OpenBSD Journal

Installing Logcheck

Contributed by Dengue on from the yet-some-more-of-the-old-stuff dept.

Still some more old content; I'm re-posting the shorter pieces first (little to no editing required on these) and will continue to edit and re-post more of the older content. This article outlines installing and configuring Logcheck to augment OpenBSD's already excellent set of logging utilities.

Getting started with Logcheck

The easiest way to get started with Logcheck is to download the files from Logcheck's homepage. I grabbed version 1.1 and got started by untarring the source in ~/dengue/src/logcheck-1.1. Important tip: don't go madly untarring sources as root. You will be sorry when you accidentally blow something important away. I like to create a src directory inside my home dir and work on files there. Don't get into the habit of routinely using the root account to do normal user tasks. Bad things happen this way.

What's the first thing you do after untarring source?

Read the README, of course.

Hmmm, no specific mention made of OpenBSD.

What's the second thing you do after untarring source?

Read the INSTALL, of course.

Hmmm, better, but still no banana.

A quick look at the Makefile told me there was no native port for OpenBSD. Based on good mojo with FreeBSD-based apps, and after looking closely at the BSDI port as well, I determined it should be easy to modify. I started by copying the contents of ./systems/freebsd/ to ./systems/openbsd/. Then I started editing the Makefile. Here's a context diff of the changes I made:

--- Makefile.orig       Tue Nov  2 23:15:07 1999
+++ Makefile    Tue Nov  2 23:12:36 1999
@@ -19,18 +19,18 @@
 # the new paths!!
 # This is where keyword files go.
-INSTALLDIR = /usr/local/etc
+INSTALLDIR = /etc
 # This is where logtail will go
 INSTALLDIR_BIN = /usr/local/bin
 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
 # if you want this. /usr/local/etc was kept for compatibility reasons.
-#INSTALLDIR_SH = /usr/local/bin
-INSTALLDIR_SH = /usr/local/etc
+INSTALLDIR_SH = /usr/local/bin
+#INSTALLDIR_SH = /usr/local/etc
 # The scratch directory for logcheck files.
-TMPDIR = /usr/local/etc/tmp
+TMPDIR = /var/logcheck
 # Debug mode for logtail
 # CFLAGS = -g -DDEBUG
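Review bot: the two comment lines above INSTALLDIR_SH now describe the opposite of what is set: they say /usr/local/etc was kept as the default for compatibility and tell the reader to uncomment the /usr/local/bin line, but this hunk makes /usr/local/bin the active value and comments out /usr/local/etc; update the comment so it matches. The other path changes are fine only as long as logcheck.sh is edited to agree with them, since the script hardcodes its own copies of the INSTALLDIR and TMPDIR locations.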
@@ -100,4 +100,5 @@
 digital:
                make install SYSTYPE=digital
-
+openbsd:
+               make install SYSTYPE=openbsd
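Review bot: the recipe line under the new openbsd: target is shown indented with spaces; make requires a leading tab there, so if the tab did not survive the paste, patch will still apply but make openbsd will fail on that line. The target also only works once ./systems/openbsd/ exists, and the copy of ./systems/freebsd/ that creates it is a manual step this patch does not cover, so either add that copy to the target or state it beside the diff.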
As you can see, I changed INSTALLDIR to /etc, which is where machine-specific configuration files go on OpenBSD. I made sure the executable script and binary would wind up in /usr/local/bin by setting INSTALLDIR_BIN and INSTALLDIR_SH. I also changed the TMPDIR variable to point to /var/logcheck, and added an openbsd target that lets you run make openbsd and have it build neatly. The clever ones among you will know to cut and paste that diff and use it with patch -p0 in the source directory to patch the files for use. See man patch for more details.

After patching the Makefile, I changed to the newly created ./systems/openbsd/ directory and edited logcheck.sh to match the values in my Makefile. Here is another context diff (diff -u):

--- logcheck.sh Wed Nov  3 13:29:05 1999
+++ logcheck.sh.modified        Wed Nov  3 13:28:48 1999
@@ -52,7 +52,7 @@
 # You would also be well advised to make sure all your system/cron scripts
 # use this directory for their scratch area. 
 
-TMPDIR=/usr/local/etc/tmp
+TMPDIR=/var/logcheck
 
 # The grep command. This command MUST support the
 # -i -v and -f flags!! The GNU grep does this by default (thats
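Review bot: TMPDIR=/var/logcheck does not exist on a base OpenBSD install, and the script writes its scratch file $TMPDIR/check.$$ there on every cron run, so create the directory as part of the install (root-owned, mode 0700, in keeping with the "make sure all your system/cron scripts use this directory" note above) rather than leaving it to be discovered at the first hourly run; it holds extracts of authlog and secure, so it must not live under a world-writable path.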
@@ -89,7 +89,7 @@
 # look for generic ISS probes (who the hell else looks for 
 # WIZ besides ISS?), and obvious sendmail attacks/probes.
 
-HACKING_FILE=/usr/local/etc/logcheck.hacking
+HACKING_FILE=/etc/logcheck.hacking
 
 # File of security violation patterns to specifically look for.
 # This file should contain keywords of information administrators should
@@ -98,7 +98,7 @@
 # some items, but these will be caught by the next check. Move suspicious
 # items into this file to have them reported regularly.
 
-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+VIOLATIONS_FILE=/etc/logcheck.violations
 
 # File that contains more complete sentences that have keywords from
 # the violations file. These keywords are normal and are not cause for 
@@ -115,14 +115,14 @@
 #
 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
 
-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+VIOLATIONS_IGNORE_FILE=/etc/logcheck.violations.ignore
 
 # This is the name of a file that contains patterns that we should
 # ignore if found in a log file. If you have repeated false alarms
 # or want specific errors ignored, you should put them in here.
 # Once again, be as specific as possible, and go easy on the wildcards
 
-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+IGNORE_FILE=/etc/logcheck.ignore
 
 # The files are reported in the order of hacking, security 
 # violations, and unusual system events. Notice that this
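Review bot: with both ignore files moved under /etc, a missing file makes the grep -f step fail outright and an empty one is exactly the case the "DO NOT LEAVE IT EMPTY" comment warns about, so after make openbsd verify that /etc/logcheck.violations.ignore and /etc/logcheck.ignore both exist and are non-empty (INSTALLDIR=/etc in the Makefile must actually copy them there) before the first cron run.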
@@ -181,6 +181,15 @@
 #$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
 # Un-comment out the line below if you are using BSDI 2.1
 #$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
+
+# OpenBSD Added by --jim--
+
+$LOGTAIL /var/log/adduser > $TMPDIR/check.$$
+$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/messages >> $TMPDIR/check.$$
+$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
 
 # SunOS, Sun Solaris 2.5
 #$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
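Review bot: the first $LOGTAIL line of the OpenBSD block uses > and so truncates $TMPDIR/check.$$ before the appends that follow; that matches how the SunOS block below starts, but it silently discards anything an earlier line already appended (the BSDI daemon.log line just above, should someone uncomment it), so either keep this block first or use >> throughout and truncate the scratch file once at the top of the script. /var/log/maillog and /var/log/secure are mode 0600 root by default, so these lines only work when the script runs from root's crontab.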
Again, the clever ones will use patch -p0 to apply the diff and save a lot of typing.

At this point, all of the necessary files are patched and you can start the build. One thing I don't like about the supplied Makefile is that make also installs. I would prefer the standard make, then make install, so I could look things over after building but prior to installation.

After building and installing Logcheck, the next step is configuration. Logcheck runs from a cron script, so you can set it to run as frequently or infrequently as you wish. I chose the default example of 1-hour intervals and set my crontab accordingly. On OpenBSD, crontabs are located in /var/cron/tabs/ and are edited via crontab. To edit your root crontab (you will need to be root to read all of the logs), simply su to root and type crontab -e. For a 1-hour interval scan, your crontab entry should look like this:

00      *       *       *       *       /usr/local/bin/logcheck.sh
Once you get cron set up to execute Logcheck, you need to look at the logcheck.* configuration files in the /etc directory. Craig has partially filled these out for you, but you definitely need to customize them for your site, particularly the logcheck.ignore file. I recommend creatively using grep to determine what is and what isn't suspicious behavior on your machine. For instance, I don't need to know every time ntpd synchronizes, so I added:
ntpd.*: synchronisation lost
ntpd.*: synchronized to
to my /etc/logcheck.ignore file. I do want to know when a failed su attempt occurs, so I added:
BAD SU
to my /etc/logcheck.hacking file.
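The three passes that logcheck.sh makes over freshly tailed lines (hacking keywords; violations keywords minus violations.ignore; everything minus ignore), carried out over a few constructed log lines with the ntpd and BAD SU entries just added. This is an added example, not Logcheck's own script: the section titles, keyword files and log lines are made up for the demonstration, and the grep -i -f / grep -v -f logic follows the comments in logcheck.sh.

```shell
#!/bin/sh
# Added example (not Logcheck's own code): re-create the three passes that
# logcheck.sh makes over freshly tailed log lines with its keyword files,
# using grep -i -f as the script's comments describe. Keyword contents, log
# lines and section titles are constructed; file names mirror /etc/logcheck.*.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# grep -v -f on an EMPTY pattern file is not portable: some greps then match
# every line, so -v would drop the whole report. That is what the script's
# "DO NOT LEAVE IT EMPTY" warns about; here an empty file simply ignores nothing.
drop_matches() {                 # $1 = pattern file; filters stdin
    if [ -s "$1" ]; then grep -v -f "$1" || true; else cat; fi
}

setup_sample() {                 # constructed keyword files and tailed log lines
    printf 'BAD SU\n' > "$WORK/logcheck.hacking"
    printf 'su:\nLOGIN FAILURE\n' > "$WORK/logcheck.violations"
    printf 'su: [a-z]* to root on\n' > "$WORK/logcheck.violations.ignore"
    printf 'ntpd.*: synchronisation lost\nntpd.*: synchronized to\n' \
        > "$WORK/logcheck.ignore"
    cat > "$WORK/check" <<'EOF'
Nov  3 10:04:12 ulysses su: BAD SU dengue to root on /dev/ttyp0
Nov  3 10:05:01 ulysses su: dengue to root on /dev/ttyp0
Nov  3 10:06:30 ulysses ntpd[123]: synchronized to 10.0.0.1, stratum 2
Nov  3 10:07:44 ulysses login: 1 LOGIN FAILURE ON ttyp1, dengue
Nov  3 10:08:00 ulysses sendmail[456]: starting daemon
EOF
}

logcheck_report() {              # the three sections, in logcheck's order
    [ -f "$WORK/check" ] || setup_sample
    echo "== hacking (logcheck.hacking) =="
    grep -i -f "$WORK/logcheck.hacking" "$WORK/check" || true
    echo "== violations (logcheck.violations minus .ignore) =="
    { grep -i -f "$WORK/logcheck.violations" "$WORK/check" || true; } \
        | drop_matches "$WORK/logcheck.violations.ignore"
    echo "== unusual (everything not in logcheck.ignore) =="
    drop_matches "$WORK/logcheck.ignore" < "$WORK/check"
}

logcheck_report
```

Note that the BAD SU line shows up in all three sections and the successful su only in the last one: the violations.ignore pattern is deliberately narrow, which is the "be as specific as possible" advice in practice.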

Now that you have Logcheck set to run, take a look at the permissions on your log files. On a default 2.5 install (honest, Dad, I didn't touch a thing!) your permissions should look like this:

[dengue@ulysses dengue]$ ls -l /var/log/*  
-rw-r--r--  1 root  wheel    235 Oct 31 17:26 /var/log/adduser
-rw-r-----  1 root  wheel  12475 Nov  3 10:04 /var/log/authlog
-rw-rw-r--  1 root  wheel  12710 Nov  2 21:40 /var/log/daemon
-rw-------  1 root  wheel   1269 Nov  3 11:35 /var/log/maillog
-rw-r--r--  1 root  wheel  16180 Nov  3 10:00 /var/log/messages
-rw-------  1 root  wheel     62 Oct 28 11:00 /var/log/secure
I don't really want other users to be able to read the logs, so I changed the log file permissions to look like this:
[dengue@openbsd openbsd]$ ls -l /var/log/*
-rw-r-----  1 root  wheel     292 Oct 19 15:53 /var/log/adduser
-rw-r-----  1 root  wheel  14664 Nov  3 13:38 /var/log/authlog
-rw-r-----  1 root  wheel  26502 Nov  3 12:45 /var/log/daemon
-rw-------  1 root  wheel    4326 Nov  3 11:35 /var/log/maillog
-rw-r-----  1 root  wheel  2794 Nov  3 08:14 /var/log/messages
-rw-------  1 root  wheel      62 Oct 30 16:00 /var/log/secure
This way, all of the members of group wheel can read logs without having to su. But if someone compromises a privileged user account, they will still need to compromise root to modify the logs. Normal users can't read the logs, and shouldn't be reading them either.
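A small audit of ls -l output against the policy just described (owner root, group wheel, nothing for "other", group may read but not write), as an added example that is not from the article; the listing it is fed is constructed from the default-install output above.

```shell
#!/bin/sh
# Added example (not from the article): check ls -l output against the policy
# the article settles on for /var/log, namely owner root, group wheel, no bits
# for "other", and group allowed to read but never write. The listing fed in
# below is constructed from the article's default-install "before" output.
audit_log_perms() {        # reads ls -l lines on stdin, prints one line per finding
    awk '
    NF >= 9 {
        mode = $1; owner = $3; group = $4; file = $NF
        grp = substr(mode, 5, 3); oth = substr(mode, 8, 3)
        if (owner != "root" || group != "wheel")
            printf "%s: owned by %s:%s, expected root:wheel\n", file, owner, group
        if (oth != "---")
            printf "%s: world bits %s, fix with chmod o-rwx %s\n", file, oth, file
        if (substr(grp, 2, 1) == "w")
            printf "%s: group-writable, fix with chmod g-w %s\n", file, file
    }'
}

default_listing() {        # constructed input; mirrors a default 2.5 install
    cat <<'EOF'
-rw-r--r--  1 root  wheel    235 Oct 31 17:26 /var/log/adduser
-rw-r-----  1 root  wheel  12475 Nov  3 10:04 /var/log/authlog
-rw-rw-r--  1 root  wheel  12710 Nov  2 21:40 /var/log/daemon
-rw-------  1 root  wheel   1269 Nov  3 11:35 /var/log/maillog
-rw-r--r--  1 root  wheel  16180 Nov  3 10:00 /var/log/messages
-rw-------  1 root  wheel     62 Oct 28 11:00 /var/log/secure
EOF
}

default_listing | audit_log_perms
```

On OpenBSD the rotated copies are created by newsyslog(8) with the owner and mode given in /etc/newsyslog.conf, so set the same mode there or the next rotation undoes the chmod.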

It will take some trial and error to determine what you want Logcheck to ignore and what you want Logcheck to warn you about. Craig includes good documentation with Logcheck; definitely read it. You can expect some pretty big e-mails when Logcheck first runs, but with a little trial and error it is easy to configure.

I highly recommend Craig Rowland's Logcheck as an excellent addition to OpenBSD's already comprehensive set of logging and notification tools.

*Author's Note*

Since the original publication of this article, I have been contacted by Craig, and he is planning on including the configuration changes necessary to ease OpenBSD installation in the next release of Logcheck.



Comments
  1. By josh () kingjosh@hotbot.com on anti.pyar.com

    Ever think of committing it to the ports tree?
