeRoy, Ted wrote on Tue, Apr 14, 2009 at 03:28:51PM -0400:

> I'm pretty new to OpenBSD and BSD in general,

In that case, welcome, but don't forget to read the fine manuals. Have a look at apropos(1) in particular.

> but I have an OpenBSD Syslog server up and receiving data.
> I'd like to have the system be pretty secure, and I'd like to
> monitor its security via a simple script that runs daily.

Did you read daily(8) and security(8)?

Besides, OpenBSD is secure by default. Most people trying to make it more secure will typically end up making it less secure. Beginners will almost certainly rather break than improve security when trying to tweak anything.

> Here's what I have in the script at the present time:
>
> { uptime ; date ; who ; ps -al ; cat /var/log/adduser ; cat
> /var/log/authlog ; cat /var/log/messages ; cat /var/log/secure ; cat
> /var/log/router ; } > daily-log.txt

You could put part of this into /etc/daily.local, but most of it does not look useful. In particular, pay attention not to copy the contents of files like /var/log/secure and /var/log/authlog into world-readable files.

Besides, if you want a different logging layout, use syslog.conf(5) and newsyslog(8) rather than cat(1). But probably, you should first try to understand and get used to the standard layout before tweaking it. Chances are, there is no need for tweaking, and you will just screw it up.

> Can some of you BSD pros out there recommend some additions or changes
> or other things that should be checked to help ensure the system isn't
> compromised?

I'm working on improvements of daily/weekly/monthly right now. Of course, I cannot promise that there will be any result - and that the other developers will like it. Please be patient for some days or weeks and stay tuned...

> Is there a way to see who has logged into the system over a given period
> for example? Who only tells me who's logged in when the command is run.

Did you look at "SEE ALSO" in who(1)? Check out last(1) and /var/log/authlog.

> My sincere apologies if this isn't the right list for this query.
> Please direct me to the proper area if that's the case.

The list is right, but please try a bit harder to find answers yourself before posting, using the manual, the FAQ on the OpenBSD website and the mailing list archives.

Yours,
Ingo
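The two concrete points Ingo makes about Ted's script, not dumping /var/log/secure and /var/log/authlog into a world-readable file and using last(1) instead of who(1) for login history, can be shown in a small daily.local-style script. The following is an added example written for this thread, not code from either poster or from the OpenBSD daily(8) scripts; the report and authlog paths are parameters, the authlog content it runs against is constructed, and the report is created under umask 077 so it ends up mode 0600 instead of whatever the invoking shell's umask happens to give.

```shell
#!/bin/sh
# Added example (not from the thread): a daily.local-style login report that
# keeps its output root-only and summarises the authlog instead of copying it.
# write_report REPORT AUTHLOG is the function a daily.local would call; the
# other functions build constructed sample data and check the result.

# write_report REPORT_FILE AUTHLOG
# Writes a login summary to REPORT_FILE, created with mode 0600 (umask 077
# is set inside a subshell so the caller's umask is untouched).
write_report() {
    report="$1"
    authlog="$2"
    (
        umask 077
        {
            echo "== $(date) =="
            echo "-- uptime --"; uptime || true
            echo "-- current sessions (who) --"; who || true
            echo "-- login history (last) --"
            if command -v last >/dev/null 2>&1; then
                last -n 20 2>/dev/null || true
            else
                echo "(last(1) not available on this host)"
            fi
            echo "-- accepted logins in authlog --"
            grep 'Accepted' "$authlog" || true
            echo "-- failed logins in authlog --"
            grep -e 'Failed password' -e 'Invalid user' "$authlog" || true
        } > "$report"
    )
}

# count_failed AUTHLOG: number of failed/invalid login lines the filter finds
count_failed() {
    grep -c -e 'Failed password' -e 'Invalid user' "$1" || true
}

# make_sample_authlog FILE: constructed sshd lines for offline demonstration
# (hostnames, users and addresses are made up; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges).
make_sample_authlog() {
    cat > "$1" <<'EOF'
Apr 14 03:01:12 syslog1 sshd[1234]: Accepted publickey for ted from 192.0.2.10 port 51234 ssh2
Apr 14 03:05:40 syslog1 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Apr 14 03:05:41 syslog1 sshd[1240]: Invalid user admin from 198.51.100.7
Apr 14 03:07:02 syslog1 sshd[1251]: Failed password for root from 198.51.100.7 port 40031 ssh2
EOF
}

# report_mode FILE: the permission string ls(1) shows, e.g. -rw-------
report_mode() {
    ls -ld "$1" | cut -c1-10
}

# demo: run the report against the constructed authlog in a temporary
# directory and show that the report file is owner-only.
demo() {
    tmp=$(mktemp -d)
    make_sample_authlog "$tmp/authlog"
    write_report "$tmp/daily-log.txt" "$tmp/authlog"
    cat "$tmp/daily-log.txt"
    echo "report mode: $(report_mode "$tmp/daily-log.txt")"
    rm -rf "$tmp"
}

demo
```

On a real host the report would go somewhere only root can read (for instance a directory under /var with mode 0700), and the grep patterns would be adjusted to whatever sshd actually logs on that system; the point of the example is the umask and the summarising, not the exact patterns.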