
IS3440 Linux Security Unit 9 Linux System Logging and Monitoring


1 IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

2 Class Agenda 5/11/16
Covers Chapter 12 and 13
Unit 9 Quiz 4
Learning Objectives
Discussion on Lab Activities. The lab will be performed in class.
Break Times as per School Regulations.
Reminder: Please try to complete the Projects. The Final project is due on Unit 11. Final Exams on Unit 11.

3 Learning Objective Establish a system baseline with monitoring and logging to detect anomalies.

4 Key Concepts
Local and remote logging
File and data integrity checkers
Tools to monitor open ports
Security testing tools
Linux system monitoring within a virtual machine (VM) environment

5 EXPLORE: CONCEPTS

6 Monitoring systems: Linux Audit system
The Linux Audit system provides a way to track security-relevant information on your system.
Audit generates log entries
Determine violations of the security policy
Meet requirements of certifications or compliance

7 Use Cases of system audit
Track which files and directories have been accessed, modified, or executed.
Generate a log entry when a particular system call is used.
Recording commands run by a user
Recording security events
Searching for events
Running summary reports
Monitoring network access

8 Audit Service
Install the service with the yum install audit command.
Configure the service to run on boot with chkconfig auditd on.
Use the auditctl command to create audit rules.
Use the ausearch command to search for activity matched by the audit rules.
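The records that the audit rules from this slide produce end up in /var/log/audit/audit.log, and ausearch and aureport are the tools that read them. The following added example (not from the slides or the audit project) shows what those tools do underneath: it parses the key=value record format, joins the SYSCALL and PATH records that share one serial number into an event, and filters by the -k key a rule was tagged with. The log lines are constructed for the example, in the shape auditd writes for watch rules such as `auditctl -w /etc/passwd -p wa -k passwd_changes`.

```python
import re
from collections import Counter

# Constructed sample of audit.log records (not captured from a real host), in the
# format auditd writes for watch rules such as
#   auditctl -w /etc/passwd -p wa -k passwd_changes
#   auditctl -w /etc/ssh/sshd_config -p rwa -k sshd_config
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1462976400.101:201): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1462976400.101:201): item=0 name="/etc/passwd" inode=1050 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1462976455.302:202): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2200 pid=2234 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/bin/cat" key="sshd_config"
type=PATH msg=audit(1462976455.302:202): item=0 name="/etc/ssh/sshd_config" inode=2050 dev=fd:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1462976500.003:203): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=PATH msg=audit(1462976500.003:203): item=0 name="/etc/passwd" inode=1050 dev=fd:01 mode=0100644 ouid=0 ogid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields.
    msg=audit(seconds.millis:serial) is expanded into 'timestamp' and 'serial'."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": int(m.group(1)), "serial": int(m.group(2))}
    for key, value in FIELD_RE.findall(line):
        if key != "msg":
            rec[key] = value.strip('"')
    return rec


def group_events(log_text):
    """Join records that share a serial number into one event, as ausearch does:
    the SYSCALL fields plus the file names from the accompanying PATH records."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"paths": []})
        if rec["type"] == "PATH":
            ev["paths"].append(rec.get("name", ""))
        else:
            for key, value in rec.items():
                ev.setdefault(key, value)
    return [events[serial] for serial in sorted(events)]


def events_for_key(log_text, key):
    """Equivalent of `ausearch -k KEY`: every event produced by the rule tagged KEY."""
    return [ev for ev in group_events(log_text) if ev.get("key") == key]


def summary_by_key(log_text):
    """Per-rule hit count, the kind of summary aureport gives."""
    return Counter(ev["key"] for ev in group_events(log_text) if "key" in ev)


def failed_accesses(log_text):
    """Denied operations (success=no): the policy violations to review first."""
    return [ev for ev in group_events(log_text) if ev.get("success") == "no"]


if __name__ == "__main__":
    for ev in events_for_key(SAMPLE_AUDIT_LOG, "passwd_changes"):
        print(ev["timestamp"], ev["comm"], ev["exe"], "auid=" + ev["auid"], ev["paths"])
    print(dict(summary_by_key(SAMPLE_AUDIT_LOG)))
```

The auid field is the one to report on: it is the login UID, which survives su and sudo, so it attributes a root-level change to the person who logged in rather than to uid 0.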

9 Logwatch
Logwatch is a customizable, pluggable log-monitoring system.
It goes through your logs for a given period of time and produces a report on the areas you choose, at the level of detail you choose.
Logwatch is used on Linux and many types of UNIX.

10 Logwatch
It is a program written in the Perl scripting language that consolidates information from various log files and creates a report.
In Fedora, it is installed by default and runs daily.
Its main configuration file is /etc/logwatch/conf/logwatch.conf.
Its configuration allows setting a range of dates to read from the log files. By default, it reads logs from the previous day.
The reporting level of detail can be set to low, medium, or high.

11 Logcheck
Logcheck is a software package that is designed to run automatically and check system log files for security violations and unusual activity.
Used for: analyzing unusual security activity in the syslog, and monitoring Apache log files for errors caused by PHP scripts or other problems.

12 Logcheck
It is used mostly on Debian-based systems, such as Ubuntu.
By default, it runs every hour and upon a reboot.
Its main configuration file is /etc/logcheck/logcheck.conf.
The log files to monitor are set in the /etc/logcheck/logcheck.logfiles file.
It supports paranoid, server, and workstation levels of output.
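Logcheck's approach, a layered set of regular-expression rule files applied to new log lines, is easy to reason about once you see it in miniature. The following added example (not from the slides or the logcheck project) scans a constructed syslog excerpt with three rule layers in the spirit of logcheck's cracking, violations and ignore directories, collapses repeated messages into a count, and keeps anything that matched no rule in the report rather than dropping it. The rule patterns, sample lines and section headings are this example's own.

```python
import re

# Constructed syslog excerpt (not captured from a real host).
SAMPLE_SYSLOG = """\
May 11 09:01:12 web01 sshd[2210]: Accepted publickey for deploy from 192.0.2.15 port 50412 ssh2
May 11 09:01:40 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
May 11 09:01:42 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
May 11 09:02:01 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
May 11 09:03:10 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart httpd
May 11 09:04:55 web01 kernel: [12345.678] EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0
May 11 09:05:00 web01 systemd[1]: Started Session 42 of user deploy.
"""

# Three rule layers modelled on logcheck's cracking / violations / ignore directories.
# A line is tested in that order; a line matching no rule is still reported (as
# "unknown") so that a new kind of message is never silently lost.
ATTACK_RULES = [
    re.compile(r"sshd\[\d+\]: Failed password for invalid user"),
    re.compile(r"POSSIBLE BREAK-IN ATTEMPT"),
]
VIOLATION_RULES = [
    re.compile(r"\bsudo: .* COMMAND="),
    re.compile(r"kernel: .*EXT4-fs error"),
]
IGNORE_RULES = [
    # Ignore rules are deliberately tight: anchored, with the variable parts spelled out,
    # so an unexpected variant of a "normal" message still surfaces in the report.
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2$"),
    re.compile(r"CRON\[\d+\]: \(\w+\) CMD \("),
    re.compile(r"systemd\[1\]: Started Session \d+ of user \w+\.$"),
]


def classify(line):
    """Return 'attack', 'violation', 'ignore' or 'unknown' for one syslog line."""
    layers = (("attack", ATTACK_RULES), ("violation", VIOLATION_RULES), ("ignore", IGNORE_RULES))
    for category, rules in layers:
        if any(rule.search(line) for rule in rules):
            return category
    return "unknown"


def scan(log_text):
    """Build the report: for each reported category, message body -> occurrence count.
    The 15-character syslog timestamp is stripped first so that a message repeated
    with different timestamps collapses into one entry instead of flooding the report."""
    report = {"attack": {}, "violation": {}, "unknown": {}}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        category = classify(line)
        if category == "ignore":
            continue
        body = line[16:]
        report[category][body] = report[category].get(body, 0) + 1
    return report


def format_report(report):
    """Render the report with one headed section per non-empty category."""
    titles = {"attack": "Security Alerts", "violation": "Security Events", "unknown": "System Events"}
    out = []
    for category in ("attack", "violation", "unknown"):
        if not report[category]:
            continue
        out.append(titles[category])
        out.append("=-" * 30)
        for body, count in report[category].items():
            out.append(f"{body}  (x{count})" if count > 1 else body)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(scan(SAMPLE_SYSLOG)))
```

The ignore layer is where most of the tuning effort goes in practice, and the slide's paranoid/server/workstation levels are exactly a choice of how large that layer is allowed to be: the fewer lines you ignore, the noisier but more complete the report.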

13 File Integrity Checkers
Tripwire
Advanced Intrusion Detection Environment (AIDE)
Chkrootkit
Rootkit Hunter (rkhunter)
Tripwire: Stores a security policy containing rules for all files to be checked. When a file changes, Tripwire compares it against the stored checksum and fires an alert.
Advanced Intrusion Detection Environment (AIDE): Developed as a replacement for Tripwire; works on the same concept as Tripwire.
Chkrootkit: Checks system binaries for modifications; also checks other files for rootkits and worms known to Linux.
Rkhunter: Checks for rootkits and other vulnerabilities.
11/15/2018 (c) ITT Educational Services, Inc.
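The concept Tripwire and AIDE share is a two-step one: record a baseline of each watched file's checksum and attributes, then re-scan and report every difference. The following added example (not from the slides or from either project) implements that cycle over a small constructed directory tree: it fingerprints each file with SHA-256, size and permission bits, then shows that the check catches a same-size content change, a permission change, a deleted file and a new file. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    """Attributes an integrity checker records per file: content hash, size and mode bits."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root):
    """The 'init' step: fingerprint every regular file under ROOT, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """The 'check' step: files added, removed, or changed (listing the attributes that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [attr for attr in baseline[rel] if baseline[rel][attr] != current[rel][attr]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Self-contained run: build a small constructed tree, baseline it, alter it, re-check."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        files = {
            "bin/ls": b"original ls",
            "etc_passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc_hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
            os.chmod(os.path.join(root, rel), 0o644)  # fixed mode so the baseline is deterministic
        baseline = build_baseline(root)

        # Simulated changes after the baseline was taken:
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"modified ls")                        # same size as before, different content
        os.chmod(os.path.join(root, "etc_passwd"), 0o666)   # content intact, permissions loosened
        os.remove(os.path.join(root, "etc_hosts"))         # file deleted
        with open(os.path.join(root, "bin/unexpected"), "wb") as f:
            f.write(b"not in the baseline")                # file added

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two points carry over directly to the real tools. A size or timestamp check alone misses the first change (bin/ls keeps its length), which is why the checkers hash content. And the baseline is only trustworthy if an intruder who gains root cannot rewrite it to match the altered files: Tripwire signs its database and policy, and the usual advice for AIDE is to keep the database on read-only media or off the host.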

14 EXPLORE: PROCESSES

15 Enabling ModSecurity on Fedora
Step 1: Install ModSecurity by typing the following command:
root]$ su -c 'yum install mod_security'
Optional Step: Define custom rules in addition to the base rules.
Step 2: In a text editor, open the /etc/httpd/modsecurity.d/modsecurity_localrules.conf file.
Step 3: Type custom rules.
Step 4: Save and exit.
Step 5: Start the Apache Web server using the following command:
root]$ su -c 'service httpd start'

16 EXPLORE: ROLES

17 Port Monitoring and Log Configuration
Indexes and monitors ports
Investigates unauthorized ports
Log configuration: Configures logs on local and remote logging servers and runs log scanners, such as logwatch

18 ModSecurity
Filters each Hypertext Transfer Protocol (HTTP) request to the Apache Web server
Reads the request header and body content to pass, allow, deny, redirect, and log HTTP requests based on predefined rules

19 EXPLORE: CONTEXTS

20 Remote Monitoring and Logging
Used to consolidate monitoring and logging of all servers for easier and more effective monitoring of the computer systems in a network
Linux system administrator monitors from a central location
Logging and monitoring server
Linux system logs
Firewall logs

21 EXPLORE: RATIONALE

22 Importance of a Baseline
It provides the reference point against which anomalies are identified.
It helps ensure computer system availability with regard to increased network traffic, hard drive usage, and potential hardware problems.

23 Host-Based Intrusion Detectors
Provide a solution to the "needle in the haystack" problem
Provide a layer of security
Help establish a baseline for files, processes, and ports

24 Summary
In this presentation, the following concepts were covered:
Audit service, logwatch, and logcheck
File integrity checkers
Remote monitoring and logging
Port monitoring, log configuration, and ModSecurity
Importance of a baseline and host-based intrusion detectors

25 Assignments and Quiz
Unit 9 Quiz 4
Lab 9.2 Implement Best Practices for Security Logging & Monitoring
