Huntsville Macintosh Users Group
Configuring Logcheck Configuring Logcheck
BSD | Darwin | How Tos | Linux | man Pages | UNIX/Security News | Site Index
by Marius Schamschula

Since Mac OS X is derived from BSD UNIX it can be configured to provide any number of network services. Each of these services is bound to a particular port. "Crackers" will attempt to probe your computer to find "open" ports. One way to prevent this is by enabling tcpwrappers. This will block attempts to gain information and then entry to your computer. Wouldn't it be nice to know that your machine has been attacked?

Enter logcheck

logcheck is a set of routines that will automatically scan your log files and notify you of any unusual activity.

Step 1: Configure log files

The logs are located in the /var/log (really /private/var/log) directory. The Terminal (in the /Applications/Utilities folder) type: (the $ denotes the user prompt, clicking on a command will open a window with the man page)

$ cd /var/log

You are now in the log directory. We need to secure the log files. Only the superuser (root) should have access. Then type:

$ sudo chmod 600 *.log*

The computer will prompt you for your password:

Password:

Type in your regular password.

Step 2: Fix cron scripts

We now need to insure that the log permissions remain the same. The log files are rotated on a regular basis. We need to change to the /etc directory.

$ cd /etc

We now need to edit the daily, weekly and monthly files. TextEdit will not let us edit system files. Thus we need to use a command line editor pico is a good choice:

$ sudo pico daily
Password:

Under the section "Rotating log files" there is a line

touch "${i}" && chmod 640 "${i}

We need to change the 640 to 600. Do the same for weekly and monthly.

Step 3: Install logcheck

Download logcheck. cd to the download directory. Then unpack the gziped tarball:

$ tar zxf logcheck-1.2.3-osx.tar.gz

Now change directory:

$ cd logcheck-1.2.3-osx

and install

$ sudo ./install.sh
Password:

Step 4: Configure /etc/crontab

We need to add the following line to the /etc/crontab file (cron runs programs on a regular schedule, in this case every hour, on the hour).

00 * * * * root sh /usr/local/etc/logcheck.sh

It is a good idea first to back up the file:

$ sudo cp /etc/crontab /etc/crontab.bu

You can use $ sudo pico /etc/crontab to do the editing. If you have not modified the original crontab file you can also copy ($ sudo cp crontab /etc/crontab) the crontab included with logcheck.

Step 5: Restart cron

We now have to restart the cron daemon. First we need to find the process id for cron:

$ ps aux | grep cron

This will produce two lines of output. One will end in grep cron, the other in cron. The number in the second column of the line ending in cron is the process id. We now can send a command to restart the cron daemon:

$ sudo kill -HUP id#
Password:

Where id# is the number we got from the ps command.

Step 6: Enable a Mailserver

logcheck needs to notify you of its findings. This requires a mail delivery mechanism. Fortunately Mac OS X comes with Postfix preinstalled. You will need to to enable this feature. See How to Configure the Postfix Mailserver for details.

Step 7: Reading the results

Out of the box, Mac OS X, not unlike other UNIX systems, lacks a way to retrieve e-mail from the server. postfix does not provide this functionality. E-mail is retrieved via the pop3 or imap protocols. The University of Washington pine package provides all we need to read the output from logcheck. Follow the instructions in the README.MacOS_X after unpacking the package as above. pine provides a mail reader that can read local mail without pop3 or imap.

Version 1.3.0 - 20070302
User Group Logo