- System Auditing
- System Logging
- Network Intrusion Detection with Snort
- Host File Integrity with Tripwire
System Auditing
- Auditing can track system activities to warn sysadmin of suspicious activity
- Allows sysadmin to understand the types of access that took place
- Can identify a security breach, and aid in the research of the breach
- More than simply logging or system accounting but they are component parts of auditing
- Other parts are intrusion detection and file verification, resource access, and privilege use
- Successful & unuccessful events both important
- Also involves analysis of dts and correlation of related events
- Some systems(i.e RHEL3 and SuSE Enterprise Linux) have special auditing software included
- Other distros can use ‘snare’ or ‘auditd’ for auditing functions
- Ensure audit data files can only be read by security auditors group
- Ensure the auditing software can record the following for each audit event:
- Date and time of the event
- Userid that initiated the event
- Type of event
- Success or failure of the event
- Origin of the request(IP or MAC address, host name ,etc)
- Retain audit data for at least one year(minimum)
- Ensure audit fles are backed up at least weekly onto a different system tha the one being audited or backup media
System Logging
- System logging is used to track events and when they occurred
- Used to identify system performance trends, keep a historical record of activities, and provide accountability for actions
- Logging must be managed, not simply turned and forgotten
- System log files refer to logs of system activities,such as the /var/log/syslog file, the /var/messages file, and others
- System logging is done via the sylog facility(syslogd)
- syslogd reas and forwards system messages to the log files and/or users
- /etc/syslog.conf is used to configure syslogd
- syslog can log bto local host or to centralized logging server
- Advantage of log server is that it allows centralized logging management for monitoring of possible malicious activity on network
- Many utilities log to syslogd by default or can be configured to do so
- syslogd should be secured to prevent log compromise, destruction, or unauthorized access
- Ensure reliable time source isused throghout network for accurate logging
- System logging normally takes place over port 514; services to this port should be resticated to local hosts at the firewall or premise router
- syslogd should be configured to accept messages only from designated hosts
- Ensure logs are reviewed daily
- Some messages need to be reviewed immediately by responsible sysadmin
- Archive logs at least daily to ease space requirements and to reduce the time requirements and to resuce the time required or log searches and reviews
Intrusion Detection With Snort
- Intrustion Detection Systems(IDS) monitor networks and hosts for unusual traffic patterns and behaviors to detect possible attacks
- IDS consists of sensors, collectors, databases, and analysis consoles
- Ability to detect attacks based upon knowns attack signatures or unusual activity (anomoly-based)
- IDS are host-based or Network-based
- Host-based(HIDS) detects attacks on a particular host
- Network-based(NIDS) detects unusual network traffic that may be an attack
- Snort is most popular open source IDS for Linux
- Signature-based NIDS that detects a wide variety of attacks
- Detected attacks include buffer overflows, Denial OF Service TCP/IP attacks Distributed DOS attacks, port scans and certain malware attacks
- Real-time Logging and alerting
- Highly configureable ruleset
- Ported to almst allLinux distros
- Configured through snot.conf file
- Uses the libpcap library as its packet detection engine
- Preprocesses packets before analysis to alert,filter,and modify potentailly harmfuyl traffic in advace
- Many types of preprocessors available.depending upon needed functionality
- After preprocessing, packets are delivered to the Rules Parsing and Detection Engine
- Reads configured rules and passes to detection engine for applcation to packets
- If packet matches a rule, Alerting an Logging engine logs details and fires and alert
- Logging can be done to centralized logging server
- Logs cn be text or binary format
- Alerts can be messages or emails sent to sysadmin
- Actions can be taken based upon packet type
- Snort can send output to text and databaes
- Works with MySQL, Oracle and others
- Data can be stored for trend analysis
Host File Integrity with Tripwire
- Host-baed IDS and file-integrity monitor
- Works by identifying changes to key system files
- Scans selected files and folders at regular intervals for changes
- Changes to monitored files result in alerts
- Alerts in the form of email to sysadmin
- Logs for only single system, but logs from multiple systems can be centerally managed
- Easy to use and configure
- Is not CPU intensive
- Configured from command line
- Configuration files stored in /etcx/tripwire
- Tripwire configuration file is twcfg
- Policy configurtion file is twpol
- Enable initail configuration of tripwire, then replaced by encrypted files
- Configured usung twadmin and tripwire commands
- Common files and directories to confirue for monitoring include:
- /root/, /boot, /etdc, and /usr/sbin
- hosts.allow and host.deny
- /etc/password and shadow password files
- /etc/fstab and inittab
- Initial run should baeline system
- Re-baseline system after planned patches and upgrades
- Monitor for unplanned or unauthorized changes to files
Latest posts by Rajesh Kumar (see all)
- Best Hospitals for affordable surgery for medical tourism - December 20, 2024
- Top Global Medical Tourism Companies in the World - December 20, 2024
- Medical Laboratory equipment manufacturing company - December 20, 2024