/var/log ð§
/etc/rsyslog.conf - see the log owners, what specific logs are logging and where the additional configurations are stored.
cd rsyslog.d && less 50-default.conf - to see additional configurations: what specific logs are logging, how they are called and where to find them.
sudo less syslog - most of the system logs.
auth.log - authorization messages
kern.log - kernel messages
To configure what is being logged, how and when, go to /etc/audit. apt-cache search auditd (if it’s not installed). nano audit.rules files to open. Config example:
-w /etc/shadowto keep track of the users added/deleted/modified.w- watch file:-p- watch for permission;wa- look for writes;-k <name>- give the name of this log entries.
a always,exit- look for actions:- generate alerts
always; - look for specific syscall
-S clock_settime; -k <name- give the name of this log entries, for example,timechange.
- generate alerts
To start auditing, run the daemon: service auditd start. The results are stored in /etc/audit.log.
Sysmon for Linux
eBPF -> sysinternalsEBPF (based on libbpf). eBPF allows programs to run in a sandbox within OS. Microsoft has customised it and sysinternalsEBPF was created to monitor security events on Linux.
https://github.com/Sysinternals/SysmonForLinux, eForensics Magazine, Linux Forensics and Security, Enhance Visibility And detection On Linux With Sysmon, by Sergio Figueiredo.