Good sarc monitoring tip
Sarc is still in their month of security tips per day and todays is another good one. Todays tip is about monitoring machines, particularly those that “defend” your network. (Mail antivirus scanners/ proxy fitlers/scanners/etc.) The core of the advice is to not just ping – that only tells you if the system exists and is online – it doesn’t tell if things are working. They suggest scripting tests (antivirus scanner can be tested via the EICAR test signature for instance.) They note that doesn’t tell if the av scanner is updated (I prefer a crontab output of the days updates – looks like there were around 9 clamav signature updates yesterday.
I know, some of you are thinking, but I don’t want that much mail everyday. If you’re using a linux based system for monitoring you can script things in a number of ways. You can have the monitoring continually running and not contact you unless there’s a problem. (I have a tendency to use temporary files to hold the status of a service and then compare current results of a check to the last (in the temporary file) if the status has changed it will let me know, if all is the same I won’t be pestered by continual messages.) The only problem with this approach is if you start tuning out the messages because they’re too frequent. (That’s why it’s useful to improve your scripts to only notify you of changes.)