Events
Audit security events on Unix systems
Protecting computer networks consists of implementing preventative measures, including system auditing. Let's have a look at how this relates to Linux.
Summary
Protecting computer networks consists of implementing preventative measures, but above all of properly implementing detection methods. These digital tripwires can be used for intrusion detection and for the proper handling of security events on Unix systems.
Security events
First we have to define a few events which are, or can be, security related. To get started easily, we focus on 3 tips for implementing security events on Unix systems.
1. File changes
Some files you don’t want to change very often, like your DNS resolver configuration (/etc/resolv.conf). An unexpected change to this file could indicate a compromise. The same applies to your password file (/etc/passwd) if the only accounts on the system are your own and that of the root user.
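To make this file-change tripwire concrete, here is an added shell example (written for this page, not code from the original article): it emits auditd watch rules for the two files named above, and it keeps a SHA-256 baseline that a cron job can compare against, so a change is reported even if the audit daemon was not running at the time. The default watch list, the audit key name sysfile_change, the baseline file format and the use of sha256sum (with openssl as fallback) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for the file-change tripwire; not code from the original
# article. Assumes POSIX sh with sha256sum (openssl as fallback). The default
# watch list, the audit key "sysfile_change" and the baseline format are
# illustrative choices.

# Files that should rarely change on a stable host. Override via the
# environment (WATCHED_FILES="...") to watch other paths.
WATCHED_FILES="${WATCHED_FILES:-/etc/resolv.conf /etc/passwd}"

# Print auditd watch rules for the list: record writes and attribute changes
# (-p wa) under one key, so "ausearch -k sysfile_change" finds all of them.
emit_audit_rules() {
    for f in $WATCHED_FILES; do
        printf -- '-w %s -p wa -k sysfile_change\n' "$f"
    done
}

# Hex SHA-256 digest of one file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# baseline BASELINE_FILE: record "digest path" for every watched file that
# exists. Files missing at baseline time are skipped.
baseline() {
    : > "$1"
    for f in $WATCHED_FILES; do
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$1"
        fi
    done
}

# check BASELINE_FILE: compare current digests against the baseline.
# Prints one CHANGED or MISSING line per deviation; exit status 1 if any
# file deviates, 0 if everything still matches.
check() {
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: tripwire.sh rules | baseline FILE | check FILE
case "${1:-}" in
    rules)    emit_audit_rules ;;
    baseline) baseline "$2" ;;
    check)    check "$2" ;;
esac
```

Load the rules with `auditctl -R` (or place them under /etc/audit/rules.d/), store the baseline file somewhere an attacker with write access to the watched files cannot also rewrite, and run `check` from cron; a non-zero exit is the event to alert on.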
Configuration and collecting of Linux audit events
A guide to setting up central audit logging for your Linux-based systems, using the powerful Linux audit framework. No single audit log should get lost!
Summary
This guide helps users of the Lynis Enterprise Suite configure a central node to receive Linux audit events. It provides some pointers for a quick set-up to store and forward events. This information is very valuable for forensic investigations and intrusion detection.
Configure the server
Start by configuring the server. Since this is a central log host, it should have enough disk capacity and enough bandwidth to sustain peaks.
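The guide stops before the actual server settings, so here is an added shell example (not the guide's own code, nor part of Lynis Enterprise) of the auditd.conf keys a central receiver needs: the TCP listener that lets audisp-remote clients deliver events, and the disk-pressure actions so that a full log partition is acted upon rather than silently dropping events. The config path, port 60, the 1-1023 client port range, and the size and threshold values are assumptions chosen for illustration; the ENRICHED log format assumes audit 2.6 or newer.

```shell
#!/bin/sh
# Added example; not the guide's own code and not part of Lynis Enterprise.
# Sets the auditd.conf keys that turn a host into a receiver for
# audisp-remote clients, plus explicit disk-handling actions. The path,
# the port and the size/threshold values are illustrative assumptions.

CONF=${CONF:-/etc/audit/auditd.conf}   # assumed default location

# set_key FILE KEY VALUE: rewrite an existing (possibly commented-out)
# "key = value" line in place, or append the setting if the key is absent.
set_key() {
    _file=$1 _key=$2 _value=$3
    if grep -Eq "^[#[:space:]]*${_key}[[:space:]]*=" "$_file"; then
        sed -i.bak -E "s|^[#[:space:]]*${_key}[[:space:]]*=.*|${_key} = ${_value}|" "$_file"
        rm -f "${_file}.bak"
    else
        printf '%s = %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# get_key FILE KEY: print the effective value (empty if unset or commented).
get_key() {
    sed -nE "s|^${2}[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# configure_audit_server CONF PORT: apply the receiver settings.
configure_audit_server() {
    _conf=$1 _port=${2:-60}
    # Listener for remote events. Plain TCP carries no confidentiality or
    # authentication by itself: use enable_krb5, or a VPN/tunnel, on
    # networks you do not trust.
    set_key "$_conf" tcp_listen_port     "$_port"
    set_key "$_conf" tcp_listen_queue    5
    set_key "$_conf" tcp_max_per_addr    1         # one connection per client host
    set_key "$_conf" tcp_client_ports    1-1023    # client must use a privileged source port
    set_key "$_conf" log_format          ENRICHED  # resolve uids/names when writing
    # Disk handling: rotate rather than stop, warn early, and make the
    # out-of-space behaviour explicit instead of relying on defaults.
    set_key "$_conf" max_log_file        20        # MB per file
    set_key "$_conf" num_logs            20
    set_key "$_conf" max_log_file_action rotate
    set_key "$_conf" space_left          2000      # MB free before warning
    set_key "$_conf" space_left_action   syslog
    set_key "$_conf" admin_space_left    500
    set_key "$_conf" admin_space_left_action suspend
    set_key "$_conf" disk_full_action    suspend
    set_key "$_conf" disk_error_action   suspend
}

# verify_audit_server CONF PORT: confirm the listener is active on PORT and
# that no disk-related action is unset or "ignore". Returns 1 on the first gap.
verify_audit_server() {
    _conf=$1 _port=${2:-60}
    if [ "$(get_key "$_conf" tcp_listen_port)" != "$_port" ]; then
        echo "tcp_listen_port is not $_port: remote clients cannot deliver"; return 1
    fi
    for k in max_log_file_action space_left_action admin_space_left_action \
             disk_full_action disk_error_action; do
        v=$(get_key "$_conf" "$k")
        case $v in
            ''|ignore) echo "$k is '$v': events may be lost without notice"; return 1 ;;
        esac
    done
    return 0
}
```

Run `configure_audit_server "$CONF" 60` as root, restart auditd, and keep `verify_audit_server` in a config-compliance check: a listener that silently reverts to disabled, or a disk action left at "ignore", is exactly the failure mode that loses audit logs.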