log system security events to twitter

Ok, so cdcarter’s server got compromised just recently. The attacker deleted a bunch of logs, so we don’t really know what went down. Whatever is written only to local disk is at the mercy of whoever gets root, so the interesting lines need to leave the box as they happen.

you have got to be kidding

No, I’m not. There’s a really nice twitter gem all ready to go. So, here’s the core of our app (plus the requires and the config load it needs to run on its own):

require 'rubygems'
require 'twitter'
require 'yaml'

config = YAML.load_file('/etc/twist.yml')
twit = Twitter::Base.new config[:user], config[:password]
tail = "tail -n 200 /var/log/auth.log | grep -v '(pam_unix)'" # optionally filter some events

while (sleep 1)
  if @last_msg
    msgs = `#{tail}`.split("\n")
    # only post the lines that follow the last one we already sent
    msgs = msgs[msgs.index(@last_msg)+1..-1] if msgs.include? @last_msg
    msgs.each { |n| twit.update n }
    @last_msg = msgs.last unless msgs.empty?
  else
    twit.update "Twist rebooted at #{Time.now}"
    @last_msg = `#{tail}`.split("\n").last # skip the existing history on startup
  end
end
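The loop above re-reads the last 200 lines every second and looks for the last line it sent with index, which returns the first match. If that line occurs earlier in the window as well (auth.log is full of repeated lines during a brute-force run), if more than 200 lines arrive in one second, or if the file is rotated, the window no longer lines up and lines get re-posted or replayed. The following is an added example, not the Twist code from the post: it tracks the byte offset and inode of the file instead, so identical lines are never confused and rotation or truncation is detected. The LogTailer class, the sample log lines and the demo method are all constructed here; the sink lambda stands in for twit.update.

```ruby
require 'tmpdir'

# Offset-based tailer (added example, not part of Twist). Remembers the byte
# offset and inode of the log so that repeated identical lines are never
# re-shipped and a rotated or truncated file is read from its beginning.
class LogTailer
  attr_reader :offset

  def initialize(path, filter: nil)
    @path = path
    @filter = filter   # Regexp of lines to drop, e.g. /\(pam_unix\)/
    @offset = 0
    @inode = nil
    @partial = ""      # unterminated last line carried to the next read
  end

  # Returns the complete, newline-terminated lines appended since the last
  # call. The first call only records the current end of file, so existing
  # history is skipped the same way Twist does at startup.
  def new_lines
    return [] unless File.exist?(@path)
    st = File.stat(@path)
    if @inode.nil?
      @inode = st.ino
      @offset = st.size
      return []
    end
    if st.ino != @inode || st.size < @offset
      # rotated (new inode at the same path) or truncated in place:
      # start over from the beginning of what is there now
      @inode = st.ino
      @offset = 0
      @partial = ""
    end
    chunk = File.open(@path, 'rb') { |f| f.seek(@offset); f.read }
    @offset += chunk.bytesize
    lines = (@partial + chunk).split("\n", -1)
    @partial = lines.pop || ""
    lines.reject { |l| @filter && l =~ @filter }
  end
end

# Constructed run: one append with a duplicate line and a filtered line,
# then a logrotate-style rename followed by a fresh file. Returns what
# the sink received.
def demo
  shipped = []
  sink = ->(msg) { shipped << msg }   # stands in for twit.update
  path = File.join(Dir.mktmpdir, 'auth.log')
  File.write(path, "Jan  1 00:00:01 host sshd[1]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2\n")
  tailer = LogTailer.new(path, filter: /\(pam_unix\)/)
  tailer.new_lines.each(&sink)          # first call: history skipped
  File.open(path, 'a') do |f|
    f.puts "Jan  1 00:00:02 host sshd[2]: Failed password for root from 203.0.113.7 port 40000 ssh2"
    f.puts "Jan  1 00:00:02 host sshd[2]: Failed password for root from 203.0.113.7 port 40000 ssh2"
    f.puts "Jan  1 00:00:03 host sshd[2]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root"
  end
  tailer.new_lines.each(&sink)          # two identical lines, both shipped once
  File.rename(path, path + '.1')        # logrotate moves the old file aside
  File.write(path, "Jan  1 00:00:04 host sshd[3]: Accepted password for bob from 10.0.0.6 port 5001 ssh2\n")
  tailer.new_lines.each(&sink)          # new inode: read from offset 0, no replay
  shipped
end

demo.each { |m| puts m } if __FILE__ == $0
```

A truncation that is immediately refilled past the old offset within one polling interval is the one case this cannot see; tracking the inode catches the common logrotate case, which is the one that matters for auth.log.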

twitter + system = twist

Check out the code from the Fauna repository:

svn co svn://rubyforge.org/var/svn/fauna/twist

Create a configuration file, /etc/twist.yml:

---
:sysuser: localuser
:user: twitteruser
:password: twittersecret

If the :sysuser is not root, you will have to make sure /var/log/auth.log as well as /etc/twist.yml are readable by the :sysuser. I recommend using a non-privileged :sysuser and adding it to a group that has permissions to read those two files (on Ubuntu, auth.log is already readable by the adm group). Since /etc/twist.yml holds your Twitter password, keep it readable by that group only, not by everyone.

Symlink twist.rb into /etc/init.d, set its permissions, and install it as a boot service (Ubuntu specific, your requirements may vary):

cd /etc/init.d/
sudo ln -s /home/you/twist/twist.rb twist.rb
sudo chown root twist.rb
sudo chgrp root twist.rb
sudo /usr/sbin/update-rc.d twist.rb defaults

Run /etc/init.d/twist.rb start to start it immediately.

but this isn’t secure!

It’s only insecure if you leave your twitterings set to public, since you can use the friend system as a privacy control: protect the server user’s updates and only the followers you approve can read them. Bear in mind that everything in auth.log (usernames, source addresses, failed logins) is being handed to a third party, so that setting is not optional. Also, it is certainly possible for an attacker with root to notice your Twist setup, read the password out of /etc/twist.yml, and go in to Twitter and start deleting entries. What they cannot do is recall what has already been delivered: if you have your personal Twitter user “follow” the server user, and receive updates by SMS, then the lines are on your phone before the attacker gets to them, and you will have a permanent, real-time log there.

It’s not supposed to be the end-all of server monitoring. But it’s pretty fun.

3 responses

  1. We’ve been doing something similar for Grabb.it. Using a little glue between my svn_tools Rails plugin, and the Twitter gem, we’ve got our commit log live over the wire. And for the time being, it’s public:

    http://twitter.com/grabbit

  2. Sweet. Nice use of the gem.

    I just created something that does an svn post-commit paste of the log message and changes to a campfire chat room.

    It never even hit me that I could use twitter, which all of the other developers I work with already use. You’d think that writing the twitter gem and using twitter daily would make me more creative with it.