Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Most critical files that must be monitoring on Linux in terms of security

test_qweqwe
Builder
‎03-15-2018 10:37 AM

Hi.
I mean any critical points of Linux, any files, or directory that must be monitoring to detect any suspicious activity.

For example:
/tmp
because many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack

/etc/passwd or /etc/shadow
because, sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date.

/etc/services
Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines

crontab or /etc/init.d
It's good to detect any persistence

If it has SSH running, then I would be monitoring /var/log/secure (or /var/log/auth.log) and alerting on brute force events. Or also have alerting on certain firewall logs. Example, when heartbleed came out, after patching I would set up log monitors for addresses attempting to exploit it.

So, what about else? Of course I missed many and would be happy if you helped
If you will share any blogs, article, etc, will be cool.

0 Karma
Reply

mayurr98
Super Champion
‎03-16-2018 01:10 AM

hey in addition to that :

Linux Networks. The most important files to monitor (or exclude)
Linux. Files to INCLUDE in FIM:

Root folder:
– monitor the permissions
Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:
– /bin
– /sbin
– /usr/sbin
– /usr/bin.
– /usr/local/bin
– /usr/local/sbin
– /opt/bin
– /opt/sbin
– /lib
– /usr/lib
– /usr/local/lib
– /lib64
– /usr/lib64
– /root, /etc
Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore it must be properly monitored /boot/grub/grub.conf
https://outpost24.com/blog/windows-linux-vulnerable-files

Also, there is a good blog on Critical Linux Log Files You Must be Monitoring
https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/

let me know if this helps!

0 Karma
Reply

test_qweqwe
Builder
‎03-16-2018 07:44 AM

Hello.
I already got acquainted with these links, but thank for response! 🙂
To be trust, my question is very blurry and it's hard to answer. Security forumes not helped me.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...