The Difference Between Auditing and Vulnerability Scanning

Technical Auditing and Vulnerability Scanning Why both look the same, yet have subtle differences When talking about auditing, I see that most technical people immediately think about vulnerability scanning. While they definitely have things in common, there are also a lot of minor differences. In this blog post I will show them, and also share how technical auditing and vulnerability scanning can work together. Similarities and Differences Let’s first determine what makes technical auditing and vulnerability scanning look similar. First […]

Read more

In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

Linux Guide for PCI DSS Certification, Compliance, and Auditing If you work for a company which accepts, processes or stores credit card details, you might be very familiar with the PCI Data Security Standard (DSS). The standard itself is detailed, yet sometimes unclear on what specifically to implement (and when). This guide will help with translating the PCI standard to technical security controls on Linux systems. It is based on the current version of PCI DSS, which is now version […]

Read more

Find Differences Between Two Daily Lynis Audits

Comparing Lynis Scan Results Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs. Report Lynis has two important files to which is logs data: /var/log/lynis.log /var/log/lynis-report.dat The first file /var/log/lynis.log has […]

Read more

Logging root actions by capturing execve system calls

Logging root actions Capturing execve system calls and store them in the audit log For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately enough the Linux audit framework helps with capturing the right system calls and log it to the audit file. Configure audit To enable auditing, use the following commands: auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands auditctl -a exit,always -F arch=b32 -F euid=0 -S execve […]

Read more

Find the alternatives: CIS-CAT auditing tool

Alternatives to the CIS-CAT auditing tool The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing […]

Read more

Linux Audit Framework 101 – Basic Rules for Configuration

Linux Audit Framework 101 Basic Rules for Configuration Starting with Linux auditing can be overwhelming. Fortunately there is a great tool available to tell the Linux kernel to watch some events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules. Main Configuration By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your […]

Read more

Finding setuid binaries on Linux and BSD

Finding setuid binaries for Linux and BSD systems Why setuid? Binaries with the setuid bit enabled, are being executed as if they were running under the context of the root user. This enables normal (non-privileged) users to use special privileges, like opening sockets. While this seems unnecessary for a normal user, it is actually needed for simple commands like ping. Finding files with setuid bit To discover all files with the setuid bit, we can use the find command. Depending […]

Read more

Creating audit trails – Logging commands on Linux with Snoopy

Creating audit trails Logging commands on Linux with Snoopy Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands. How it works Snoopy is a wrapper around the execve() function. This is a […]

Read more
1234