Intrusion Detection

How to see the file type?

Learn how to determine the details of most types of files on Linux, together with the understanding how these tools do their job.

Summary

Did you come across a file, but don’t know what type it is? Let’s learn how to analyze it.

The unknown file

You may encounter a file on your system with known contents or goal. Usually, the first thing we do is then use cat to show the contents, or execute it. While that makes sense, it may be dangerous to do. It might be a piece of malware, disrupt your screen output or even hang the terminal. Here is a better way to do it, using the file command. Great for forensics, malware analysis, intrusion detection, and normal day-to-day system administration.

Detecting Linux rootkits

In this article about intrusion detection we have a look at Linux rootkits, what they do and how to detect them.

Summary

Malware, or malicious software is also an issue on Linux systems. Let’s have a look into this threat and what actions you can take.

What is a rootkit?

A rootkit is a set of tools with the goal to hide its presence and to continue providing system access to an attacker. The word rootkit comes from the root user, which is the administrator account on Linux systems and Unix-clones. The kit refers to a toolkit, or a set of tools.

Configuring and auditing Linux systems with Audit daemon

Guide for auditing Linux systems by using the audit daemon and related utilities. This powerful audit framework has many possibilities for auditing Linux.

Summary

The Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing.

Auditing goals

By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:

  • Audit file access and modification
    • See who changed a particular file
    • Detect unauthorized changes
  • Monitoring of system calls and functions
  • Detect anomalies like crashing processes
  • Set tripwires for intrusion detection purposes
  • Record commands used by individual users

Components

The framework itself has several components:

How to deal with a compromised Linux system

Is your Linux system compromised or does it run suspicious processes? Learn how to investigate the system and create an action plan.

Summary

Learn the steps to take when you suspect that your Linux system is compromised.