Log File Management and Intrusion Detection (Solaris ISP Server 2.0 Administration Guide)

Solaris ISP Server 2.0 Administration Guide

Log File Management and Intrusion Detection

The host configuration software includes a resident daemon, hclfmd, that performs log file management. This daemon runs as root. It starts at boot time and performs the following functions:

It parses the list of log files in /etc/syslog.conf for file paths that do not start with /dev (files associated with system devices) and performs a cleanup, journal, and cycle pass every day.

For every log file written by syslogd, it performs the following functions:
- It renames the existing log file and creates a new daily log.
- It sends the restart signal (-HUP) to the syslog daemon to create a new daily log.
- It generates a weekly archive by compressing daily log files every week and stores it as name.YYYYMMDD-YYYYMMDD.tar.Z.
- It discards weekly archives that are more than a month old.
It obtains the location of audit logs from /etc/security/audit_control and performs a cleanup, journal, and cycle pass every day.

It performs the following functions for every locally mounted audit directory:
- It executes audit -n to create a new daily log. This signals the audit directory to close the current audit file and open a new audit file in the current audit directory.
- It generates a weekly archive by compressing daily log files every week and stores it as audit.YYYYMMDD-YYYYMMDD.tar.Z.
- It discards weekly archives that are more than a month old.
It performs an intrusion detection check on the interval set by the user. For details, see hclfmd(4).
- It detects and reports every failed authorization entry in syslog files.
- By default, /etc/opt/SUNWisp/hc/hclfmd.conf is configured to send mail to root for every failed authorization attempt entered in syslog.
  
  Note -
  You can reconfigure this file. By default, it is configured as follows: /var/log/badauth:/usr/bin/mailx -s "%f" root < %c where:
  - /var/log/badauth is the file where the entries are made.
  - /usr/bin/mailx -s is the command to send mail to root.
  - "%f" is the subject-line of the mail, containing the name of the file where the entries were detected.
  - "%c" is the new content of the syslog file.