On Fri, 24 Apr 2020 at 13:21, bruce <badoug...@gmail.com> wrote:
> Hi/Morning.
>
> This is a continuation of my looking to nail down what should be
> Monitored/Scanned to secure a Fed server/VM.
>
> I've looked over a number of Monitor apps (Solarwinds/Nagios/Zabbix/etc).
> Can't really find a good list of the things that should be monitored, so
> I've compiled the following list.
>

Years ago I found that monitoring for attempts to access/probe ports from boxes I didn't manage was detecting compromised systems (mostly Windows). IT then installed tools to block attempts to access unauthorized ports or domains on the internet (and then took offending boxes off to be reimaged). I did have to document our need to access a few blacklisted sites (there is an industry of people filing complaints against legit sites for political reasons or because they had been fired from a company that used the site). That had the effect of greatly reducing the unwanted access attempts. It would be interesting to know what capabilities the open source tools have to watch for suspicious connection attempts.

I should also mention that the Usenix Association makes issues of their ";login:" magazine public a year after publication. These contain reports from security interest groups, book reviews, and articles highlighting tools for security monitoring.

> I'm thinking the monitoring/scanning process needs to check for,
> or handle the following:
> -user attempts to access a system/ssh interaction/- logins/access
> there's a ddos on one of the VM/webapps
> rootkit/file issue
> possible intrusion attempts
> -for ports
> -for log files
> -for user accounts
> files/dirs -perms/user owner
> log files
> system/services -- required services running... invalid services disabled
> cron
> dirs/files/filesystem
> website
> db
> config file issues
> rootkit issues
> malware issues
> vulnerability issues -- vuls.io
> selinux
> partitions for the drive
> firewall
>
> mysqld
>
> httpd
>
> nfs
>
> sshd
>
> -php valid
> -python valid
> -package scan
> -pip scan
> -pecl scan
> -should the libs be scanned?
> -how to scan/check for/alert on invalid apps running?
>
> config files -- valid/invalid
>
> Feel free to add or comment on anything I've listed.
>
> Once I narrow down the list, I'll figure out which tool/dashboard to use
> for the Monitoring/Scanning. I might have to also have a separate Dashboard
> (ELK?) to handle the log analysis/display.
>
> Thanks
>
>
>
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

--
George N. White III
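One way to watch for the "suspicious connection attempts" George describes, as an added example that is not code from this thread: parse netfilter LOG lines (the kernel's iptables/nftables LOG target format) for outbound connections that the firewall dropped, and flag any source host that hit several distinct ports outside an allow-list. The sample log lines, the allow-list and the threshold are constructed for illustration.

```python
"""Flag hosts repeatedly attempting outbound connections to disallowed ports,
from netfilter (iptables/nftables) LOG lines. Added example for this thread,
not from the original post; sample data, allow-list and threshold are constructed.
"""
import re

# Fields written by the netfilter LOG target; only the ones needed here.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>TCP|UDP) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Destination ports this server is expected to reach (constructed allow-list).
ALLOWED_PORTS = {53, 80, 443, 123}

# Constructed sample: rules logged with --log-prefix "OUTBOUND-DROP".
SAMPLE_LOG = """\
Apr 24 13:21:01 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 24 13:21:02 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.9 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41001 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 24 13:21:03 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.9 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41002 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 24 13:21:04 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41003 DPT=6667 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 24 13:21:05 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41004 DPT=53 LEN=40
"""


def parse_events(text):
    """Yield (src, dst, proto, dport) for every line the LOG regex matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def suspicious_hosts(text, allowed=ALLOWED_PORTS, threshold=3):
    """Map each source host to the sorted disallowed ports it tried, keeping
    only hosts that reached at least `threshold` distinct disallowed ports.
    Counting distinct ports, not raw lines, avoids alerting on one retrying
    client while still catching a sweep across several unexpected ports."""
    ports_by_src = {}
    for src, _dst, _proto, dport in parse_events(text):
        if dport not in allowed:
            ports_by_src.setdefault(src, set()).add(dport)
    return {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= threshold}


if __name__ == "__main__":
    for host, ports in suspicious_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: outbound attempts to disallowed ports {ports}")
```

In practice the same parser would read `journalctl -k` output or /var/log/messages rather than the embedded sample, and the alert would feed whichever dashboard is chosen.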