On Feb 04, vic <vic66@xxxxxxxxx> wrote:
> visto che mi sarei stufato di trovarmi una mail ogni 30 minuti piena di
> log DENY, di accesso alle mailbox e di aggiornamento dei newsgroup
> (perche' poi questi debbano essere Unusual System Events?!?) volevo
> configurare logcheck in modo che mi passasse solo i log di eventi
> realmente preoccupanti i.e. malfunzionamenti, log Accept su porte
> dedicate, etc.
> Ho provato a leggere il man di logcheck ma ho scoperto che non esiste
> cosi' come non esiste il man per nessuno dei vari file di
> configurazione.
> Conoscete una Doc che mi possa aiutare a capire i file di
> configurazione in questione per modificarli?
######################################################################
SYNOPSIS
--------
Logcheck-database provides the egrep patterns required by the
package "logcheck"; they are used to filter recent log messages
(collected using "logtail") into a mailed news summary.
======================================================================
SETS OF RULES
-------------
There are three layers of sets of filtering rules, all of which are
normal egrep pattern-matches, applied in turn.
1) the "ATTACK ALERTS" layer, designed to detect the traces of active
intrusion attempts.
Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
event that matches one of these patterns turns the report
into an urgent "Attack Alerts" report, with the relevant
event moved to a special section. The cracking.d standard
keywords file is seeded with known symptoms of hostile
activity (see logcheck's README.keywords file).
Patterns cancelling such maximum-priority alarms are not used in
the default logcheck configuration, but if the local
administrator enables this layer of filtering in
logcheck.conf, then the rules go in the directory
"/etc/logcheck/cracking.ignore.d". Matches with
cracking.ignore rules will then reclassify the alert as a
false alarm (compare violations.ignore below). Note that
this means they are totally ignored - log messages handled
at one layer are not carried over to lower layers.
2) the "SECURITY VIOLATIONS" layer, designed to detect less critical
events still considered worthy of special attention.
Patterns raising the alarm go in "/etc/logcheck/violations.d";
matches with these result in a "Security Violations" alert,
with the relevant event moved to a special section.
Patterns cancelling such alarms go in the standard directory
"/etc/logcheck/violations.ignore.d"; apparent "Security
Violations" that match with violations.ignore patterns are
discarded as false alarms.
3) the "SYSTEM EVENTS" layer, handling leftover log messages.
This layer doesn't have an equivalent to the alarm-raising
cracking.d and violations.d; instead _all_ remaining lines
from the logfiles are considered for inclusion in the main
"System Events" section.
Patterns in the three "/etc/logcheck/ignore.d.*" directories
again function to overrule alerts; the log messages that
match them are excluded from the report as trivial. The
specific directories consulted depend on the prevailing
logcheck "REPORTLEVEL" (for details see the corresponding
README for logcheck). The bare minimum is the set of
filters in ignore.d.paranoid.
When _no_ logged events make it through the filters no report is
mailed.
======================================================================
FILES WITHIN EACH DIRECTORY
---------------------------
Each of the rules-directories can contain pattern files of the
following kinds:
./<packagename>
Contains filters relevant to only one Debian package - for
example if "fooserver" logs suspicious events like this:
"$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
then a line in "/etc/logcheck/violations.d/fooserver" with
an appropriate pattern will promote it from a mere "System
Event" to a full "Security Violation" in a subsection of
the mailing headed "fooserver". Or then again if that kind
of log message is more trivial than it looks (maybe "foo" is
a networked game of spy-and-counterspy) then a line in
"/etc/logcheck/ignore.d.server/fooserver" will turn it into
a nonevent for all but the most assiduous of administrators.
Sometimes a package will have not only special alarm calls
which _do_ need to be "Security Violations" triggers but also
exceptional variants which _don't_ - maybe it logs either
"$DATE $HOSTNAME fooserver[$PID]: $USER barred" or
"$DATE $HOSTNAME fooserver[$PID]: none barred". In this
situation the alarm can be overruled by a violations.ignore
rulefile named "fooserver" which filters "none barred".
This will _not_ affect other "Security Violations" featuring
the words "none barred" (that might allow crackers to use
those words to cover attacks on ssh). Instead, any
<packagename> ignore-files only affect the log messages that
would have been in that package-specific report section.
Apart from anything else this limitation reduces the number
of rules that need to be processed.
./logcheck or ./logcheck-<packagename>
Standard "generic" rules go in each directory's "./logcheck"
file; thus for instance any log message at all matching
"ATTACK" (listed in "/etc/logcheck/cracking.d/logcheck")
_always_ triggers an "Attack Alert", unless you deliberately
tamper with "cracking.ignore.d" rules.
Remember that package-specific "ignore" filters will _not_
override non-package-specific "flagging" patterns! Thus for
instance if "fooserver" outputs syslog messages like this:
"$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
then the standard keyword "reject" listed in the generic
"/etc/logcheck/violations.d/logcheck" file will trigger
frequent "Security Violation" reports. Putting a filtering
pattern in "/etc/logcheck/violations.ignore.d/fooserver"
won't help here! The solution is to use a file named in
the specially-privileged ./logcheck-<packagename> format:
"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
This can contain patterns provided by that particular
package which nonetheless need to take precedence over the
generic rules.
./local or ./local-<packagename>
Sysadmins can use the "local*" filenames to create their own
additions to the "logcheck*" pattern lists. If you have
"ippl" logging network connections verbosely into syslog
then you can put custom "Security Violations" keywords in
"/etc/logcheck/violations.d/local-ippl" and exceptions in
"/etc/logcheck/violations.ignore.d/local-ippl".
======================================================================
WRITING RULES
-------------
Be careful when editing local rule files; logcheck will preprocess
them to eliminate dangerous blanks (since "egrep '' syslog" matches
every line) and comment lines, but some attention is needed when
composing custom patterns to avoid excessively generous filtering.
The objective in logcheck rules is to match precisely the target log
messages and no more, using all the resources of Extended Regular
Expressions. If you're sick of reading log messages like this:
Apr 6 19:30:24 oempc wwwoffled[11763]: WWWOFFLE Online.
Apr 6 19:31:54 oempc wwwoffled[11763]: WWWOFFLE Offline.
...then the local ignore pattern you need is something like this:
^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$
The characters ".?*+[](){}^$|\" are "special" in extended-regexps,
so they need to be escaped if intended literally (like the final
stop in the example above). Be especially wary of unbalanced
brackets, which can choke egrep.
Local administrators can afford to be more specific than the package
maintainers who provide filters for "fooserver" etc. You can take
the locale for granted, saying "[a-zA-Z]" where package maintainers
should be using "[[:alpha:]]"; and you can write out things like
hostnames explicitly - hence "oempc" above, rather than the pattern
"[._[:alnum:]-]+".
Pass all rules files through "sort -u" to simplify maintenance, then
ensure they have a final end-of-line carriage return so that they
"cat" nicely. Since System Events aren't subdivided by package, it
makes no difference whether ignore.d.*/local rules are split up into
"local-x", "local-y" and "local-z" or merged into one "local" file;
use whatever's convenient.
Another safety-net is provided by the fact that the process that
collates all the applicable rules uses "run-parts", the standard
Debian utility also used for iterating through "/etc/cron.d",
"/etc/ppp/ip-up.d" etcetera. It therefore automatically ignores
files with names such as "fooserver.disabled" or "local~".
######################################################################
--
Ciao
Marco Innocenti
|