Store logs in safe location

Oct 06, '04 09:47:00AM

Contributed by: derekhed

I have gotten so many good tips from this site, I am grateful to post something back for the community. After a recent post regarding a compromised OS X box, it became painfully clear that having some forensic evidence of how your computer was compromised is very important. If your rig is broken into and someone gets root access, a quick rm -rf / could ruin your day, as well as erase all traces of how the bad guys broke in. You might be able to reinstall everything from good backups, but what about the original vulnerability?

One common technique to keep logs safe is to use a centralized logging system where each computer sends its logs to a separate, hardened computer for safer storage. I have no second computer, so I decided to burn my logs periodically to CD (via incremental burns, to get the most out of each CD), and use the read-only aspect of the medium to keep them safe.

Here is how I did it:

  1. Create the script below and make it executable.
  2. Put a blank CD in your drive and have your Finder 'ignore' it.
  3. Add an entry to your root crontab to fire off the script.
  4. Check your email to make sure the disc won't be full the next time the script runs.

#!/bin/sh
#
# Back up logs to a CD incrementally. Saves as 'log n' in reverse order,
# renaming each as a higher increment and laying down a new file 'log'
# How the hell does it do this?
#
# Stop at the first failure so cron mails the error instead of burning a
# missing image or reporting on a disc that never mounted.
set -e

# May as well use a timestamp for our temp file.
stamp=`date +%y%m%d-%H%M%S`
image="/tmp/Log_$stamp.dmg"

# Create the image
hdiutil create -quiet -srcfolder /var/log/ "$image"

# Wait for it...?
sleep 5

# Now burn the image
hdiutil burn -quiet "$image" -noeject

# Clean up after yourself
rm "$image"

# Let the drive mount. The delay below works for me, but yours may be different.
sleep 25

# Report back to cron how much space is used on the disc.
used=`du -ch /Volumes/log* | grep -i Total`
echo "$used used on log Backup CD"

Fire this puppy off from root's crontab nightly (or however often you feel you need to). You will receive an email telling you how much space you have used, so you can make sure you put a new blank in when the first one gets too full.

Caveats: I am no shell expert, and I'm sure this could be tidied up. I also have not tested what happens when your CD is full, but since we are working with copies of the logs, you won't suffer any catastrophic loss.
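Two things the hint's script does not do are check that the next snapshot will still fit on the disc and give you a way to prove later that a burned copy matches what was in /var/log at burn time. The following is an added example, not the hint's own script: it assumes a 650 MB CD and that either sha256sum or shasum is installed, and the sample log lines used in testing are constructed.

```shell
#!/bin/sh
# Added example, not the hint's own script: a pre-burn capacity check plus a
# SHA-256 manifest so a burned log snapshot can later be verified file by file.
# Assumed: a 650 MB CD (in 1K blocks) and either sha256sum or shasum on the box.
CD_CAPACITY_KB=665600

# Pick whichever SHA-256 tool is present; macOS ships shasum, Linux sha256sum.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"
  elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
  else return 1; fi
}

# Size of a directory tree in 1K blocks.
tree_kb() {
  du -sk "$1" | cut -f1
}

# Succeed only if the tree in $1 still fits beside the $2 KB already on the CD.
fits_on_cd() {
  need=$(tree_kb "$1") || return 1
  [ $((need + $2)) -le "$CD_CAPACITY_KB" ]
}

# Write "hash  ./path" lines for every regular file under $1 into $2.
# Point $2 outside $1 so the manifest does not end up hashing itself.
make_manifest() {
  tool=$(sha256_tool) || return 1
  ( cd "$1" && find . -type f | sort | while read -r f; do $tool "$f"; done ) > "$2"
}

# Succeed only if every file listed in manifest $2 still matches under $1
# (a missing, truncated or appended-to file makes the check fail).
verify_manifest() {
  manifest=$2
  case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
  tool=$(sha256_tool) || return 1
  ( cd "$1" && $tool -c "$manifest" >/dev/null 2>&1 )
}
```

Stage a copy of /var/log as /tmp/stage/log, write the manifest to /tmp/stage/log.sha256, and pass /tmp/stage to hdiutil create -srcfolder so both land on the disc; after mounting, verify_manifest against the burned copy tells you whether it is intact.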


Mac OS X Hints
http://hints.macworld.com/article.php?story=2004100119364513