Ubuntu Security :: OSSEC Realtime File Monitoring Setup
Oct 15, 2010
I am striving to set up OSSEC to monitor some specific files for realtime changes! Is this possible? I can't really find a lot of info in their documentation.
Some examples:
/etc/myfile.txt is deleted. I need this to be reported.
/etc/myfile.txt is created again, so I need this to be reported again!
This has to happen instantly though, because the file might be deleted and created again many times in a short period of time. Another one...
/etc/passwd is touched (accessed) even if there are no changes! Can this be reported as well?
Mar 7, 2010
Can OSSEC be run from Ubuntu with fewer notifications, to mail only intrusions? I really don't wish to be notified of every single thing that goes on in my system. I only want to be notified of intrusions and anything else that would be of serious concern. Can anyone tell me what setting I can use to achieve the goal in mind?
Apr 29, 2010
OSSEC is detecting a trojaned version of /bin/login on a Lucid clean install.
Code:
[FAILED]: Trojaned version of file '/bin/login' detected. Signature used: 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).
Oct 1, 2010
At our company we have a central server with client files. This server has an SSH server installed, and through Nautilus all employees can access the files. However, I have a few questions:
1. Most employees need access to all folders, because they might use them at some point in time. However, I want to make sure they are not accessing things they do not need. How can I do this? For instance, if somebody copies all of the folders to his/her computer, I want to be able to see this in some sort of log. Can this be done? Copying and accessing in general is what is of my concern.
2. Some employees only need access to specific folders. Can this be easily configured with SFTP?
3. Some also use SSH and type commands which I want to check every now and then (e.g. to make sure an intern is not again copying information or accessing folders they should not be in). What is a good way to do this?
May 23, 2010
I have installed OSSEC and save it to my SQL database, but the timestamp of the alert is not human readable. How do I make it readable? Is there an algorithm to make it readable?
Jan 5, 2010
This might be a very stupid question, but I'm wondering if anyone can tell me if there is any antivirus software for Linux? I know that it normally is not something that is needed, but in the company where I work they have a policy saying that every OS must have a realtime antivirus program installed on the PCs with automatic updates.
Jan 7, 2010
I've been messing around with Ubuntu 9.1 for the last few weeks and am loving it so far. I've been trying to get in the terminal and learn a little something, to no avail. LOL. I have been googling and searching the site today for info on networking. My Linux box is a desktop, with my main HDD mounted with music, movies and some other stuff. My intent is to network the two laptops in the house (Windows XP and Windows 7) to the Linux box so I can listen to my music and watch movies when not in the office. I have found some info, mostly involving Samba, and plan to install Samba tonight and fiddle with it. My issue was with security. I have read a few posts and they talk about the fact that if you share files in this manner, the setup is not secure at all. Is this something I should really be concerned about? If the folders I share only have my music and videos in them,
May 15, 2010
Jumped into a Linux class in college with only 3 weeks left in the course. I thought I would be able to catch on, and go figure, it didn't exactly happen that way. I was given an assignment to do, and I am so far lost it isn't even funny. I need to create a directory structure, set up file security, create a step-by-step instruction manual on how to copy/delete said files, and create a guide to common Linux commands. How would I create these files in root and share them with the other users? And where can I find a list of common commands and their functions?
Sep 1, 2010
In my network a Nagios server is running on Ubuntu Server and working fine. I am able to monitor servers in the local network through plugins and SNMP. Now I want to monitor some servers which are located at a remote location (network) and they don't have real IPs (all are behind a router/firewall). I can allocate a real IP to the Nagios server if required. How can I monitor those servers?
Nov 2, 2010
I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech. I have 2 groups: tech and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute. I have 4 users: user1, user2, user3, user4. user1 and user2 are members of techAdmin, user3 and user4 are members of tech. Simple so far... but wait, here's the problem. If user1 creates a file inside tech, user2 can't read or modify it because user1 owns it. Here's a few sites that reference this problem:
[code]....
Jan 31, 2010
Is there a program that monitors and displays 'who' is on your wireless Internet signal that one may not be aware of? Like, the ability to see when someone that you don't know is accessing your locked wireless?
Dec 15, 2010
I've a firewall machine; customers connect to it, then connect to one of another 3 machines as root through an SSH key. Is there any way to know which user connected to which machine and what commands he has executed, without using the script command?
