Hi.
I mean any critical points of Linux: any files or directories that must be monitored to detect suspicious activity.
For example:
/tmp
because many exploits in the Unix world rely on creating temporary files in the standard /tmp folder, which are not always deleted after the system is hacked.
/etc/passwd or /etc/shadow
because sometimes hacker attacks add a new user to /etc/passwd, which can be used to log in remotely at a later date.
/etc/services
Suspicious services added to /etc/services. Opening a backdoor on a Unix system is sometimes a matter of adding two text lines.
crontab or /etc/init.d
It's good to detect any persistence.
If it has SSH running, then I would monitor /var/log/secure (or /var/log/auth.log) and alert on brute-force events. Or also have alerting on certain firewall logs. For example, when Heartbleed came out, after patching I would set up log monitors for addresses attempting to exploit it.
So, what else? Of course I missed many and would be happy if you helped.
If you could share any blogs, articles, etc., that would be cool.
Hey, in addition to that:
Linux Networks. The most important files to monitor (or exclude)
Linux. Files to INCLUDE in FIM:
Root folder:
– monitor the permissions
Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:
– /bin
– /sbin
– /usr/sbin
– /usr/bin
– /usr/local/bin
– /usr/local/sbin
– /opt/bin
– /opt/sbin
– /lib
– /usr/lib
– /usr/local/lib
– /lib64
– /usr/lib64
– /root, /etc
Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore /boot/grub/grub.conf must be properly monitored.
https://outpost24.com/blog/windows-linux-vulnerable-files
Also, there is a good blog on Critical Linux Log Files You Must be Monitoring
https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
Let me know if this helps!
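As an added illustration of the file integrity monitoring the lists above describe (not code from either poster or from the linked blogs): a baseline-and-compare check in Python that records permissions, owner, mtime and a content hash for every file under the chosen roots, skips log/cache files, and reports what was added, removed or changed. The excluded suffixes and the sample roots are assumptions.

```python
import hashlib
import os
import stat

# Suffixes treated as log/cache files and skipped, following the advice above
# to leave logs and caches out of FIM (the list itself is an assumption).
EXCLUDE_SUFFIXES = (".log", ".cache")


def file_record(path):
    """Permissions, owner, mtime and (for regular files) a content hash."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a retargeted symlink is a change too
    return rec


def snapshot(roots):
    """Walk each root (e.g. /bin, /etc) without following symlinked directories."""
    snap = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.endswith(EXCLUDE_SUFFIXES):
                    continue
                full = os.path.join(dirpath, name)
                snap[full] = file_record(full)
    return snap


def compare(baseline, current):
    """Report added/removed paths and which attributes changed on the rest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        keys = set(baseline[path]) | set(current[path])
        changed = sorted(k for k in keys
                         if baseline[path].get(k) != current[path].get(k))
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}
```

Store the baseline somewhere the monitored host cannot overwrite it and run `compare(baseline, snapshot(roots))` on a schedule; a new UID 0 line in /etc/passwd shows up as a `sha256` change on that file.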
Hello.
I already got acquainted with these links, but thanks for the response! 🙂
To be honest, my question is very blurry and it's hard to answer. Security forums haven't helped me.