Audit security events on Unix systems

Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, but especially properly implementing detection methods. These digital tripwires can be used for intrusion detection, or proper handling security events on Unix systems.

Security events

First we have to define a few events which are or can be security related. To get easily started, we focus on 3 tips to implement security events on Unix systems.

1. File changes

Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.conf). An unexpected change to this file could indicate compromise. Similar of your password file, if the only user is your account and that of the root user.

How: Monitor these kind of security events can be done with a file integrity tool like AIDE, Samhain or Tripwire. Another measure is implementing an auditing framework, like the Linux audit framework.

2. Process crashes

Since usually software is a weak spot in security defenses, a crash of software often indicates an unexpected event. Sometimes caused by bad hardware (e.g. a bad memory module), but usually due to bad memory management in the software itself. Malicious people try to abuse these weak spots to load special crafted code. There monitoring crashing software can be very helpful to discover potential attacks or intrusions.

How: Check logging for processes which exited abruptly (segfault). Monitor also system uptime, as a system which is continuously crashing, is definitely not helping in availability requirements of the related business goal.

3. Authentication

Each system has a (business) goal. It is very common for a system to interact with users, in one way or another. Since most applications have authentication and authorization capabilities, properly monitoring these related events is important.

How: Set a threshold after which failures are logged. For example if a user enter his or her password once, ignore it. If it occurs three times in 1 minute, then create a security events. OpenSSH is one of the tools which sets such threshold by default. Related events should be picked up and monitored.


Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)

Leave a Reply

Your email address will not be published. Required fields are marked *