Intrusion Detection

Antivirus for Linux: is it really needed?

Is antivirus needed on Linux systems? The answer: it depends. We will look at the risks, the types of malware, and the related security measures to take.

Summary of Antivirus for Linux: is it really needed?

The question regarding the need for antivirus for Linux is after years still relevant. It is asked at forums and shows up regularly at Quora. As the original author of rkhunter, a malware scanner for Linux and Unix systems, I analyzed many malicious software components. You might be wondering that if there is malware, there is also a need for a scanner, right? It is actually not that easy to answer.

Read the full article…

Detecting Linux rootkits

In this post about intrusion detection we have a look at Linux rootkits, what they do and how to detect them. Linux rootkits are malicious pieces and should be detected as soon as possible.

Summary of Detecting Linux rootkits

Malware, or malicious software is also an issue on Linux systems. Let’s have a look into this threat and what actions you can take. What is a rootkit? A rootkit is a set of tools with the goal to hide its presence and to continue providing system access to an attacker. The word rootkit comes from the root user, which is the administrator account on Linux systems and Unix-clones. The kit refers to a toolkit, or a set of tools.

Read the full article…

Linux Audit Framework: using aureport

Guide regarding the aureport utility, including some aureport examples. Aureport helps with audit reports and is part of the Linux audit framework.

Summary of Linux Audit Framework: using aureport

The Linux audit framework logs events, as specified by the configured watches. To extract particular events we can use the ausearch or aureport tools. The latter is the one we will focus on in this article, to get the most out of the tool. Aureport The aureport utility can be executed without any parameters. It will then extract all audit events available from the log. Since the audit log can be very big, it might be better to use the -start parameter, together with a time interval (e.

Read the full article…

Monitoring Linux File access, Changes and Data Modifications

Linux has several methods available to protect your valuable data. With the right tool we can audit file access, changes and data modifications, including meta-data.

Summary of Monitoring Linux File access, Changes and Data Modifications

Linux has several solutions to monitor what happens with your data. From changing contents to who accessed particular information, and at what time. For our auditing toolkit Lynis, we researched and tested several solutions over the last few years. In this article we have a look at these solutions to monitor file access, changes and modifications to the data and beyond. What is Data? Data is a collection of bits, ordered in such a way it gives meaning to humans.

Read the full article…