Attackers will try to remove their tracks by removing logs like /var/log/messages and /var/log/secure.
It would be pretty easy to check if certain logs exists and contain data.
I created a check for this myself like this (with $LOGFILES being a space separated list of important logs):
# Check all logfiles
for file in $LOGFILES; do
if [ ! -f $file ]; then
echo "CRITICAL: $file does NOT exists! Please check!"
[ -s $file ] || eval 'echo "WARNING: $file seems to be empty! Please check!"; ((pwarn++))' && echo "OK: $file exists and contains data."
It would be great if Rkhunter could do this check.
Log in to post a comment.