sshでのログインを一律監査する。
起動スクリプトなどは下記を参考にさせてもらった
link
必要物のインストール
sudo yum --enablerepo=epel -y install swatch sudo yum --enablerepo=epel install perl-File-Tail
/etc/swatch/secure.conf の 作成
# logfile /var/log/secure # ログイン成功 # Accepted password for yamagyu from xxx.xxx.xxx.xxx watchfor /Accepted/ [email protected],subject=ssh_accepted # 登録していないユーザー # Invalid user hoge from xxx.xxx.xxx.xxx watchfor /Invalid/ [email protected],subject=ssh_invalid # パスワード間違い # Failed password for yamagyu from xxx.xxx.xxx.xxx watchfor /Failed/ [email protected],subject=ssh_failed
/etc/rc.d/init.d/swatch の作成
#!/bin/bash # # swatch # # chkconfig: 2345 90 35 # description: swatch start/stop script # Source function library. . /etc/rc.d/init.d/functions PATH=/sbin:/usr/local/bin:/bin:/usr/bin mkdir -p /var/log/swatch start() { # Start daemons. ls /var/run/swatch_*.pid > /dev/null 2>&1 if [ $? -ne 0 ]; then echo -n "Starting swatch" pno=0 for conf in /etc/swatch/*.conf do pno=`expr $pno + 1` WATCHLOG=`grep "^# logfile" $conf | awk '{ print $3 }'` swatch --config-file $conf --tail-file $WATCHLOG \ --script-dir=/tmp --awk-field-syntax --use-cpan-file-tail --daemon \ --pid-file /var/run/swatch_$pno.pid \ >> /var/log/swatch/swatch.log 2>&1 RETVAL=$? [ $RETVAL != 0 ] && return $RETVAL done echo [ $RETVAL = 0 ] && touch /var/lock/subsys/swatch return $RETVAL else echo "swatch is already started" fi } stop() { # Stop daemons. ls /var/run/swatch_*.pid > /dev/null 2>&1 if [ $? -eq 0 ]; then echo -n "Shutting down swatch" for pid in /var/run/swatch_*.pid do kill $(cat $pid) rm -f $pid done echo rm -f /var/lock/subsys/swatch /tmp/.swatch_script.* else echo "swatch is not running" fi } status() { ls /var/run/swatch_*.pid > /dev/null 2>&1 if [ $? -eq 0 ]; then echo -n "swatch (pid" for pid in /var/run/swatch_*.pid do echo -n " `cat $pid`" done echo ") is running..." else echo "swatch is stopped" fi } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; status) status ;; *) echo "Usage: swatch {start|stop|restart|status}" exit 1 esac exit $RETVAL
自動起動設定
chkconfig --add swatch