

# Some patterns to ignore
# These rules are listed first, so they are tried before the watchfor
# rules below and a line that hits one of them produces no output at all.
# Patterns are Perl regexes (\d, $) against sshd-style "log:"/"fatal:"
# lines; most are end-anchored with $ so a longer line that merely starts
# the same way is still reported.
ignore = /log: Server listening on port \d+$/
ignore = /log: Connection from .* port \d+$/
ignore = /log: Generating new \d+ bit RSA key.$/
ignore = /log: RSA key generation complete.$/
ignore = /log: .* authentication for .* accepted.$/
ignore = /log: Closing connection to/
ignore = /fatal: Read error from remote host/
ignore = /fatal: Connection closed by remote/
# NOTE(review): the next rule discards a failed RSA authentication. Dropping
# it silently hides repeated key-guessing against this host; consider a
# watchfor with a threshold on this message instead of ignoring it outright.
ignore = /log: Wrong response to RSA authentication challenge./
ignore = /fatal: Read from socket failed: Connection timed out./

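# Highlight root logins we expect.
# The dots are escaped and the pattern is end-anchored: an unescaped '.'
# matches any character, and an open-ended pattern lets a peer named
# "trusted.example.com.<anything>" pass as trusted. The host name in this
# line is presumably whatever sshd reports for the peer (its reverse DNS),
# which the remote side can influence, so it must match exactly.
# The $ anchor assumes the line ends with the host name, like the
# $-anchored ignore rules above; if it does not, this rule stops matching
# and the login falls through to the alert rule below (noisy, not silent).
# Keep this rule ahead of the generic ROOT LOGIN rule.
watchfor = /log: ROOT LOGIN as 'root' from trusted\.example\.com$/
	echo magenta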

# Warn big time for root logins we aren't expecting.
# Reached only for ROOT LOGIN lines the trusted-host rule above did not
# claim, so it must stay after that rule. Actions: highlighted echo, two
# bells, mail to root and reegen, write to both terminals, then page.
# NOTE(review): in the exec action, $0 stands for the whole matched log
# line, which includes the peer host name sshd reports -- data the remote
# side influences. If swatch hands the command to a shell, metacharacters
# in that name reach the command line of page_admins. Prefer passing a
# fixed message (or nothing) and let page_admins fetch the detail from a
# source it trusts, or confirm that neither swatch nor page_admins ever
# shell-interprets the argument.
watchfor = /log: ROOT LOGIN/
	echo magenta_h
	bell 2
	mail root@localhost:reegen@localhost,subject=ROOT LOGIN ALERT
	write root:reegen
	exec /opt/bin/page_admins $0

# Forward/reverse mapping errors: sshd's message when the peer's reverse
# DNS does not map back to its address. Shown in red, no paging.
watchfor = /POSSIBLE BREAKIN ATTEMPT!/
	echo red

# Any remaining "fatal:" line. The routine disconnect-type fatals are
# already dropped by the ignore rules above, so only unusual ones reach
# here.
watchfor = /fatal:/
	echo blue

# Make sure anything we don't explicitly ignore is logged in
# unobtrusive green. As we find new things that are important
# we'll make more rules for them.
# This catch-all must remain the last rule: anything placed after it
# would never be reached.
watchfor = /.*/
	echo green