secure log question
Rick Stevens
rstevens at vitalstream.com
Fri Aug 18 20:59:59 UTC 2006
On Fri, 2006-08-18 at 16:48 +0100, Stuart Sears wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bret Stern wrote:
> > What is this process/session from the log "secure" on Fedora 5?
> >
> > Aug 16 04:02:09 servant su: pam_unix(su:session): session opened for user
> > beagleindex by (uid=0)
>
> that looks like beagled has been run to index files on your filesystem.
> Probably as a cron task. In fact definitely.
> this is run by cron via the /etc/cron.daily/beagle-crawl-system script
>
> > What log is the best place to look for malicious
> > connections?
>
> /var/log/messages
> - should tell you when (eg) login sessions are opened
> and also
> /var/log/secure
> will give you security information about them.
Don't forget to use "lastlog" to check the login history of users.
> relying on local logs to detect malicious connections
> is not particularly reliable. if you have a firewall in place most
> incoming traffic will be rejected in any case.
Yup. Firewalls good. :-)
> other services will have logs that they use to detail requests that they
> have responded to or rejected.
'tis also good to have snort (http://www.snort.org/) in your hip pocket.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- grep me no patterns and I'll tell you no lines -
----------------------------------------------------------------------
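As an added example (not from the thread or any of its posters), a small Python check over constructed lines in the /var/log/secure format quoted above: it parses the pam_unix "session opened" entries and flags su sessions other than root's expected cron switch into beagleindex. The EXPECTED_ROOT_SU set and every sample line except the beagleindex one are assumptions.

```python
import re

# Constructed sample in the /var/log/secure format quoted in the thread
# (the beagleindex line is the one Bret asked about; the rest are made up).
SAMPLE_SECURE_LOG = """\
Aug 16 04:02:09 servant su: pam_unix(su:session): session opened for user beagleindex by (uid=0)
Aug 16 04:02:41 servant su: pam_unix(su:session): session closed for user beagleindex
Aug 16 11:17:03 servant sshd[2231]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Aug 16 11:18:55 servant su: pam_unix(su:session): session opened for user root by bob(uid=500)
Aug 16 23:40:12 servant su: pam_unix(su:session): session opened for user postgres by (uid=0)
"""

# One regex for the "session opened" line; "by" is empty when cron runs su (no logname).
SESSION_OPEN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<service>[\w-]+):session\): session opened for user (?P<user>\S+) "
    r"by (?P<by>\w*)\(uid=(?P<uid>\d+)\)$"
)

# Accounts root is expected to su into from cron; beagleindex comes from the
# /etc/cron.daily/beagle-crawl-system script named in the thread (assumed list).
EXPECTED_ROOT_SU = {"beagleindex"}


def parse_session_opens(text):
    """Return one dict per 'session opened' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SESSION_OPEN_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["uid"] = int(ev["uid"])
            events.append(ev)
    return events


def flag_su_sessions(events, expected=EXPECTED_ROOT_SU):
    """Flag su sessions worth a second look: anyone becoming root, or root
    becoming an account that is not on the expected cron list."""
    flagged = []
    for ev in events:
        if ev["service"] != "su":
            continue  # sshd/login sessions are better checked with lastlog and messages
        if ev["user"] == "root":
            flagged.append((ev["ts"], f"{ev['by'] or 'uid ' + str(ev['uid'])} became root"))
        elif ev["uid"] == 0 and ev["user"] not in expected:
            flagged.append((ev["ts"], f"root became {ev['user']} (not an expected cron su)"))
    return flagged
```

Run it against a real /var/log/secure by reading the file into `parse_session_opens`; the beagleindex line is left alone while the two constructed su events are reported.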