/var/log
ð§
/etc/rsyslog.conf
- see the log owners, what specific logs are logging and where the additional configurations are stored.
cd rsyslog.d && less 50-default.conf
- to see additional configurations: what specific logs are logging, how they are called and where to find them.
sudo less syslog
- most of the system logs.
auth.log
- authorization messages
kern.log
- kernel messages
To configure what is being logged, how and when, go to /etc/audit
. apt-cache search auditd
(if it’s not installed). nano audit.rules
files to open. Config example:
-w /etc/shadow
to keep track of the users added/deleted/modified.w
- watch file:-p
- watch for permission;wa
- look for writes;-k <name>
- give the name of this log entries.
a always,exit
- look for actions:- generate alerts
always
; - look for specific syscall
-S clock_settime
; -k <name
- give the name of this log entries, for example,timechange
.
- generate alerts
To start auditing, run the daemon: service auditd start
. The results are stored in /etc/audit.log
.
Sysmon for Linux
eBPF -> sysinternalsEBPF
(based on libbpf
). eBPF allows programs to run in a sandbox within OS. Microsoft has customised it and sysinternalsEBPF
was created to monitor security events on Linux.
https://github.com/Sysinternals/SysmonForLinux, eForensics Magazine, Linux Forensics and Security, Enhance Visibility And detection On Linux With Sysmon, by Sergio Figueiredo.