The Linux Audit Framework 
The document linked below seems like a pretty decent overview of the auditing functionality on Linux. The link is here. The vital page is http://people.redhat.com/sgrubb/audit/index.html, the audit HQ.

To create a report that focuses on the login attempts to your machine, run the aureport -l command. This command generates a numbered list of all login-related events including date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID.

aureport -l
Login Report
============================================
# date time auid host term exe success event
============================================
1. 04/23/2007 12:38:38 PM root earth.example.com /dev/pts/0 /usr/sbin/sshd yes 1624
2. 04/23/2007 01:38:12 PM root earth.example.com /dev/pts/1 /usr/sbin/sshd yes 1655
3. 04/23/2007 03:32:58 PM root 192.168.0.20 /dev/pts/0 /usr/sbin/sshd yes 1712


Also, there is a RH discussion list: http://blog.gmane.org/gmane.linux.redha ... ity.audit/

Code snippet which prints the login successes or failures, including su or sudo attempts:

# ausearch -m USER_AUTH -i | sed -n "s/.*msg=audit(\([^ ]*\) \([^. ]*\).[0-9]*[:]\([0-9]*\).* uid=\([^ ]*\).* auid=\([^ ]*\).* user=\([^ ]*\) exe=\([^ ]*\).* addr=\([^,]*\).* result=\([a-zA-Z]*\).*/date='\1' time='\2' avc='\3' uid='\4' auid='\5' user='\6' exe='\7' addr='\8' result='\9'/p"

date='01/11/2011' time='07:50:24' avc='5' uid='root' auid='unset' user='root' exe='/bin/su' addr='?' result='Success'
date='01/11/2011' time='07:50:31' avc='11' uid='root' auid='unset' user='test' exe='/bin/su' addr='?' result='Success'


On Red Hat Enterprise Linux AS release 4 (Nahant Update 5) with audit-1.0.15-3.EL4 the output is:

# ausearch -m USER_AUTH -i
----
type=USER_AUTH msg=audit(01/11/2011 07:50:24.457:5) : user pid=3350 uid=root auid=unset msg='PAM authentication: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/0 result=Success)'
----
type=USER_AUTH msg=audit(01/11/2011 09:40:28.323:30) : user pid=3810 uid=root auid=unset msg='PAM authentication: user=root exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_AUTH msg=audit(01/11/2011 09:40:59.756:39) : user pid=3849 uid=root auid=unset msg='PAM authentication: user=foo exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Authentication
----
type=USER_AUTH msg=audit(01/11/2011 09:41:03.236:41) : user pid=3849 uid=root auid=unset msg='PAM authentication: user=foo exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Authentication
----
type=USER_AUTH msg=audit(01/11/2011 09:41:06.738:43) : user pid=3849 uid=root auid=unset msg='PAM authentication: user=foo exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Authentication


So the sed filter does not work for failures here the way it does on RHEL5+. Notice that the -i (interpreted) output reports a failure as just Authentication, which is a bug.

Example of how to get rid of some characters (quotes and commas) so the fields are easier to parse:

# ausearch -m USER_AUTH | sed -e "s/'//g" | sed -e "s/\"//g" | sed -e "s/,//g" | sed -e "s/Authentication failure/failure/g"


Script that parses the audit USER_AUTH records out of a saved log file, one record per line:

#!/bin/bash
# Parses interpreted USER_AUTH records from a saved audit log into one
# key='value' line per record, prefixed with the server name.
# The log name contains the server name!
# ex: /var/log/syslog-ng/date/unix/servername-audit
if [ "$1" = "" ]; then
    echo "specify pathname"
    exit 1
fi
FILE=$1
# unpredictable temp file instead of a fixed /tmp/tmp.$$ name
TMP=`mktemp /tmp/tmp.XXXXXX` || exit 1
AUDIT_HEAD=".*msg=audit(\([^ ]*\) \([^. ]*\).[0-9]*[:]\([0-9]*\).*"
AUDIT_HEAD_P="date='\1' time='\2' avc='\3'"; VAL="\([^ ]*\).*" # space ending value
SERVER=`basename $FILE | sed -e 's/-audit//g'`
# join every record onto one line (records are separated by "----"), drop
# quotes and commas, and map the newer acct=/res= field names onto user=/result=
ausearch -i -m USER_AUTH -if $FILE 2>/dev/null | \
tr -d '\n' | \
sed -e 's/----/\n/g' | \
strings | \
sed -e "s/'//g" | \
sed -e "s/\"//g" | \
sed -e "s/,//g" | \
sed -e "s/acct/user/g" | \
sed -e "s/res=/result=/g" | \
sed -n "s/${AUDIT_HEAD} uid=${VAL} auid=${VAL} user=*${VAL} exe=${VAL} addr=${VAL} result=\([^)]*\).*/${AUDIT_HEAD_P} uid='\4' auid='\5' user='\6' exe='\7' addr='\8' result='\9'/p" > ${TMP}

# prefix each parsed record with the server name taken from the file name
while read line
do
    echo -n "server='$SERVER'"
    echo " $line"
done < ${TMP}

rm ${TMP}
exit 0
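
The sed one-liner above cuts a failed login down to result='Authentication', and the script above has to rename acct=/res= fields before its own regex matches. The following function, an added example that is not the blog's one-liner or script, does both in one place: it keeps the whole result text up to the closing parenthesis, so the failure is reported as "Authentication failure", and it accepts the newer acct="..."/res=... spelling as well as the RHEL4 user=.../result=... one. Only the first sample record follows a format shown on this page; the second record's acct=/res= layout is an assumption about later audit releases, and the "----" separator lines are dropped because they never match.

```shell
#!/bin/sh
# Added example (not from the blog): parse_user_auth reads interpreted records
# (ausearch -i -m USER_AUTH) on stdin and prints one key=value line per record.
#   - the result field is captured up to ')' so "Authentication failure" survives
#   - acct= / res= (newer audit releases, assumed format) are mapped to user= / result=
#   - lines that are not USER_AUTH records ("----" separators etc.) are dropped

parse_user_auth() {
    # strip quotes and commas, then normalise the newer field names
    sed -e "s/'//g; s/\"//g; s/,//g" -e 's/acct=/user=/; s/res=/result=/' |
    # pull date, time, event id and the PAM fields out of the flattened record
    sed -n 's/^type=USER_AUTH msg=audit(\([^ ]*\) \([^.]*\)\.[0-9]*:\([0-9]*\)).* uid=\([^ ]*\) auid=\([^ ]*\).* user=\([^ ]*\) exe=\([^ ]*\).* addr=\([^ ]*\).* result=\([^)]*\).*/date=\1 time=\2 id=\3 uid=\4 auid=\5 user=\6 exe=\7 addr=\8 result=\9/p'
}

# Constructed samples: SAMPLE_OLD follows the RHEL4 format shown on the page,
# with the full "Authentication failure" text; SAMPLE_NEW assumes the newer
# acct=/res= spelling.
SAMPLE_OLD="type=USER_AUTH msg=audit(01/11/2011 09:40:59.756:39) : user pid=3849 uid=root auid=unset msg='PAM authentication: user=foo exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Authentication failure)'"
SAMPLE_NEW="type=USER_AUTH msg=audit(01/11/2011 09:41:06.738:43) : pid=3849 uid=root auid=unset ses=2 msg='op=PAM:authentication acct=\"foo\" exe=\"/usr/sbin/sshd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=ssh res=failed'"

# Run it over both records separated the way ausearch separates them
printf '%s\n----\n%s\n' "$SAMPLE_OLD" "$SAMPLE_NEW" | parse_user_auth
```

On a live system the pipe would start with `ausearch -i -m USER_AUTH | parse_user_auth`; the regex only needs the fields to appear in the order uid, auid, user, exe, addr, result, which both formats keep.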

ps3publictools 
make_self_npdrm makes valid NPDRM selfs from elfs
it does not contain any info on decrypting or removing NPDRM
NPDRM is required for interoperability of our homebrew applications
package_finalize turns your debug packages into pseudoretail packages
pseudoretail packages install on a geohot jailbroken PS3


https://github.com/geohot/ps3publictools/blob/master/README



Nagios: Could not open commandfile '/usr/local/nagios/var/rw/nagios.cmd' 
Set nagios_group in nagios.cfg to nagcmd; here is a thread.

Archive yesterday's logs 
The usual way is find with the mtime option, skipping files that are already compressed:

find /var/log/clc/ -type f -mtime 1 | grep -v '\.gz$' | xargs gzip --verbose


When you cannot use find with the mtime option for some reason, a nice functionality of the date command lets you get the date X days (hours/minutes/years) before or after now. The example compresses a specific subfolder whose name is in $year/$month/$day format.

#!/bin/bash
# name: parchive.sh
# this script is copied into /etc/cron.daily/
# It gzips yesterday's log directory $ARCHIVE_DIR/$year/$month/$day and
# mails the result to root.
cd /tmp

ARCHIVE_DIR="/home/log/"
# unpredictable temp file for the failure report (was a fixed /tmp path)
MSG_FILE=`mktemp /tmp/archive.XXXXXX` || exit 1

# date -d "1 day ago" gives yesterday's date components
year=`date +%Y -d "1 day ago"`
month=`date +%m -d "1 day ago"`
day=`date +%d -d "1 day ago"`

cd $ARCHIVE_DIR/$year/$month/$day
if [ $? != 0 ]; then
    echo "Can't change directory to $ARCHIVE_DIR/$year/$month/$day, exiting"
    echo "Can't change directory to $ARCHIVE_DIR/$year/$month/$day, exiting" \
    | mailx -s "`hostname --fqdn` ${0} failed" root@localhost
    rm -f $MSG_FILE
    exit 1
fi

gzip *
if [ $? != 0 ]; then
    echo "Gzip failed, please check the $ARCHIVE_DIR/$year/$month/$day manually. Exiting." > $MSG_FILE
    # list the processes that still hold files in this directory open
    fuser * >> $MSG_FILE
    cat $MSG_FILE
    cat $MSG_FILE \
    | mailx -s "`hostname --fqdn` ${0} failed" root@localhost
    rm -f $MSG_FILE
    exit 1
fi

rm -f $MSG_FILE
# echo -e so that \n is a real line break in the mail body
echo -e "Archives created successfully for `ls` \n at `hostname --fqdn` with ${0}" \
| mailx -s "`hostname --fqdn` ${0} ok" root@localhost


Some old codger giving a lecture about arithmetic ;) 


Some syslog-ng filter examples 
# Get almost all messages according to 
# facility and priority (old syslogd concept)
filter f_all { level(debug .. emerg); };

# Filter just messages for ssh login attempts
filter f_sshlogin { program("sshd.*") and match("(Failed|Accepted)"); };

# Filter anything with "mymsg" messages
filter f_rmatch { match("mymsg"); };




Some links to Y2be videos 
http://www.youtube.com/user/FreeScienceLectures#p/u
http://www.youtube.com/watch?v=bvnyot6T ... re=related
http://www.youtube.com/watch?v=tI6S5CS- ... re=related
http://www.youtube.com/watch?v=OBmhoGRD ... re=related

Timey-Wimey T-Shirt 
http://www.cafepress.com/+timeywimey_tshirt,485649588

Monitoring Compaq Computer Corporation Smart Array with Nagios 
# kudzu -p | grep Array
desc: "Compaq Computer Corporation Smart Array 5i/532"


You will need hpaducli-8.60-8.0.noarch.rpm which contains HP Array Diagnostics Utility (CLI) for Linux. It can be downloaded here:

http://h20000.www2.hp.com/bizsupport/Te ... 9c1ff709dd

The output from the command line diagnostics looks like:

# /usr/sbin/hpacucli controller all show status
Smart Array 5i in Slot 0 (Embedded)
Controller Status: OK
Cache Status: OK
Battery/Capacitor Status: OK


The actual script for getting the controller status (Nagios probe):

#!/bin/sh

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# unpredictable temp file for the hpacucli output, removed on any exit
TMP=`mktemp /tmp/check_raid.XXXXXX` || exit $STATE_UNKNOWN
trap 'rm -f $TMP' EXIT
/usr/bin/sudo /usr/sbin/hpacucli controller all show status > $TMP

# collapse the report onto one line for the Nagios status text
CTRLR_STATUS=""
while read line
do
    CTRLR_STATUS="$CTRLR_STATUS $line "
done < $TMP

# controller, cache and battery must all report OK (three "Status: OK" lines)
if [ `grep "Status:" $TMP | grep -c "OK"` -lt 3 ]; then
    echo "CRITICAL: $CTRLR_STATUS"
    exit $STATE_CRITICAL
fi
echo "OK: $CTRLR_STATUS"
exit $STATE_OK
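
The probe above counts "OK" lines and goes CRITICAL when there are fewer than three, which means a second controller with a failed component could still pass as long as three other lines say OK. The function below is an added example, not the blog's probe: it looks at every Status: line individually, returns CRITICAL for any value other than OK, and returns UNKNOWN when the report is empty (for instance when sudo refused to run the tool). The sample reports are constructed after the hpacucli output shown above; if a controller legitimately reports a non-OK value (a cache that is not configured, say), that value would have to be whitelisted in the grep.

```shell
#!/bin/sh
# Added example (not the blog's probe): classify hpacucli "controller all show
# status" output line by line rather than counting OK lines.

STATE_OK=0
STATE_CRITICAL=2
STATE_UNKNOWN=3

# raid_status_code REPORT: prints a one-line Nagios message and returns the state
raid_status_code() {
    report="$1"
    # number of component status lines; "|| true" keeps grep's exit 1 on zero matches harmless
    total=`printf '%s\n' "$report" | grep -c 'Status:' || true`
    if [ "$total" -eq 0 ]; then
        echo "UNKNOWN: no Status: lines in hpacucli output (sudo denied or tool missing?)"
        return $STATE_UNKNOWN
    fi
    # every Status: line whose value is not OK, joined with ';' for the status text
    bad=`printf '%s\n' "$report" | grep 'Status:' | grep -v 'Status: OK' | tr -s ' ' | tr '\n' ';'`
    if [ -n "$bad" ]; then
        echo "CRITICAL: $bad"
        return $STATE_CRITICAL
    fi
    echo "OK: $total components report OK"
    return $STATE_OK
}

# Constructed sample with one failed component (shape taken from the page's output)
SAMPLE_DEGRADED="Smart Array 5i in Slot 0 (Embedded)
Controller Status: OK
Cache Status: OK
Battery/Capacitor Status: Failed"

# Stand-alone run; in the real probe the argument would be the captured hpacucli output
raid_status_code "$SAMPLE_DEGRADED"
```

In the probe itself the call becomes `raid_status_code "\`/usr/bin/sudo /usr/sbin/hpacucli controller all show status\`"` followed by `exit $?`, so no temp file is needed at all.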


The /usr/sbin/hpacucli requires root to run, therefore Nagios should use sudoers to run the tool:

Cmnd_Alias HPACUCLI = /usr/sbin/hpacucli
%nagios ALL = NOPASSWD: HPACUCLI


As it does not run from an interactive session, requiretty must be commented out in sudoers:

#Defaults    requiretty



RSA SecurID® Appliance 
http://www.itsecuritywarehouse.com/Shop ... 9pd324.htm

http://www.rsa.com/products/securid/dat ... S_0710.pdf


