- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Most critical files that must be monitoring on Lin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most critical files that must be monitoring on Linux in terms of security
Hi.
I mean any critical points of Linux, any files, or directory that must be monitoring to detect any suspicious activity.
For example:
/tmp
because many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack
/etc/passwd or /etc/shadow
because, sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date.
/etc/services
Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines
crontab or /etc/init.d
It's good to detect any persistence
If it has SSH running, then I would be monitoring /var/log/secure (or /var/log/auth.log) and alerting on brute force events. Or also have alerting on certain firewall logs. Example, when heartbleed came out, after patching I would set up log monitors for addresses attempting to exploit it.
So, what about else? Of course I missed many and would be happy if you helped
If you will share any blogs, article, etc, will be cool.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey in addition to that :
Linux Networks. The most important files to monitor (or exclude)
Linux. Files to INCLUDE in FIM:
Root folder:
– monitor the permissions
Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:
– /bin
– /sbin
– /usr/sbin
– /usr/bin.
– /usr/local/bin
– /usr/local/sbin
– /opt/bin
– /opt/sbin
– /lib
– /usr/lib
– /usr/local/lib
– /lib64
– /usr/lib64
– /root, /etc
Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore it must be properly monitored /boot/grub/grub.conf
https://outpost24.com/blog/windows-linux-vulnerable-files
Also, there is a good blog on Critical Linux Log Files You Must be Monitoring
https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I already got acquainted with these links, but thank for response! 🙂
To be trust, my question is very blurry and it's hard to answer. Security forumes not helped me.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
