Monitor your system for threats with rsec alerts
This week’s TechMail is Monitor your system for threats with rsec alerts, which discusses the rsec tool I forked from Mandriva’s msec years ago (for Annvix). It has been updated and is available for Red Hat Enterprise Linux 5 (and CentOS 5), as I think it is still a pretty good tool that complements things like logwatch quite nicely. rsec essentially reports on various bits of your system: it lets you know if there are changes to suid/sgid files, points out unowned files, reports changes to firewall rules, indicates if there are new packages to install or changes to listening services, and so on. Basically it took all the best bits of msec (the reporting) and got rid of all the crappy bits (the parts that change things).
I have heard that msec is now much better, but I have not had a chance to try it, although I do try to keep up with the changes to msec related to reporting and fold those back into rsec.
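The checks described above all follow one pattern: take a snapshot of some piece of system state, diff it against the snapshot from the previous run, and report only the additions and removals. The script below is an added example of that pattern written for this post; it is not rsec’s or msec’s own code. It assumes a state directory (the hypothetical `$STATE_DIR`, defaulting to /var/lib/state-diff) for the baselines and that it is invoked from cron as `state-diff.sh run`; the cron line in the comment is likewise an assumption.

```sh
#!/bin/sh
# Added example, not rsec's or msec's code: a minimal cron-style state diff
# of the kind rsec reports (setuid/setgid files, unowned files, listening
# services, firewall rules). The first run stores a baseline; later runs
# print only what changed, so an unexpected new setuid binary or listener
# shows up in the mail instead of being buried in a full listing.
# Assumptions (not from the page): baselines live in $STATE_DIR and the
# script is run from cron as "state-diff.sh run".

export LC_ALL=C                      # stable sort/comm collation across runs
STATE_DIR="${STATE_DIR:-/var/lib/state-diff}"

# diffcheck NAME FILE: compare FILE with the saved baseline NAME.prev.
# Prints added lines as "+" and removed lines as "-", then makes FILE the new
# baseline. Returns 0 = unchanged, 1 = changes found, 2 = baseline created.
diffcheck() {
    name=$1
    current=$2
    prev="$STATE_DIR/$name.prev"
    sort -u -o "$current" "$current"          # comm(1) needs sorted input
    if [ ! -f "$prev" ]; then
        cp "$current" "$prev"
        echo "[$name] baseline created with $(wc -l < "$prev" | tr -d ' ') entries"
        return 2
    fi
    added=$(comm -13 "$prev" "$current")      # lines only in the new snapshot
    removed=$(comm -23 "$prev" "$current")    # lines only in the baseline
    rc=0
    if [ -n "$added" ] || [ -n "$removed" ]; then
        rc=1
        echo "[$name] changes since last run:"
        printf '%s\n' "$added"   | sed '/^$/d; s/^/  + /'
        printf '%s\n' "$removed" | sed '/^$/d; s/^/  - /'
    fi
    cp "$current" "$prev"
    return $rc
}

# Snapshot collectors: one line per item. Each ends in a filter so the
# function's exit status is the filter's, not find's (find exits non-zero on
# unreadable directories when not run as root). -xdev limits the scan to the
# root filesystem; add other local mounts as needed.
snapshot_suid() {        # mode, owner and path of every setuid/setgid file
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null | sort
}
snapshot_unowned() {     # files whose uid/gid match no passwd/group entry
    find / -xdev \( -nouser -o -nogroup \) -printf '%u:%g %p\n' 2>/dev/null | sort
}
snapshot_listeners() {   # protocol and local address of each listening socket
    netstat -tuln 2>/dev/null | awk 'NR > 2 { print $1, $4 }'
}
snapshot_firewall() {    # iptables rules with the volatile packet counters stripped
    iptables-save 2>/dev/null | sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# run_checks: take every snapshot and report; returns 1 if anything changed.
run_checks() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$STATE_DIR"
    changed=0
    for check in suid unowned listeners firewall; do
        "snapshot_$check" > "$tmp/$check"
        diffcheck "$check" "$tmp/$check" || [ $? -eq 2 ] || changed=1
    done
    rm -rf "$tmp"
    return $changed
}

# Assumed cron entry:
#   0 4 * * * /usr/local/sbin/state-diff.sh run | mail -s "state-diff" root
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

The baseline is rotated on every run, so a change is reported exactly once; if you want a change to keep nagging until someone acknowledges it, keep a separate approved baseline and diff against that instead. Stripping the iptables-save counters matters because otherwise every run would report a “change” in rules that merely saw traffic.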
Eugeni
If you are interested only in the reporting capabilities of msec, take a look here:
http://dodonov.net/blog/2009/06/26/msec-updates/
All the source is still in Mandriva’s svn:
http://svn.mandriva.com/svn/soft/msec/trunk/cron-sh/
I guess some of its features could be quite interesting for rsec (like the unified Diffcheck function, logging, and so on). If you are interested, I would be more than willing to work with you on getting msec and rsec to use a common code base, or to share features.
To get into it quickly, take a look at scripts/02_network.sh for example – it is short and easy to understand (I hope).
Aug 26, 2009 @ 06:40:40
vdanen
Hmmm… we should do something like that. I tend to cherry-pick bits from msec to roll back into rsec, so the reporting capabilities of the latest rsec should be quite close to those in current msec. But merging/sharing that codebase could be useful too.
Aug 26, 2009 @ 09:04:46
tahlen
I am running fedora linux and I’ve been looking to test rsec but can’t find anywhere to download it. Might you point me to a download location? It does sound useful.
Aug 27, 2009 @ 16:44:24
vdanen
You can grab the source rpm from http://repo.annvix.org/media/EL5/SRPMS/ and rebuild it on Fedora. I haven’t tested whether or not it works on Fedora (it should, although the rpm spec might need some tweaking), but I actually planned to try it out this weekend (I don’t run Fedora on servers, and rsec might be a pain on a laptop, which is why I’ve never tried it).
Maybe this could be my first package maintainership for Fedora… hmmm….
Aug 28, 2009 @ 06:24:40