Audit

Auditing Linux: Software Packages and Managers

Article about how to audit and check installed software packages and their security by using the related package managers.

Summary of Auditing Linux: Software Packages and Managers

No system can do its job without any installed software packages. However, after installing the system, or running it for a while, it often becomes unclear why some software was ever installed. This article looks at methods for auditing installed software, checking for security updates, and the related follow-up.

Package managers

To enable system administrators to properly manage software and upgrade it, Linux uses a package manager. This suite often consists of a package database, the software packages themselves, and several support tools.


Auditing Linux: what to audit?

When auditing a Linux system it might be hard to determine what actually to audit. This article provides the answers to the "what to audit?" question.

Summary of Auditing Linux: what to audit?

In this article we answer the big question on Linux systems: “what to audit?”. Where do you start and what is useful to audit? We apply our three C’s in this article to determine what we should look for when auditing a Linux system.

Current state

What is the current state of the system and how does it compare to a previous point in time? Ideal situation: compare the current state of the system with a predefined baseline or previous scan


CAATTs for Linux: Lynis

Article about a tool within CAATTs for Linux: Lynis. Helping auditors with computer-assisted audit tools and techniques, with focus on Linux and Unix scans.

Summary of CAATTs for Linux: Lynis

Within the field of the audit profession the usage of CAAT (Computer-assisted audit techniques) or CAATTs (computer-assisted audit tools and techniques) is growing. Lynis is filling this gap for Linux and Unix based systems. It’s a well-known and stable tool in this area and improves the audit process by automation. Only a few items could then be checked manually. This saves time, makes the audit more predictable and increases the quality of the overall audit.


Central audit logging: Configuration and collecting of Linux audit events

Guide to set up central audit logging for your Linux based systems, with the use of the powerful Linux audit framework. No single audit log should get lost!

Summary of Central audit logging: Configuration and collecting of Linux audit events

This guide is to help our users of the Lynis Enterprise Suite to configure a central node to receive Linux audit events. It provides some pointers on how to do a quick set-up, to store and forward events. This information is very valuable for forensic investigations and intrusion detection.

Configure the server

First start by configuring the server. Since this is a central log host, it should have enough disk capacity and enough bandwidth to sustain peaks.


Conducting a Linux Server Security Audit

Performing a Linux server security audit can be a time-consuming process. In this article the most important parts are explained, including automation.

Summary of Conducting a Linux Server Security Audit

Auditing a system can be a time-consuming job, which is no different when conducting a Linux server security audit. Within this article, we give some highlights regarding the audit and tips to automate them by using Lynis.

The business goal

Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down? Usually each system has a clear role or multiple roles, like being a web server.


Configuring and auditing Linux systems with Audit daemon

Guide for auditing Linux systems by using the audit daemon and related utilities. This powerful audit framework has many possibilities for auditing Linux.

Summary of Configuring and auditing Linux systems with Audit daemon

The Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing.

Auditing goals

By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:

- Audit file access and modification
- See who changed a particular file
- Detect unauthorized changes
- Monitoring of system calls and functions
- Detect anomalies like crashing processes
- Set tripwires for intrusion detection purposes
- Record commands used by individual users

Components

The framework itself has several components:


Creating audit trails – Logging commands on Linux with Snoopy

Snoopy is a useful utility to log commands on Linux and create a related audit trail. If you need to be PCI compliant, audit trails are considered important for proper accounting.

Summary of Creating audit trails – Logging commands on Linux with Snoopy

Our customers often want to set up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it happened and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands.

How it works

Snoopy is a wrapper around the execve() function.


Find Differences Between Two Daily Lynis Audits

It can be useful to see the differences between scans of Lynis, especially when running it daily. Learn how to do this in just a few steps.

Summary of Find Differences Between Two Daily Lynis Audits

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.

Report

Lynis has two important files to which it logs data:


Find the alternatives: CIS-CAT auditing tool

Sometimes time or money is limited. We hunt for great alternatives to commercial solutions. This time we look at alternatives for the CIS auditing tool CIS-CAT.

Summary of Find the alternatives: CIS-CAT auditing tool

The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis.


Finding setuid binaries on Linux and BSD

To perform a basic audit of the binaries on your system, we can search for setuid binaries. Finding these setuid binaries is easy with the find command.

Summary of Finding setuid binaries on Linux and BSD

Why setuid?

Binaries with the setuid bit enabled are executed as if they were running in the context of the root user. This enables normal (non-privileged) users to use special privileges, like opening sockets. While this seems unnecessary for a normal user, it is actually needed for simple commands like ping.

Finding files with setuid bit

To discover all files with the setuid bit, we can use the find command.