Nov 30, 2010
How do I monitor who is ssh'ing into a box (SLES) as well as failed attempts? How can I log their IP addresses, even if they're not in DNS? In /var/log/messages I see their hostname but no IP address.
May 9, 2010
I was reading a magazine article today which was a discussion of internet detective work for tracking down IP addresses which attempt an SSH login to your machine. I have never really paid much attention to network security since I only run a small home network. I have WPA encryption and a firewall on my router. But while reading this article, I remembered that I myself have seen log files in the past that indicated someone somewhere had attempted to log into my machine (attempts all failed). This had happened a few times, but I never really considered it a threat.
But, the more I read about home computers becoming "zombies" for criminals, I guess I am getting a little paranoid in my old age, particularly since my wife does quite a bit of business on the net with credit cards. I have four computers connected to the net and each other on this network, and would like to be able to easily detect attempted log ins and deal with them quickly.
So my reason for posting is to ask if someone could recommend a novice-friendly application for monitoring traffic to check this intermittently. I have read bodhi.zazen's excellent tutorial on snort, but it appears to be written for large LANs or web servers and is overkill for a small home network.
Sep 30, 2010
I'm going to start monitoring our Linux servers with a log management/correlation tool to take a proactive approach to the security of our systems.
Right now I'm going to search for log events that include the following:
Any other commands or logs that would be good to correlate or be alerted on when a potential breach or suspicious activity is happening on the box? Logging cleared, permission changes on accounts or particular files or directories? What would you want to see while monitoring your servers?
Nov 7, 2010
We have around 20-30 HP and Dell hardware where we have attached pen drives. There is no rack-lock facility. A misuse of pen drives is reported, and it happens every alternate day that someone unplugs and steals the drive attached. There is no camera facility to monitor. I have a plan to write a script which will log in to every machine through iLO and watch the USB availability. In case anyone detaches the USB, a mail will be sent to the administrator and thereby steps could be taken. Does this idea look feasible?
Apr 19, 2011
I've spent days trying to setup access properly from a public address to a monitoring server that works fine locally. Everything works from public access until I try to link to a CVS repository. The rancid CVS repository is set up as a separate server (virtualhost). It appears the referring link causes a DNS error (105: Server Not Found) when the CVS repository server is accessed from the public address. Things work fine when accessing via localhost.
Localhost link:
[URL]
Public link: (this results in a 105 error caused by redirection (bold portion of link))
[URL]
Code:
Virtualhost config:
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
[code]....
Feb 9, 2011
I am currently running a 64-bit Fedora 14 server which hosts a game server, a voice server, and remote desktop functionality, each on a distinct TCP port. I am currently using the built-in firewall to deny all traffic other than ICMP ping/pong and TCP traffic on those specific ports. I am looking for a graphical application which will let me monitor any connections being made to my server in order to keep an eye out for possible security concerns. To be more specific, I'd like to be able to see the source IP addresses, TCP/UDP ports, and individual bandwidth in use by external connections being made to the server, along with any other information that might be helpful in identifying a possible intrusion attempt.
Feb 9, 2010
Can someone guide me to the best open source tools to monitor, whether web-based, GUI, or shell prompt?
Mar 11, 2011
I have installed Ubuntu on VMware and just finished the networking part after some trouble. Now I need to install the OSSEC HIDS, the most recent release. I need to know what all the prerequisites are and the procedure. I am very much new to Ubuntu or any other Linux-based platform.
Jun 25, 2011
I am looking for a file monitor to tell me when a file was attempted to be accessed, but was denied. A windows equivalent could be the auditing feature in server 2k3. I don't know which account or which file is attempting to access or be accessed, but I was hoping something built into Linux would support some sort of file auditing for security purposes.
Feb 3, 2010
Is there a way to delete files on the command line that uses the KDE Wastebin? It appears that I never ever need the KDE4 Wastebin for files that I deleted through Konqueror or Dolphin. It is only when I delete files on the konsole with rm that I wish I could undelete them. It always happens like that, mostly by being in the wrong directory or using a wildcard when I should not have. (I don't have any erroneously deleted file right now, and I do have plenty of backups, but I just wonder whether there is something better than rm to use generally on the command line.)
Jan 9, 2010
Trying to figure out which Intrusion Detection System would be best for me. I've got a CentOS 5 / Linux / Apache system. If you've got experience with either (or both), please let me know your thoughts. I'm looking for the one that's not as technical, and a bit more user friendly I guess.
