Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

Published byPierce Norman Modified over 5 years ago

Similar presentations

Presentation on theme: "IS3440 Linux Security Unit 9 Linux System Logging and Monitoring"— Presentation transcript:

1 IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

2 Class Agenda 5/11/16 Covers Chapter 12 and 13 Unit 9 Quiz 4
Learning Objectives Discussion on Lab Activities. Lab will be perform in class. Break Times as per School Regulations. Reminder: Please try to complete the Projects. The Final project due on Unit 11. Final Exams on unit 11.

3 Learning Objective Establish a system baseline with monitoring and logging to detect anomalies.

4 Key Concepts Local and remote logging File and data integrity checkers
Tools to monitor open ports Security testing tools Linux system monitoring within a virtual machine (VM) environment

5 EXPLORE: CONCEPTS

6 Monitoring systems-Linux Audit system
Linux Audit system provides a way to track security-relevant information on your system. Audit generates log entries Determine the violation of the security policy Requirements of certifications or compliance

7 ⁠Use Cases of system audit
Track files and directory has been accessed, modified, executed. Generate logs entry when particular system call is used. Recording commands run by a user Recording security events Searching for events Running summary reports Monitoring network access

8 Audit Service Install the service with the yum install audit command.
Configure the service to run on boot with chkconfig auditd on. Use auditctl command to create audit rules. Use ausearch command to search for activity in the audit rules.

9 Logwatch is a customizable, pluggable log-monitoring system.
It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Logwatch is being used for Linux and many types of UNIX

10 Logwatch It is a program written in Perl scripting language that consolidates information from various log files and creates a report. In Fedora, it is installed by default and runs daily. Its main configuration file is /etc/logwatch/conf/logwatch.conf. Its configuration allows to set range of dates from the log files. By default, it reads logs from the previous day. The reporting level of activity can be set as low, medium, or high.

11 Used: analyzing security unusual activity in the syslog
Logcheck Logcheck is a software package that is designed to automatically run and check system log files for security violations and unusual activity. Used: analyzing security unusual activity in the syslog to monitoring Apache log files for errors caused by PHP scripts or other problems.

12 Logcheck It is used mostly on Debian-based systems, such as Ubuntu.
By default, it runs every hour and upon a reboot. Its main configuration file is /etc/logcheck/logcheck.conf. The log files to monitor are set in the /etc/logcheck/logcheck.logfiles file. It supports paranoid, server, and workstation levels of output.

13 File Integrity Checkers
11/15/2018 File Integrity Checkers Tripwire Advanced Intrusion Detection Environment (AIDE) Chkrootkit Rootkit Hunter (rkhunter) Tripwire Stores a security policy containing rules for all files to be checked. When a file changes, Tripwire compares it against the checksum and fires an alert. Advanced Intrusion Detection Environment (AIDE) Developed as a replacement for Tripwire Works within the same concept as Tripwire Chkrootkit Checks system binaries for modifications Checks other files as well for rootkits and worms known to Linux Rkhunter Checks for rootkits and other vulnerabilities (c) ITT Educational Services, Inc.

14 EXPLORE: PROCESSES

15 Enabling ModSecurity on Fedora
Step 1: Install ModSecurity by typing the following command: Optional Step: Define custom rules in addition to the base rules. Step 2: In a text editor, open the /etc/httpd/modsecurity.d/modsecurity_localrules.conf file. Step 3: Type custom rules. Step 4: Save and exit. Step 5: Start the Apache Web server using the following command: root]$ su -c 'yum install mod_security' root]$ su -c 'service httpd start'

16 EXPLORE: ROLES

17 Port Monitoring and Log Configuration
Indexes and monitors ports Investigates unauthorized ports Log configuration: Configures logs on local and remote logging servers and runs log scanners, such as logwatch

18 ModSecurity Filters each Hypertext Transfer Protocol (HTTP) request to the Apache Web server Reads the request header and body content to pass, allow, deny, redirect, and log HTTP request based on predefined rules

19 EXPLORE: CONTEXTS

20 Remote Monitoring and Logging
Used to consolidate monitoring and logging of all servers for easier and more effective monitoring of computer systems in a network Linux system administrator monitors from a central location Logging and monitoring server Linux system logs Firewall logs

21 EXPLORE: RATIONALE

22 Importance of a Baseline
It establishes anomalies. It ensures computer system availability with regards to an increased network traffic, hard drive usage, and potential hardware problems.

23 Host-Based Intrusion Detectors
Provide a solution to the “needle in the haystack” problem Provide a layer of security Help establish a baseline for files, processes, and ports

24 Summary In this presentation, the following concepts were covered:
Audit service, logwatch, and logcheck File integrity checkers Remote monitoring and logging Port monitoring, log configuration, and ModSecurity Importance of a baseline and host-based intrusion detectors

25 Assignments and Quiz Unit 9 Quiz 4 Lab 9.2 Implement Best Practices for Security Logging & Monitoring

Download ppt "IS3440 Linux Security Unit 9 Linux System Logging and Monitoring"

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Presented by C.SARITHA ( 07R91A0568) INTRUSION DETECTION SYSYTEM.

Presented by C.SARITHA ( 07R91A0568) INTRUSION DETECTION SYSYTEM.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Linux Networking and Security Chapter 10 File Security.

Linux Networking and Security Chapter 10 File Security.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Linux Operations and Administration

Linux Operations and Administration
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Module 14: Configuring Server Security Compliance

Module 14: Configuring Server Security Compliance
Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.

Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.

Similar presentations

Ads by Google