
Monitor your system for threats with rsec alerts

Vincent Danen gives an overview of the monitoring and reporting tool rsec, which can help you keep a close eye on your system's security without having to pore over log files.

Mandriva has long had their security tool called msec. Love it or hate it, it has been an integral part of all Mandriva Linux versions for years. While many people liked using it, an equal number hated it because it was difficult to configure, and it did things behind your back. For instance, if you tried to tighten system permissions but did not update the msec security level, it would relax those permissions on its next run without any indication whatsoever.

Granted, it has gotten better in the last few months, but what is most interesting about msec, in my opinion, is the reports. Msec generates daily reports on what is happening on the system: ports that are open, ports that changed state (open or closed), unowned files, world-writable files, files owned by users that shouldn't own them, checks on suid files, and more. These reports are relatively small and are executed daily, so it is a simple thing to look at quickly in the morning to determine if anything has changed.

In light of that, rsec was forked from msec with everything except the reporting capabilities stripped out. Rsec was first introduced in the Annvix distribution and is available for any Linux system; packages for CentOS and Red Hat Enterprise Linux are available from the Annvix RHEL YUM Repository.

When you install the rsec package, it creates the /etc/security/rsec.conf configuration file where you can enable and disable any checks that you want. The file is heavily commented so configuration is simple. Rsec can also use rkhunter (scans for rootkits) in its reporting by enabling the CHECK_RKHUNTER test; this runs rkhunter and includes its output in the reports.

Rsec will log its activity to /var/log/security.log so you can opt to not receive emails; it can also print warnings to any tty that root is logged into.

Using a combination of AIDE (intrusion detection), rsec, and rkhunter, you get a good heads-up if anything changes on your system without having to manually scrutinize log files. There is also a configuration option to exclude files from the various reports, so you can ensure you only see things that are of importance.

For instance, because rsec will report on world-writable files, you may have files in your Web directories that need to be world-writable (for example, files owned by a regular user where Apache nevertheless needs write access to certain directories for a Web application). You can exclude those known world-writable files and directories using the EXCLUDE_REGEXP option in rsec.conf, which is an escaped regular expression, such as:

EXCLUDE_REGEXP="^/srv/www/\(myblog\|otherblog\)/html/wp-content/\(f\)\?uploads\|^/srv/www/wiki/html/mediawiki_cache"
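As an added example that is not part of this tip or of the rsec package, the following shell script sketches how a world-writable check filtered by an EXCLUDE_REGEXP of the form shown above works; the directory tree it scans is constructed in a temporary directory, and the paths in it are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the rsec package: a minimal version of the
# world-writable check, filtered through an rsec.conf-style EXCLUDE_REGEXP.

# Escaped (basic) regular expression in the same form as rsec.conf uses.
# Note that \| and \? in basic syntax are GNU grep extensions.
EXCLUDE_REGEXP="^/srv/www/\(myblog\|otherblog\)/html/wp-content/\(f\)\?uploads\|^/srv/www/wiki/html/mediawiki_cache"

# List world-writable files and directories below $1, drop the $1 prefix so
# paths look as they would on a real system, then apply the exclude list.
# Symlinks are skipped: their mode is always 777 and is not meaningful.
world_writable_report() {
    root="$1"
    find "$root" -perm -0002 ! -type l 2>/dev/null \
        | sed "s|^$root||" \
        | grep -v "$EXCLUDE_REGEXP" \
        | sort
}

# Build a constructed directory tree (paths are hypothetical) so the check
# can be exercised offline without touching the real filesystem.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/srv/www/myblog/html/wp-content/uploads" \
             "$root/srv/www/otherblog/html/wp-content/fuploads" \
             "$root/srv/www/wiki/html/mediawiki_cache" \
             "$root/srv/www/myblog/html/wp-content/plugins" \
             "$root/home/alice"
    # The upload and cache directories match the exclude regexp and vanish
    # from the report; the plugins directory and the user's file remain.
    chmod o+w "$root/srv/www/myblog/html/wp-content/uploads" \
              "$root/srv/www/otherblog/html/wp-content/fuploads" \
              "$root/srv/www/wiki/html/mediawiki_cache" \
              "$root/srv/www/myblog/html/wp-content/plugins"
    touch "$root/home/alice/notes.txt"
    chmod 666 "$root/home/alice/notes.txt"
}

# Demonstration run against the constructed tree in a temporary directory.
sample=$(mktemp -d)
make_sample_tree "$sample"
world_writable_report "$sample"
rm -rf "$sample"
```

In a real deployment the find would start at / and the output would be mailed or appended to /var/log/security.log by cron, as the tip describes.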

Rsec is nothing more than a collection of shell scripts executed by cron on a daily basis. Beyond general reporting, it can also update yum caches and urpmi or apt metadata to alert you daily if there are new packages that require installing.


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
