Audit security events on Unix systems

Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, but especially properly implementing detection methods. These digital tripwires can be used for intrusion detection, or proper handling security events on Unix systems.

Security events

First we have to define a few events which are or can be security related. To get easily started, we focus on 3 tips to implement security events on Unix systems.

1. File changes

Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.conf). An unexpected change to this file could indicate compromise. Similar of your password file, if the only user is your account and that of the root user.

How: Monitor these kind of security events can be done with a file integrity tool like AIDE, Samhain or Tripwire. Another measure is implementing an auditing framework, like the Linux audit framework.

2. Process crashes

Since usually software is a weak spot in security defenses, a crash of software often indicates an unexpected event. Sometimes caused by bad hardware (e.g. a bad memory module), but usually due to bad memory management in the software itself. Malicious people try to abuse these weak spots to load special crafted code. There monitoring crashing software can be very helpful to discover potential attacks or intrusions.

How: Check logging for processes which exited abruptly (segfault). Monitor also system uptime, as a system which is continuously crashing, is definitely not helping in availability requirements of the related business goal.

3. Authentication

Each system has a (business) goal. It is very common for a system to interact with users, in one way or another. Since most applications have authentication and authorization capabilities, properly monitoring these related events is important.

How: Set a threshold after which failures are logged. For example if a user enter his or her password once, ignore it. If it occurs three times in 1 minute, then create a security events. OpenSSH is one of the tools which sets such threshold by default. Related events should be picked up and monitored.


One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.