[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Little log advice needed

Good day everyone

In my battles to centralize my PF and other logs with a secure means I
have decided to dump syslog because well, it couldn't handle the data
loads without dropping data and I can't be loosing logs.

I also don't want to install 3rd party software on my systems where
possible as I want them to do only what is needed while limiting risks

This being said, I have taken a little differnt approach and could use
some advice so here goes.

I created a file that has the following info and made it executable to
root and the wheel group and no access to everyone. This file sits in
/usr/local/bin with the name logkick

# this file is used to roll over the PFLog file to a new file so that
# it can be transfered to the Corporate log server every hour
DATE=$(date +%d%m%y%H)
sudo mv /var/log/pflog /var/log/pflog-$DATE$HOSTNM
chmod 660 /var/log/pflog-$DATE$HOSTNM
touch /var/log/pflog
sudo kill -HUP `cat /var/run/pflogd.pid`

I have created an account on my firewalls and logging system which is in
the sudoers file with ability to do all with nopassword being prompted
for (probably risky but this is why I'm asking for feedback). This user
is also part of the wheel group

On, my logging system, I created a script in the users home folder called
loggrab. this is mod 700

ssh USERNAME_(_at_)_FWIP /usr/local/bin/./logkick
scp USERNAME_(_at_)_FWIP:/var/log/pflog-* /home/USERNAME/
ssh USERNAME_(_at_)_FWIP rm /var/log/pflog-*

I have created a public/private key pair as to make sure the ssh and scp
connections can happen securely and without password prompts.

This is as far as I have gotten thus far, but I do plan to add an hourly
cron job to run this script

Can you offer me advice on my risk levels for this.. I am using a crazy
30 character length password with symbols, caps, numbers etc so I think
the account is pretty safe. I think the risk here would be if someone
hacked this account, they could do anything on my systems, but with a
long password like this I think it would be a little tough to
accomplish. I am also looking at shutting down SSH unless you tunnel in
first and then you can SSH to the server via the internal IP.

Anyhow, any suggestions on this would be great as I want to make sure the
risks associated with the sudoers process is not to risky and if there
is a better way I could do this as in limiting exactly what someone
using sudo can do as they only have to HUP the pflogd process as thats
the only thing I couldn't get working until I took that step.

thanks again