The Difference Between Auditing and Vulnerability Scanning

Technical Auditing and Vulnerability Scanning Why both look the same, yet have subtle differences When talking about auditing, I see that most technical people immediately think about vulnerability scanning. While they definitely have things in common, there are also a lot of minor differences. In this blog post I will show them, and also share how technical auditing and vulnerability scanning can work together. Similarities and Differences Let’s first determine what makes technical auditing and vulnerability scanning look similar. First […]

Read more

Tiger is History, Long Live Modern Alternatives!

The History and Alternatives to the Tiger Security Tool Recently I saw some tweets showing up from an old friend: Tiger. Surprised to see it being promoted, as I know the tool for years, but never seen any new releases in the last years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software. History of Tiger In its day, the tool […]

Read more

Find Differences Between Two Daily Lynis Audits

Comparing Lynis Scan Results Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs. Report Lynis has two important files to which is logs data: /var/log/lynis.log /var/log/lynis-report.dat The first file /var/log/lynis.log has […]

Read more

The ultimate strace cheat sheet

Strace cheat sheet The strace utility is very powerful to learn what a new or running process is doing. Due to its diversity of monitoring options, the tool is less accessible at first. This strace cheat sheet helps with getting the best out of this tool. Normally cheat sheets come in a single 1 page PDF. In this case, we combined it all within a blog post. First section shows an explanation per area, the bottom of the post contains […]

Read more

Monitor file access by Linux processes

Process Auditing: Disk and File Activity Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests of monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occuring in a process, including disk and file activity. Monitor syscalls […]

Read more

Forget Linux Vulnerability Scanning: Get Better Defenses

Building Defenses Beyond Linux Vulnerability Scanning Every month or so, I get a few questions about the vulnerability capabilities Lynis has to offer. It made me think about this subject and I realized something: Many security professionals are still focusing too much on vulnerabilities. They want to know their security gaps, so they can know where they stand. While this isn’t a bad approach, there might be a better solution. The solution I will discuss today is to focus on (permanent) […]

Read more

Linux System Integrity Explained: Ensure Data, Logging and Kernel Integrity

Linux System Integrity Explained From Data and Logging, up to Kernel Integrity Systems exist for one primary goal, which is processing data. Information security helps protecting this valuable data, by ensuring its availability, integrity, and confidentiality. In other words, data should be available when we need it. Then it should be properly transmitted and stored, without errors. Our last goal ensures that it is only available to those with a need to know. Many open source software components are available […]

Read more

Logging root actions by capturing execve system calls

Logging root actions Capturing execve system calls and store them in the audit log For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately enough the Linux audit framework helps with capturing the right system calls and log it to the audit file. Configure audit To enable auditing, use the following commands: auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands auditctl -a exit,always -F arch=b32 -F euid=0 -S execve […]

Read more
1238