FreeBSD hardening with Lynis

This article provides tips for FreeBSD hardening by using a powerful tool named Lynis. This script will perform an extensive audit to secure your systems.

Summary of FreeBSD hardening with Lynis

Lynis development has its roots on a FreeBSD system, therefore FreeBSD hardening is also easy and supported when using Lynis. People who want to audit and harden their FreeBSD system will discover Lynis to be a powerful tool for this purpose. In this article we will focus on how to audit your system with Lynis.

Ports

Lynis is available from the ports tree and usually the version is close to or at the latest release.


How to audit AIX Unix systems with Lynis

The term audit may sound more official than it is. This article shows how to perform a security scan of your AIX systems and apply hardening measures.

Summary of How to audit AIX Unix systems with Lynis

Each system is as strong as its weakest link. This rule also applies to systems running AIX. Therefore a regular audit can help find the weakest links. The next step is then fortifying these weak areas and implementing system hardening measures.

What to audit?

There is a lot to look for when auditing a system running AIX. Let’s have a look at the most important areas.


How to secure a Linux system

Looking to secure your Linux system? This security guide shows you how to perform system hardening and run technical audits to keep it in optimal condition.

Summary of How to secure a Linux system

Every Linux system will benefit from more security, especially if it contains sensitive data. With so many resources available on the internet, one might think that securing Linux has become easy. We know it is not. Linux system hardening takes a good amount of understanding about how the Linux kernel works. It also requires a good understanding of the operating system principles. In this guide, we will help you to get this understanding and provide you with tips and tools.


In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

This is the technical Linux guide you need to achieve compliance with the PCI DSS standard. Become compliant and stay compliant, with Linux tips for configuration and auditing.

Summary of In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

If you work for a company which accepts, processes, or stores credit card details, you might be familiar with the PCI Data Security Standard (DSS). The standard itself is very detailed. Still, it is sometimes unclear what specifically to implement and when. This guide will help with translating the PCI standard into technical security controls on Linux systems. The goal of this document is to help you further secure your network and pass the PCI DSS audit.


Linux Audit Framework 101 – Basic Rules for Configuration

The Linux audit framework is a very powerful tool to monitor files, directories and system calls. It helps with troubleshooting, accounting and intrusion detection.

Summary of Linux Audit Framework 101 – Basic Rules for Configuration

Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.

Main Configuration

By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.


Linux Audit Framework: using aureport

Guide regarding the aureport utility, including some aureport examples. Aureport helps with audit reports and is part of the Linux audit framework.

Summary of Linux Audit Framework: using aureport

The Linux audit framework logs events, as specified by the configured watches. To extract particular events we can use the ausearch or aureport tools. The latter is the one we will focus on in this article, to get the most out of the tool.

Aureport

The aureport utility can be executed without any parameters. It will then extract all audit events available from the log. Since the audit log can be very big, it might be better to use the -start parameter, together with a time interval (e.


Linux audit log: dealing with audit.log file

Article about the Linux audit log file and how to use it, including tips to search events and safeguard it against unintended alteration of the log.

Summary of Linux audit log: dealing with audit.log file

The Linux kernel audit framework consists of several components including a daemon, control client, audit rules and the Linux audit log. In this article we take additional measures to protect the audit.log file.

Aureport

The first useful utility to parse the audit.log is aureport. Without parameters it will give a summary of all events. This includes the files, users, audit keys and also items like suspicious events (anomalies). Each sub item can be read independently by using the related parameter.


Linux Audit: Auditing the Network Configuration

This article describes how to audit the network configuration of Unix and Linux based systems, with useful tips for auditors and system administrators.

Summary of Linux Audit: Auditing the Network Configuration

Within this article we have a look at how to audit and check the network configuration of Linux and other systems. The main focus is on gathering information and discovering how systems are configured. By taking these steps we will do a manual audit. For efficiency reasons we suggest using an automated tool like Lynis.

Where to start?

Each Linux distribution has its own way and files to configure the network.


Linux audit: Log files in /var/log/audit

This article describes the purpose of the audit.log file in /var/log/audit and the relationship with the Linux audit framework.

Summary of Linux audit: Log files in /var/log/audit

By default the Linux audit framework logs all data in the /var/log/audit directory. Usually the related file is named audit.log and contains audit related information such as events.

/var/log/audit/audit.log

This file is the default log file for the Linux audit daemon. It has all related audit events and is configured using the configuration file of auditd (auditd.conf).

# cat /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Usually there is no reason to alter this location, unless a different storage location is preferred.


Linux Security Scanning for Dummies

Security scanning can be boring and time-consuming. In this "for dummies" article we have a look at how simple it can be, when it comes to security scans.

