Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, but especially properly implementing detection methods. These digital tripwires can be used for intrusion detection, or proper handling security events on Unix systems.

Security events

First we have to define a few events which are or can be security related. To get easily started, we focus on 3 tips to implement security events on Unix systems.

1. File changes

Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.conf). An unexpected change to this file could indicate compromise. Similar of your password file, if the only user is your account and that of the root user.

How: Monitor these kind of security events can be done with a file integrity tool like AIDE, Samhain or Tripwire. Another measure is implementing an auditing framework, like the Linux audit framework.

2. Process crashes

Since usually software is a weak spot in security defenses, a crash of software often indicates an unexpected event. Sometimes caused by bad hardware (e.g. a bad memory module), but usually due to bad memory management in the software itself. Malicious people try to abuse these weak spots to load special crafted code. There monitoring crashing software can be very helpful to discover potential attacks or intrusions.

How: Check logging for processes which exited abruptly (segfault). Monitor also system uptime, as a system which is continuously crashing, is definitely not helping in availability requirements of the related business goal.

3. Authentication

Each system has a (business) goal. It is very common for a system to interact with users, in one way or another. Since most applications have authentication and authorization capabilities, properly monitoring these related events is important.

How: Set a threshold after which failures are logged. For example if a user enter his or her password once, ignore it. If it occurs three times in 1 minute, then create a security events. OpenSSH is one of the tools which sets such threshold by default. Related events should be picked up and monitored.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon