for rpmlist in `rpm -qa | sort`
echo " __ $rpmlist __"
rpm -V $rpmlist
done > /tmp/123.out
cat /tmp/123.out | mail -s "RPM Check `date +%T %A %d.%m.%Y`" email@example.com
This shell script basically makes a list of RPM files on your system, sorts them in an easily viewable format and verifies them to see what has changed. After that it mails the whole list to the administrative mailbox. Everything can of course be re-configured to suite your needs the best.
This is the snapshop of one of the e-mails sent as the result of this shell script:
Also it would be suitable to add this script in CRON, so you can receive a daily snapshot of the RPM's on your system. In this exaple is starts every day at 10 am.
[admin@pilatus]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.1759 installed on Tue Apr 16 16:06:48 2002)
00 10 * * * /usr/local/etc/rpmcheck.sh
Checking the logs
Usually you should periodically check the logs on your system. All the vital things about the current status of your system can be seen from the logs. While manually checking all the files takes some time, and time is precious, there are a few tools that help you automate the process of checking your system logs.
I like to use LogSentry, a freeware product by Psionic Technologies.
As can be seen from the product description: "LogSentry automatically monitors your system logs and mails security violations to you on a periodic basis. It is based on a program that ships with the TIS Gauntlet firewall but has been improved upon in many ways to make it work nicely for normal system auditing."
Setting up your copy of logcheck.sh is very easy, these are some of the main sections that must be edited:
As the purpose of LogSentry is to send you e-mail alerts of things happening on your system, you should point out your mailbox.
Full path to logtail program is usually in /usr/local/bin. Logtail is custom executable that remembers the last position of a text file. This program is used by logcheck to parse out information from the last time the log was opened, this prevents reviewing old material twice.
This should be non public writable /tmp directory which prevents race condition and potential symlink problems.
LogCheck should also be added to CRON, so it can check the logs in desired time formats. I prefer every 30 minutes.
A few examples of LogCheck reports:
May 13 23:58:32 pilus sshd: Bad protocol version identification '' from 22.214.171.124
May 10 01:51:20 pilus su(pam_unix): authentication failure; logname=spartacus uid=502 euid=0 tty= ruser= rhost= user=root