Auditing

Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, including system auditing. A look at how to audit security events on Unix and how to deal with these events.

Summary of Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, but especially properly implementing detection methods. These digital tripwires can be used for intrusion detection, or for properly handling security events on Unix systems. Security events: First we have to define a few events which are, or can be, security related. To get started easily, we focus on 3 tips to implement security events on Unix systems. 1. File changes: Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.

Auditing Linux processes: The Deep Dive!

In-depth article about auditing Linux processes. Determination of running processes, memory and on-disk structure and the proper tools for analyzing them.

Summary of Auditing Linux processes: The Deep Dive!

From the initial start of the Linux operating system, the first processes are already born. In this article we have a look at dealing with processes. In particular we look at how to do process auditing. Whether you are an auditor, system administrator or just a Linux enthusiast, you can’t ignore processes and should know how to deal with them. Process listing: For most people working on Linux systems, it might be obvious to display running processes with ps.

Auditing Linux: what to audit?

When auditing a Linux system it might be hard to determine what exactly to audit. This article will provide the answers to the "what to audit?" question.

Summary of Auditing Linux: what to audit?

In this article we answer the big question on Linux systems: “what to audit?”. Where do you start and what is useful to audit? We apply our three C’s in this article to determine what we should look for when auditing a Linux system. Current state: What is the current state of the system and how does it compare to a previous point in time? Ideal situation: compare the current state of the system with a predefined baseline or previous scan

CAATTs for Linux: Lynis

Article about a tool within CAATTs for Linux: Lynis. Helping auditors with computer-assisted audit tools and techniques, with focus on Linux and Unix scans.

Summary of CAATTs for Linux: Lynis

Within the field of the audit profession the usage of CAAT (computer-assisted audit techniques) or CAATTs (computer-assisted audit tools and techniques) is growing. Lynis is filling this gap for Linux and Unix based systems. It’s a well-known and stable tool in this area and improves the audit process by automation. Only a few items then need to be checked manually. This saves time, makes the audit more predictable and increases the quality of the overall audit.

Creating audit trails – Logging commands on Linux with Snoopy

Snoopy is a useful utility to log commands on Linux and create a related audit trail. If you need to be PCI compliant, audit trails are considered to be important for proper accounting.

Summary of Creating audit trails – Logging commands on Linux with Snoopy

Logging commands on Linux with Snoopy: Our customers often want to set up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands. How it works: Snoopy is a wrapper around the execve() function.

FreeBSD hardening with Lynis

This article provides tips for FreeBSD hardening by using a powerful tool named Lynis. This script will perform an extensive audit to help secure your systems.

Summary of FreeBSD hardening with Lynis

Lynis development has its roots on a FreeBSD system, so FreeBSD hardening is also easy and well supported when using Lynis. People who want to audit and harden their FreeBSD system will discover Lynis to be a powerful tool for this purpose. In this article we will focus on how to audit your system with Lynis. Ports: Lynis is available from the ports tree and the version there is usually close to or at the latest release.

Hardening Guides and Tools for Red Hat Linux (RHEL)

Overview of tools and hardening guides to implement system hardening for Red Hat Linux. Also applies to Fedora, CentOS and Scientific Linux systems.

Summary of Hardening Guides and Tools for Red Hat Linux (RHEL)

System hardening is an important part of securing computer networks. Each system should get the appropriate security measures to provide a minimum level of trust. In this post we have a look at some of the options when securing a Red Hat based system. This information applies to Red Hat Linux (RHEL), Fedora, CentOS, Scientific Linux and others. Red Hat: Red Hat itself has a hardening guide for RHEL 4, which is freely available.

How and why Linux daemons drop privileges

We have a look at how to drop privileges for Linux daemons. By dropping privileges, a process can be safeguarded against attacks and the system against a successful compromise.

Summary of How and why Linux daemons drop privileges

In this article we have a look at the privileges of Linux daemons and dropping privileges in particular. The samples provided are in C. Why drop privileges? Some daemons need root permissions to start. This happens for example when a daemon wants to bind to a low port (<1024). However, running network-based daemons with root permissions is considered to be a serious risk. If the process is compromised, an attacker has full access to the system.

In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

This is the technical Linux guide you need to achieve compliance with the PCI DSS standard. Become compliant and stay compliant, with Linux tips for configuration and auditing.

Summary of In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

The standard itself is very detailed. Still, it is sometimes unclear what specifically to implement and when. This guide will help with translating the PCI standard into technical security controls on Linux systems. The goal of this document is to help you further secure your network and pass the PCI DSS audit. It is important to note that this guide is a set of generic tips. Your IT environment might require additional security measures.

Linux Audit: Auditing the Network Configuration

This article describes how to audit the network configuration of Unix and Linux based systems, with useful tips for auditors and system administrators.

Summary of Linux Audit: Auditing the Network Configuration

Within this article we have a look at how to audit and check the network configuration of Linux and other systems. The main focus is on gathering information and discovering how systems are configured. By taking these steps we will do a manual audit. For efficiency reasons we suggest using an automated tool like Lynis. Where to start? Each Linux distribution has its own way and files to configure the network.

Linux server security: Three steps to secure each system

Article about Linux server security and guidance for securing your Linux systems. Focus on auditing, hardening and compliance, to improve security defenses.

Summary of Linux server security: Three steps to secure each system

Determining the level of Linux server security can only be done by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associating risk with each weakness. Depending on the role of the system, sensitivity of data and possible threats, we can then select what security safeguards are appropriate.

