I have gotten so many good tips from this site, I am grateful to post something back for the community. After a recent post regarding a compromised OS X box, it became painfully clear that having some forensic evidence of how your computer was compromised is very important. If your rig is broken into and someone gets root access, a quick rm -rf / could ruin your day, as well as erase all traces of how the bad guys broke in. You might be able to reinstall everything from good backups, but what about the original vulnerability?
One common technique to keep logs safe is to use a centralized logging system where each computer sends its logs to a separate, hardened computer for safer storage. I have no second computer, so I decided to burn my logs periodically to CD (via incremental burns, to get the most out of each CD), and use the read-only aspect of the medium to keep them safe.
Here is how I did it:
#!/bin/sh
#
# Back up logs to a CD incrementally. Saves as 'log n' in reverse order,
# renaming each as a higher increment and laying down a new file 'log'
# How the hell does it do this?
#
# May as well use a timestamp for our temp file. It lives in a private temp
# directory because /tmp is world-writable and a predictable name there can
# be pre-created or symlinked by another local user.
stamp=$(date +%y%m%d-%H%M%S)
tmpdir=$(mktemp -d /tmp/logburn.XXXXXX) || exit 1
image="$tmpdir/Log_$stamp.dmg"
# Create the image of /var/log; bail out if that fails rather than burning nothing.
hdiutil create -quiet -srcfolder /var/log/ "$image" || { rm -rf "$tmpdir"; exit 1; }
# Wait for it...?
sleep 5
# Now burn the image (-noeject keeps the disc in so it can remount for the report)
hdiutil burn -quiet "$image" -noeject || { rm -rf "$tmpdir"; exit 1; }
# Clean up after yourself
rm -rf "$tmpdir"
# Let the drive mount. 15 works for me, but yours may be different.
sleep 25
# Report back to cron how much space is used.
used=$(du -ch /Volumes/log* | grep -i Total)
echo "$used used on log Backup CD"
Fire this puppy off from root's crontab nightly (or however often you feel you need to). You will receive an email telling you how much space you have used, so you can make sure you put a new blank in when the first one gets too full.
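The script above burns whatever is in /var/log and reports only how full the disc is, so a bad burn, or a rotated log that is quietly rewritten on disk later, goes unnoticed. Here is an added example (my own, not part of the hint) of a POSIX shell manifest: run make_manifest against /var/log before the burn, burn its output alongside the logs, then run verify_manifest against the mounted disc, and on later nights against the rotated logs still on disk. The function names and the hashing-tool fallback are my assumptions; source and destination directories in the comments are illustrative.

```shell
#!/bin/sh
# Integrity manifest for a burned log archive (added example, not from the hint).
# Record a checksum of every file under the source tree before the burn, keep the
# manifest on the read-only disc, and compare later copies against it.

# Pick a hashing tool: sha256sum (Linux), shasum (macOS), cksum as a last resort.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1   # CRC only: catches corruption, not tampering
    fi
}

# make_manifest DIR: prints "<hash>  <relative path>" for every regular file,
# sorted so two manifests of identical trees compare byte for byte.
# Example: make_manifest /var/log > /var/log/MANIFEST before the burn.
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# verify_manifest DIR MANIFEST: returns 0 if every listed file exists in DIR
# with the same hash, 1 otherwise; missing or modified files go to stderr.
# Example: verify_manifest /Volumes/log /Volumes/log/MANIFEST after the mount.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while IFS= read -r line; do
        want=${line%%  *}; f=${line#*  }
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $f" >&2; rc=1
        elif [ "$(hash_file "$dir/$f")" != "$want" ]; then
            echo "MODIFIED $f" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}
```

A manifest made after the box is already rooted proves nothing about the logs' history; its value is that the copy on the disc cannot be changed afterwards, so any later disagreement points at the disk copy.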
Mac OS X Hints
http://hints.macworld.com/article.php?story=2004100119364513