Summary of Linux Security Scanning for Dummies

Every system needs some level of protection. Still, many people simply forget to do it, or can not find the time to properly do it. To be as efficient and effective as possible, let’s take a look at a structured way for security scanning your Linux machines. The 5 dummy steps are:

1. Focus on risk

Just as not every company is a bank, our systems are not all part of a top secret mission.


Linux security: Reviewing log files

Log files are the precious collection of system events. Still many people don't use them, until it is really needed. Let's go from the reactive use of log files to a proactive stance.

Summary of Linux security: Reviewing log files

Log files are the precious collection of system events. Still many people don’t use them, until it is really needed. Let’s go from the reactive use of log files to a proactive stance.

The Logging Dilemma

Capturing events helps in troubleshooting. By defining what events are ignored and which ones are logged, we get a quick overview on the status of a system. The dilemma is usually in how much logging is enough to get a fair picture and when is it too much.


Logging root actions by capturing execve system calls

Logging all actions performed by root might be needed for compliance or security. With the help of Linux audit we log all root actions easily in an audit log.

Summary of Logging root actions by capturing execve system calls

Capturing execve system calls and storing them in the audit log

For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately the Linux audit framework helps with capturing the right system calls and logging them to the audit file.

Configure audit

To enable auditing, use the following commands:

# auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
# auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

These commands will enable monitoring for the execve system call and log it when the effective user ID is 0, equal to the root user.


Lynis for Auditors: Linux and Unix auditing

Article about Linux / Unix auditing with a focus on the usage of Lynis for auditors. Simplifying the work of the auditor and increasing the quality of work.

Summary of Lynis for Auditors: Linux and Unix auditing

Auditing on Linux

Although Unix and Linux based systems are not new, getting extensive knowledge of the operating system takes years of practice. Even then, with all the changes it might be hard to keep up, especially when being an auditor. Examples of these are the differences between package managers, the way services are started and where binaries or configuration files are located. But no worries, there is help!

Why Lynis?


OpenSSH security and hardening

The SSH configuration influences the security of your Linux system. This guide helps you to secure your OpenSSH server and client configuration.

Summary of OpenSSH security and hardening

SSH or Secure Shell is the popular protocol for doing system administration on Linux systems. It runs on most systems, often with its default configuration. As this service opens up a potential gateway into the system, securing it is one of the steps in hardening a Linux system. This article covers the SSH security tips to secure the OpenSSH service and increase the defenses of the system.

OpenSSH security

OpenSSH is under development by the security fanatics from the OpenBSD project.


Securing Linux: Audit with Lynis (an introduction into auditing)

Introduction article into securing Linux based systems by performing a scan with Lynis. After this first audit it will be much easier to harden the system!

Summary of Securing Linux: Audit with Lynis (an introduction into auditing)

Securing a Linux system can take a lot of time. For this purpose we have written Lynis, a quick and small audit tool. It’s an open source tool and freely available. You just need root permissions and a common shell and you’re ready to do your first audit. The main audience for this tool is auditors, security professionals, penetration testers and system administrators.

First audit

Most Linux distributions already have Lynis in their software repository.


The Difference Between Auditing and Vulnerability Scanning

Technical Auditing and Vulnerability Scanning: why both look the same, yet have subtle differences. When talking about auditing, I see that most technical people immediately think about...

Summary of The Difference Between Auditing and Vulnerability Scanning

Why both look the same, yet have subtle differences

When talking about auditing, I see that most technical people immediately think about vulnerability scanning. While they definitely have things in common, there are also a lot of minor differences. In this blog post I will show them, and also share how technical auditing and vulnerability scanning can work together.

Similarities and Differences

Let’s first determine what makes technical auditing and vulnerability scanning look similar.


Unix security audit: Perform an audit in 3 minutes

Quick guide for performing a Unix security audit on a Unix or Linux based system. In under three minutes you have the results and have finished your first audit!

Summary of Unix security audit: Perform an audit in 3 minutes

Want to know the vulnerabilities of a Unix/Linux system in just 3 minutes? How? Perform a scan with Lynis, the open source Unix security audit tool!

Lynis

Lynis is open source software (GPLv3), released in 2007 and a popular choice among many security professionals and system administrators. With hundreds of downloads in the first week of each release and a lot of community feedback, Lynis is the right tool for the job.


What is a security audit?

This article describes what a security audit is and why or when to use it. System audits also apply to Linux systems as part of technical auditing.

Summary of What is a security audit?

In the world of compliance, reported break-ins on the news and many security incidents, it’s common to see a security audit showing up sooner or later. Still, many people in our field don’t like them. But what is a security audit and why should we actually embrace them?

Why audit?

Auditing has a simple goal: check if something is configured according to best practices, a baseline or a preferred state. In an ideal situation these values are all the same and part of a properly taken decision.