Linux vulnerabilities: from detection to treatment

How to deal with Linux vulnerabilities? This article shares the insights, methods, and tools to help with detection and prevention on Linux systems.

Summary of Linux vulnerabilities: from detection to treatment

If you have worked with a computer in the last decade, you know the importance of keeping your software up-to-date. Those who don’t are stacking up vulnerabilities, waiting for them to be exploited by others. Although Linux and most software are open source and can be reviewed, security flaws in software packages remain. While it isn’t easy to close every vulnerability on your system, we can at least create a stable process around it.

Lynis for Auditors: Linux and Unix auditing

Article about Linux / Unix auditing with a focus on the usage of Lynis for auditors. Simplifying the work of the auditor and increasing the quality of work.

Summary of Lynis for Auditors: Linux and Unix auditing

Auditing on Linux: Although Unix and Linux based systems are not new, getting extensive knowledge of the operating system takes years of practice. Even then, with all the changes it might be hard to keep up, especially as an auditor. Examples of these are the differences between package managers, the way services are started and where binaries or configuration files are located. But no worries, there is help! Why Lynis?

Major release: Lynis 3.x

Learn about the most important changes that form the major 3.x release of the Lynis project, including security enhancements and new tests.

Summary of Major release: Lynis 3.x

After almost a year of work, we are excited to share news about the major 3.x release! It is major for multiple reasons, including the number of submissions from the community and some breaking changes. Some core functions have been rewritten and several new functions were added. Another important area for this release is security. As a security tool, we want Lynis to be as safe as possible, even though shell script is not specifically known for that.

PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

PCI DSS v3 compliance (A.1.2.a) requires you to verify that no application processes are running as root. We audit these application processes and check the status of each.

Summary of PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin). For Unix and Linux based systems, processes should run as a non-privileged user where possible. However, a process is usually started with root permissions (uid 0), as this is required to open the required sockets (e.g. bind to port 80). After the initial start, the process drops its privileges by switching to another user.

PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

PCI DSS requires logging of administrative actions, including commands executed by the root user or using sudo. Learn how to set up accounting and auditing.

Summary of PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

Companies that need to comply with the PCI DSS standard need to log all actions which are executed by the root user or those accounts with similar administrative privileges. 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged. The Linux kernel allows the monitoring of executed commands. This monitoring and logging can be done with the Linux audit framework. Using this framework, we can monitor the right system calls and create an audit trail.

Security Audits – How to Prioritize Audit Findings

After extensive auditing and analysis of the results, it is time to prioritize the audit findings. Learn how to do this by looking at impact, urgency and effort.

Summary of Security Audits – How to Prioritize Audit Findings

Technical audits or vulnerability scans will reveal a lot of findings. They can be overwhelming, causing the reviewer to freeze, not knowing where to start. To overcome this issue, we should prioritize the findings and determine the consequences of each finding for our company. While an open directory listing on a web server might be undesirable in one situation, it could make perfect sense in another. It is the context which makes a finding “serious” or completely harmless.

Security Defenses to Fortify your Linux Systems

Your Linux systems should be protected against common security attacks. By using 4 common techniques, we can fortify our systems like a real fortress.

Summary of Security Defenses to Fortify your Linux Systems

Create a Linux security fortress: implementing security defenses using towers, bridges, and guards. Still, many companies have difficulties implementing basic security measures. Even after years of websites being defaced and customer records stolen, the same mistakes are made over and over again. While this all might sound like an unsolvable situation, information security is getting attention from more people. If you are responsible for the system management of Linux systems, ignoring security is no longer an option.

Tiger is History, Long Live Modern Alternatives!

The Tiger tool was long known as a helpful tool for auditing Unix-based systems. Fortunately there are new tools that are better maintained.

Summary of Tiger is History, Long Live Modern Alternatives!

Recently I saw some tweets showing up from an old friend: Tiger. I was surprised to see it being promoted, as I have known the tool for years, but have never seen any new releases in the last years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software. History of Tiger: In its day, the tool was quite good.

Using Open Source Auditing Tools as alternative to CIS Benchmarks

Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to...

Summary of Using Open Source Auditing Tools as alternative to CIS Benchmarks

An alternative to CIS Benchmarks and hardening guides: Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to cover, and apply every single step? In this article, we have a look at the alternative: open source auditing tools. Time: Hardening is a time-consuming task. As security specialists, we know that.

Vulnerability Scanning: The Destiny to Disappointment?

Vulnerability management is an important process to deal with vulnerabilities in software and hardware. At the same time it can become challenging very quickly.

Summary of Vulnerability Scanning: The Destiny to Disappointment?

Our digital world is full of hardware and software components. The big difference between the two is the quality. When hardware ships with defects, people will return it and talk badly about it. For software it is fine if things are not perfect from the beginning. It can be improved upon in steps, until most of its users are happy with it. Developers of this software are often under some level of pressure.

What is a security audit?

This article describes what a security audit is and why or when to use it. System audits also apply to Linux systems as part of technical auditing.

Summary of What is a security audit?

In the world of compliance, reported break-ins on the news and many security incidents, it’s common to see a security audit showing up sooner or later. Still, many people in our field don’t like them. But what is a security audit and why should we actually embrace them? Why audit? Auditing has a simple goal: check if something is configured according to best practices, a baseline or a preferred state. In an ideal situation these values are all the same and the result of a properly made decision.