This is one where there's probably no limit to what you could do. We have a 
high-security environment and are using Aide and OSSEC.

Aide has been good at reporting file system changes and is very granular; the 
dilemma is what to monitor and what to ignore (keep from being inundated with 
reports of innocuous changes at the risk of missing something). However, it is 
not daemon-based, so changes between runs that are undone go unnoticed. Also, 
somehow you need to protect the executable and configuration file so that an 
attacker can't replace the executable or read the configuration and find a way 
around it. The executable could be placed on mounted read-only media; last 
time I checked, Netac and Kanguru still made USB sticks with write-protect 
switches. Our best effort for protecting configuration is to deliver the 
configuration file just-in-time and delete it after the scheduled run. Not a 
great solution; does anybody have a better idea?

OSSEC is daemon-based and centrally managed. It is a HIDS rather than just a 
FIMS as Aide is. Its log monitoring has surfaced operational issues in 
addition to security ones (Postfix got in an odd state and had to be restarted, 
for example). Unfortunately, false positives are common, especially if you use 
the "detect new files" feature. They admit that dealing with software updates 
is problematic.

I've used auditd to trace down what ended up being a funny situation: Aide 
detected that /etc/hosts.deny would change timestamp but nothing else. It turns 
out OSSEC has an active response feature to block attacks, which involves 
updating that file to block a host for 10 minutes.

You could also look into inotify options, and Samhain is another HIDS (I'd love 
to hear about anyone's experience with it). A free variant of Tripwire may 
still exist but is probably unsupported; Aide is a clone of it.

I noticed that rootkit detection has also been mentioned in another reply.
________________________________
From: CentOS <centos-boun...@centos.org> on behalf of Christopher Wensink 
<cwens...@five-star-plastics.com>
Sent: Thursday, November 14, 2019 9:40 AM
To: CentOS mailing list <centos@centos.org>
Subject: [EXTERNAL] [CentOS] how to know when a system is compromised

How do you know when a Linux system has been compromised?

Every day I watch our systems with all the typical tools (ps, top, who);
I watch firewall / IPS logs; I have logwatch set up and mailing daily
summaries to me, and I dive deeper into logs if something looks suspicious.

What am I missing or not looking at that you security gurus are looking at?

I subscribe to the CentOS and SANS newsletters, and I try to keep
current on all technology with credible sources of articles online and
with the Lynda library.

What other sources of information do you use to stay current about the
latest threats and technology updates?

I appreciate the feedback.

Chris



_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Harriscomputer

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com


2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com

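The distinction that Leroy's hosts.deny puzzle turns on, as an added example that is not code from either poster nor from Aide or OSSEC: a baseline/compare pass that reports content changes separately from metadata-only changes (timestamp, mode, owner), so a file that was rewritten with identical bytes is flagged differently from one that was actually edited. File names, contents and timestamps below are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(paths):
    """Baseline record per file: content hash plus the metadata a FIM would compare."""
    snap = {}
    for p in map(Path, paths):
        if not p.is_file():
            continue  # missing files show up as "added"/"removed" in compare()
        st = p.stat()
        snap[str(p)] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                        "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                        "gid": st.st_gid, "mtime": st.st_mtime_ns}
    return snap

def compare(baseline, current):
    """Classify each path: added, removed, content, metadata:<fields>, or unchanged."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report[path] = "added"
        elif new is None:
            report[path] = "removed"
        elif old["sha256"] != new["sha256"]:
            report[path] = "content"
        else:  # same bytes; only timestamp/mode/owner moved (the hosts.deny pattern)
            diff = [k for k in old if old[k] != new[k]]
            report[path] = "metadata:" + ",".join(diff) if diff else "unchanged"
    return report

def demo():
    """Constructed scenario in a temp dir: touched-but-restored, edited, added, untouched."""
    with tempfile.TemporaryDirectory() as d:
        deny, passwd, motd, new = (os.path.join(d, n) for n in ("hosts.deny", "passwd", "motd", "newfile"))
        for path, text in ((deny, "ALL: 198.51.100.9\n"), (passwd, "root:x:0:0::/root:/bin/bash\n"), (motd, "welcome\n")):
            Path(path).write_text(text)
            os.utime(path, ns=(1_600_000_000_000_000_000,) * 2)  # pinned so the run is deterministic
        baseline = snapshot([deny, passwd, motd, new])
        # Between runs: hosts.deny rewritten with identical bytes (only mtime moves, like the
        # OSSEC active-response case), passwd edited, a new file appears, motd untouched.
        Path(deny).write_text("ALL: 198.51.100.9\n")
        os.utime(deny, ns=(1_600_000_600_000_000_000,) * 2)
        Path(passwd).write_text("root:x:0:0::/root:/bin/bash\nsvc:x:1001:1001::/srv:/sbin/nologin\n")
        Path(new).write_text("")
        report = compare(baseline, snapshot([deny, passwd, motd, new]))
        return {os.path.basename(k): v for k, v in report.items()}
```

Calling demo() returns the per-file verdicts; pointing snapshot() at a real file list and persisting the baseline between scheduled runs gives the same content-versus-metadata split for triage.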