Monitoring System Activity
Examine all of the log files regularly for errors, warnings, and signs of an attack. This task can be automated by using log analysis tools or a simple grep command.
Sun Linux includes an automatic log analysis and reporting tool named logwatch. This tool sends nightly email reports to the root user. The recipient address can be changed by editing the /etc/log.d/conf/logwatch.conf file. Logwatch is of limited use from a security perspective because it reports on a nightly schedule and does not continuously monitor for unusual activity.
The syslog daemon receives log messages from several sources and directs them to the appropriate location based on the configured facility and priority. The syslog() programming interface and the logger command are available for creating log messages. Each selector in the /etc/syslog.conf file pairs a facility (the application type) with a priority and forwards the matching log messages to a specified location. The location can be a log file, a network host, selected users, or all users.
By default, Sun Linux defines several log files in the /etc/syslog.conf file:
The /var/log/messages log file contains a majority of the system messages.
The /var/log/maillog file contains mail system messages.
The /var/log/secure log file contains a majority of the security messages from sudo and ssh.
If you change the /etc/syslog.conf file, the syslog daemon must be restarted or signaled to reread its configuration. The following command sends it a HUP signal, which causes it to reload /etc/syslog.conf.
# killall -HUP syslogd
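The "simple grep command" mentioned earlier, worked out as an added example that is not from the Sun Linux documentation: POSIX shell functions that scan /var/log/secure for repeated failed ssh logins and for sudo commands refused by policy, run here on constructed sample lines. The host name, user names and IP addresses in the sample are made up, and the message formats assumed are the standard sshd and sudo syslog formats.

```shell
#!/bin/sh
# Added example (not Sun's code): grep-style checks over /var/log/secure.
# Assumes the usual "Mon DD HH:MM:SS host prog[pid]: msg" syslog layout
# written by sshd and sudo. The sample below is constructed, not real data.
SAMPLE_SECURE='Mar  3 02:14:07 host1 sshd[1201]: Failed password for root from 192.0.2.10 port 41022 ssh2
Mar  3 02:14:09 host1 sshd[1201]: Failed password for root from 192.0.2.10 port 41023 ssh2
Mar  3 02:14:12 host1 sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 41030 ssh2
Mar  3 02:15:01 host1 sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Mar  3 02:16:44 host1 sudo:    bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 02:17:02 host1 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service sshd restart'

# Count failed ssh password attempts from one source address.
# Usage: failed_ssh_from <logtext> <ip>   (prints a number, always exits 0)
failed_ssh_from() {
    # Escape the dots so 192.0.2.10 does not also match 192.0.2.100 etc.
    ip=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" \
      | grep -c "sshd\[[0-9]*\]: Failed password for .* from $ip port" || true
}

# Count sudo invocations that the sudoers policy refused.
# Usage: sudo_denied <logtext>
sudo_denied() {
    printf '%s\n' "$1" | grep -c 'sudo: .*command not allowed' || true
}

# List source addresses with at least <threshold> failed ssh logins,
# one "ip count" pair per line, most active first.
# Usage: ssh_bruteforce_report <logtext> <threshold>
ssh_bruteforce_report() {
    printf '%s\n' "$1" \
      | grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed 's/.* from \([0-9.]*\) port .*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$2" '$1 >= t { print $2, $1 }'
}
```

In production the functions would be fed the real file (for example, `ssh_bruteforce_report "$(cat /var/log/secure)" 5`) from a cron job, with the report mailed to the administrator alongside the logwatch output.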
In addition to logging syslog events locally on each client system, Sun recommends that syslog events also be sent to a centralized log server, where logs can be more safely stored and analyzed. As an added benefit, logs sent to a central location are more likely to be preserved if the client system is compromised.
Note that syslog monitoring is just one monitoring mechanism. Sun recommends that users protect their environments through architectures that implement defense in depth: mutually reinforcing, complementary security controls. The methodology for determining which controls are most appropriate to your environment, and where they should be positioned in your architecture, is outside the scope of this article.
Additional layered monitoring methods, such as periodic vulnerability assessments, file system integrity monitoring, and host-based intrusion detection mechanisms, can greatly improve your ability to detect attempted or actual security breaches, whereas a single method might be more easily subverted.