Link:
http://www.macosxtips.co.uk/geeklets/system/scurity-log-parse-aka-attack-tripwire/
-----
This is something I have been playing with on my Mac hosts just to keep an eye on the event logs that no one reads. You will need to install GeekTool from the App Store (it's free):
http://itunes.apple.com/us/app/geektool/id456877552?mt=12
----
Security Log Parse (aka Attack Tripwire)
Just add the following command as a shell Geeklet:
echo "Who is online:" ; who ; echo ''; echo 'Active Screen Sessions:'; screen -wls | awk -F 'in' '{print $1}'; echo ''; echo 'Failed Authentication:' ; grep 'Failed to authenticate user' /var/log/secure.log| awk -F ':' '{print $1":"$2""$4}' | awk -F '(' '{print $1}' | sort | uniq -c; grep 'authentication error' /var/log/secure.log| awk -F ':' '{print $1":"$2$6}' | sed 's/authentication error for //g' | sort | uniq -c
Or, if you're getting a lot, you can trim it to only alerts from the current month:
echo "Who is online:" ; who ; echo ''; echo 'Active Screen Sessions:'; screen -wls | awk -F 'in' '{print $1}'; echo ''; echo 'Failed Authentication:'; i=$(date +"%b"); grep 'Failed to authenticate user' /var/log/secure.log| awk -F ':' '{print $1":"$2""$4}' | awk -F '(' '{print $1}' | sort | uniq -c | grep "$i"; grep 'authentication error' /var/log/secure.log| awk -F ':' '{print $1":"$2$6}' | sed 's/authentication error for //g' | sort | uniq -c | grep "$i"
This little script is good in cafes, offices, etc. to see if someone is trying to log into your computer and what address they are coming from. It also lists the active sessions on your machine.
*Note: The formatting of the awk may need to be adjusted if you're not using Lion.
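An added example, not part of the original post: the same failed-login summary as a reusable shell function, with the month filter applied to the timestamp field before counting, so a user name that happens to contain the month abbreviation is not matched by mistake. The function names and the sample log lines are constructed for illustration and assume the secure.log layout the one-liners above rely on.

```shell
#!/bin/sh
# Added example, not the original post's code.
# Usage: failed_auth_summary LOGFILE [MONTH]   (MONTH like "Mar"; omit for all months)
failed_auth_summary() {
    log=$1
    month=${2:-}
    if [ ! -r "$log" ]; then
        echo "failed_auth_summary: cannot read $log" >&2
        return 1
    fi
    awk -v m="$month" '
        BEGIN {
            p1 = "Failed to authenticate user "
            p2 = "authentication error for "
        }
        # Month filter: compare the timestamp field itself, before counting.
        m != "" && $1 != m { next }
        {
            detail = ""
            if ((i = index($0, p1)) > 0) {
                detail = substr($0, i + length(p1))
                sub(/ *\(.*/, "", detail)      # drop the trailing "(...)" part
            } else if ((i = index($0, p2)) > 0) {
                detail = substr($0, i + length(p2))
            }
            if (detail == "") next
            # Key: month, day, HH:MM and the user (plus source, if logged).
            seen[$1 " " $2 " " substr($3, 1, 5) " " detail]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$log" | sort -k2
}

# Constructed sample lines (not captured from a real machine); hypothetical helper.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 27 09:15:02 mac sshd[311]: error: PAM: authentication error for Marvin from 192.0.2.7
Mar  3 12:34:10 mac sshd[402]: error: PAM: authentication error for admin from 198.51.100.23
Mar  3 12:34:41 mac sshd[402]: error: PAM: authentication error for admin from 198.51.100.23
Mar  3 18:02:55 mac SecurityAgent[77]: Failed to authenticate user jsn (reason: sample).
Mar  3 18:03:01 mac sshd[410]: Accepted publickey for jsn from 198.51.100.9
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
failed_auth_summary "$sample" Mar
rm -f "$sample"
```

In a Geeklet, call it as failed_auth_summary /var/log/secure.log "$(date +%b)" after the function definition.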
Anyway just a fun little idea I had when I was sitting around today - enjoy and cheers
JSN