Monday, April 19, 2010

Grepping an Active Log File and Mailing Matches

Recently, I had a need to be alerted by email each and every time a certain user logged in. After a few false starts, I eventually settled on something like this (sanitized and simplified for this blog):
tail -n0 -f /var/log/secure | grep --line-buffered "user" | while IFS= read -r line; do echo "$line" | mail -s "Found" myemail@example.com; done
We use the standard "tail -f" to follow the /var/log/secure file. The "-n0" option tells tail to start 0 lines from the end of the file: we only care about new entries, so we begin at the very end and ignore everything already there. One caveat: "-f" follows the file that was open when tail started, so once logrotate rotates /var/log/secure the pipeline silently stops seeing new entries. For a long-running monitor, GNU tail's "-F" (equivalent to "--follow=name --retry") reopens the file by name after rotation.

Next, we pipe that to grep, looking for the username "user". The "--line-buffered" option forces grep to flush each line of output as soon as it is found (instead of waiting for its default buffer to fill, which with a slow-moving log could delay an alert by hours). Per the man page, this option can be a performance penalty, but that is not a concern at the volume of a login log. Note that a bare "user" pattern is a substring match: it would also fire on "superuser" or on a session opened "for user root" by someone else. Anchoring the pattern to the part of the sshd message you actually care about (for example "Accepted .* for user from") keeps the alerts to the logins you asked for.

Then, we pipe that to a while loop that reads one line at a time (reading with "IFS= read -r" keeps leading whitespace and backslashes in the log line intact). For each line, we generate an email with a subject of "Found" and the matching log entry as the body. Quoting "$line" when echoing it matters: an unquoted variable is subject to word splitting and glob expansion, so a log entry containing "*" could be expanded to a directory listing before it reaches mail.

This solution works quite nicely and can easily be extended in the following ways:
  • adding multiple grep criteria
  • modifying the format of the log entry to be emailed
  • changing the final action from email to something else (like extracting the source address from the entry and adding an iptables drop rule for it)
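The grep and while stages of the pipeline above, pulled out into shell functions so they can be run against a handful of constructed log lines rather than a live /var/log/secure. This is an added example, not the command from the original post; the function names (match_logins, alert_each, count_logins), the SAMPLE_LOG lines and the host/IP values in them are all made up for illustration.

```shell
#!/bin/sh
# Added example: the filter and per-line action of the tail|grep|while pipeline,
# as functions that read stdin. Helper names are hypothetical.

# Constructed sample lines in the style of /var/log/secure (not real log data).
SAMPLE_LOG='Apr 19 08:01:02 host sshd[1234]: Accepted password for user from 192.0.2.10 port 51022 ssh2
Apr 19 08:01:05 host sshd[1240]: Accepted publickey for superuser from 192.0.2.11 port 51030 ssh2
Apr 19 08:02:17 host sshd[1251]: Failed password for user from 198.51.100.7 port 40011 ssh2
Apr 19 08:03:44 host su: pam_unix(su:session): session opened for user root by user(uid=1000)
Apr 19 08:04:00 host sshd[1260]: Accepted password for user from 192.0.2.12 port 51044 ssh2'

# Pass through only successful sshd logins for exactly the account named in $1.
# Anchoring on "Accepted <method> for <user> from " avoids the substring problem
# of a bare grep "user", which would also match "superuser" and the su line.
# $1 is interpolated into a regex, so it must be a plain account name with no
# regex metacharacters.
match_logins() {
    user="$1"
    grep --line-buffered -E "sshd\[[0-9]+\]: Accepted [a-z]+ for ${user} from "
}

# The per-line action. IFS= read -r keeps whitespace and backslashes intact,
# and "$line" is quoted so a log entry cannot be word-split or glob-expanded.
# For the real alert, replace the printf with:
#     printf '%s\n' "$line" | mail -s "Found" myemail@example.com
alert_each() {
    while IFS= read -r line; do
        printf 'ALERT: %s\n' "$line"
    done
}

# Count how many sample lines would have triggered an alert for account $1.
count_logins() {
    printf '%s\n' "$SAMPLE_LOG" | match_logins "$1" | wc -l | tr -d ' '
}

# Live use, equivalent to the original one-liner (kept as a comment so the
# file can be sourced without starting a tail):
#     tail -n0 -F /var/log/secure | match_logins user | alert_each
```

Running count_logins against the sample data gives 2 for "user", 1 for "superuser" and 0 for "root": the failed password attempt and the su session are not counted, and "user" no longer matches "superuser". The matching lines come out of alert_each exactly as they appeared in the log, which is what you want in the mail body.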
Enjoy!

Thursday, April 8, 2010

Keep All Your Windows Software Updated with Secunia PSI

These days, it's imperative to keep all your software updated. Not only is it extremely important to update your Microsoft software, but all third-party software must be kept updated as well (Adobe Reader and Flash, for example). You could open each application and look for its "Check for Updates" menu entry, but this is time consuming, and it also misses software. For example, you may have multiple installations of the Java JRE on your system in different locations: many Java applications bundle their own JRE in their own directory and never update it, so the "Check for Updates" in your main Java install tells you nothing about them.

What to do?

Secunia PSI (Personal Software Inspector) scans all files on your Windows system and, using Secunia's database of fingerprints, is able to determine the software versions installed on your system (including the multiple installations of Java in the example above). It then makes recommendations for any vulnerable software, including links to download the patched version of the software or to uninstall the program. I recommend switching from the default "simple" interface to the "advanced" interface to see all vulnerabilities on your system.

I've been using Secunia PSI on my personal systems for a few months now. It has saved me a lot of time in trying to keep track of all the different software versions on my systems. It also comes in quite handy when performing tech support for relatives--just install Secunia PSI and let it tell you what exactly needs to be updated.

Secunia PSI is free for personal use and I wholeheartedly recommend you try it today and see what vulnerabilities it finds on your system.