Sep 16, 2010
I'm running a Debian/Samba PDC on a Windows network. We desire to monitor a few network shares, so that whenever a change is made to a file in those, we have a log of who did it and when. Some capability of seeing what the change was, or a way of reverting it, would be nice luxuries. But username and timestamp are most important, if possible.
On the Debian forums, someone advised using Tripwire for this purpose. They didn't give much other advice about it, so I kind of struck out on my own researching Tripwire. I got it installed, played with it, and found it problematic, to say the least. It seems a bit much on the complexity and security side, and it seems more oriented towards maintaining system integrity than monitoring documents. So far I've not managed to get a policy update working on account of a cascade of errors about a few hundred files under /proc disappearing, despite no changes to the system. So I'm wondering if anyone here has advice.
1. Does Debian have this sort of functionality built in? Is there a system log I can parse to get this information?
2. Is Tripwire the right application for our purpose?
3. Is there anything better suited, more user-friendly or more parsimonious? I don't need something to monitor all system files, guard against intrusion, and make me cups of tea, just to monitor a few folders that I specify.
Sep 15, 2010
Is there a clever way to monitor the progress (as percentage or hash) of copying a large file (using pv could be an option)? Like monitoring the progress of a copy command such as this:
Code:
cp linux.iso /tmp/
May 21, 2011
I have an application which generates logs like this
Code:
2011-05-17 13:21:27 - Msg 2402
File loading terminated.
File information: 3 records in input file found
3 records processed
0 records skipped
Load statistics: 3 messages loaded correctly
0 messages ignored
0 messages with errors
Details:
Destination OK ignored errors correct incorrect not sel. other
house Server (def 3 0 0 0 2 1 0
2011-05-17 13:21:27 - Msg 2410
Archiving information: File /path/to/xxx.txt
was archived as /path/to/xxx.txt.
Now I want to monitor this "house Server (def" line and send an alert based on 3 0 0 0 2 1 0, say:
Code:
if [ "$5" -gt 0 ] || [ "$6" -gt 0 ]; then
    <send email>
fi
Apr 5, 2011
Is there any way to make a program on a Linux machine that makes a report when some files have been copied to another directory or machine and knows the user who copied the files? I am planning to make this program in C. Honestly, at first I wanted to make it in Python when I learned about pyinotify and how easy it is to monitor files on a machine, but the problem is I cannot integrate that Python script to know the users who do that, except for the one who created the file.
Dec 6, 2010
I am just out of curiosity working with a honeypot and found there are two ways for arpd to route the unused IPs to the honeypot: with blackhole and ARP spoofing. Now to test, I am ARP spoofing 5 machines from 192.168.100.41 to .45 and the honeypot is monitoring this range too. But I have set up a real machine with a webserver in this range and gave it the IP address 192.168.100.45. Now logically, as arpd and the honeypot are both monitoring this range, they capture this request as below from the log:
Code:
arpd[1690]: arpd_lookup: no entry for 192.168.100.45
arpd[1690]: arpd_send: who-has 192.168.100.45 tell 192.168.100.10
arpd[1690]: arpd_send: who-has 192.168.100.45 tell 192.168.100.10
arpd[1690]: arp reply 192.168.100.45 is-at 08:00:27:00:76:e5
arpd[1690]: arp reply 192.168.100.45 is-at 08:00:27:00:76:e5
code....
Now arpd is redirecting the traffic to the honeypot machine, as there is a real system with a real MAC address. But from 192.168.200.10 I can also view the webpage of the 192.168.100.45 machine. But most of the time it says "Connection Timed out".
Should it be acting like this, or shouldn't it be showing me the webpage at all?
Jan 27, 2011
We are looking to monitor and log selected application file systems for file create/modify/delete changes that will also include the user account that changed/deleted the file, the file name, and the date and time of the event. Everything I have looked at does not seem to provide all of the information that we need. Inotify seems to monitor modify/create/delete but does not seem to provide the user account. Auditd seems to monitor modify/create/append with the user account, but not deletes. We need to provide this information to auditing for Sarbanes-Oxley compliance.
Apr 27, 2011
I am trying to install Openbravo on my server. I have installed all the prerequisites such as Ant and the JDK (though I installed the JRE).
Everything goes fine until the ant setup and then running the setup-prerequisites... file (don't remember the exact name).
As soon as I issue ant install.source it ends up with some errors..