Re: unix auditing for intrusion
From: C Colon (foobar@asia.com) Date: 7 Jan 2002 05:07:54 -0800
- Next message: Rick Kohrs: "UNIX - NAS - NT permission problem"
- Previous message: R.Lehmann: "Re: LISA 2001: Test Pleas Ignore: Explore the future of system administration"
> > How do I extract meaningful information from the above-mentioned
> > files in real-time?
Write a cron job that checks these audit files on a periodic basis, at an
interval set by you, and scans for keywords and messages. You need to modify
the script accordingly. For example, you can make that cron job send you a
mail as soon as it encounters an "Alert" level audit entry in the sysconf
log file.
> > How can I monitor illegal activity by a user who attacks the system's
> > weak points, say, he uses a flaw in sendmail or tries to use setuid
> > shell scripts to gain root access?
Keep a list of all suid files. Create a list of the file sizes of all suid
files and copy it elsewhere.
There are multiple freeware utilities available for the problems you
mention. For example, check lsof.
Use netstat to find out real-time connections and their meanings.
There are multiple defence strategies for multiple issues. One needs
to stay on one's toes. Keep checking www.cert.org, www.sans.org, and
other security sites.
Regards
C:\>
------------------------------
Kindly post replies to the newsgroup itself
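The two checks the reply above describes (a cron job that scans the audit log for "Alert" entries and mails you, and a saved list of suid files with their sizes kept elsewhere for comparison) as one added shell script. This is example code written for this page, not code from the original post or the thread. The log format, the "Alert" keyword, the paths in the cron line, and the use of cksum to record size and checksum together are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a cron-driven audit check
# that (1) greps an audit log for "Alert"-level entries and (2) compares the
# current set of setuid files, with size and checksum, against a saved
# baseline. Paths, the log format and the "Alert" keyword are assumptions.

# Print log lines containing the alert keyword (default "Alert").
# Exit status is grep's: 0 if at least one line matched, 1 if none.
scan_alerts() {
    log="$1"
    pattern="${2:-Alert}"
    grep -i -- "$pattern" "$log"
}

# List setuid regular files under a directory as "crc size path", one per
# line, sorted by path. cksum is POSIX, so this runs on any Unix.
list_suid() {
    find "$1" -type f -perm -4000 -exec cksum {} + 2>/dev/null | sort -k3
}

# Save the current setuid listing as the baseline to compare against later.
# Keep the baseline where a local root compromise cannot quietly edit it
# (the post's "copy them elsewhere"): another host or read-only media.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# Report setuid files that appeared ("+"), disappeared ("-") or changed in
# size or content (old line "-", new line "+") relative to the baseline.
suid_diff() {
    b=$(mktemp) && c=$(mktemp) || return 2
    sort "$1" > "$b"
    sort "$2" > "$c"
    comm -13 "$b" "$c" | sed 's/^/+ /'   # only in current: new or modified
    comm -23 "$b" "$c" | sed 's/^/- /'   # only in baseline: removed or modified
    rm -f "$b" "$c"
}

# Cron entry point: print a report only when there is something to report.
# cron mails any output of a job to its owner (or MAILTO), so this gives the
# "send me a mail as soon as it sees an Alert" behaviour without a mail call.
# Returns 0 if findings were printed, 1 if the system looked clean.
audit_check() {
    log="$1"; watchdir="$2"; baseline="$3"
    found=1
    if alerts=$(scan_alerts "$log"); then
        echo "== Alert entries in $log =="
        echo "$alerts"
        found=0
    fi
    current=$(mktemp) || return 2
    list_suid "$watchdir" > "$current"
    changes=$(suid_diff "$baseline" "$current")
    rm -f "$current"
    if [ -n "$changes" ]; then
        echo "== setuid changes under $watchdir =="
        echo "$changes"
        found=0
    fi
    return $found
}

# Example cron line (assumed paths), run every 15 minutes:
#   */15 * * * * /usr/local/sbin/audit_check.sh --run /var/adm/sysconf.log /usr /var/lib/suid.baseline
if [ "${1:-}" = "--run" ]; then
    audit_check "$2" "$3" "$4"
fi
```

Recording the checksum next to the size catches a setuid binary that was replaced by a trojaned copy padded to the same length, which a size-only list misses. The baseline and the script itself are only as trustworthy as their storage: once an attacker has root on the box, both can be rewritten, which is why the post says to copy the list elsewhere.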