On Fri, 24 Apr 2020 at 13:21, bruce <badouglas@gmail.com> wrote:

Hi/Morning.

This is a continuation of my looking to nail down what should be Monitored/Scanned to secure a Fed server/VM.

I've looked over a number of Monitor apps (Solarwinds/Nagios/Zabbix/etc). Can't really find a good list of the things that should be monitored, so I've compiled the following list.

Years ago I found that monitoring for attempts to access/probe ports from boxes I didn't manage was detecting compromised systems (mostly Windows). IT then installed tools to block attempts to access unauthorized ports or domains on the internet (and then take offending boxes off to be reimaged). I did have to document our need to access a few blacklisted sites (there is an industry of people filing complaints against legit sites for political reasons or because they had been fired from a company that used the site). That had the effect of greatly reducing the unwanted access attempts. It would be interesting to know what capabilities the open source have to watch for suspicious connection attempts.

I should also mention that the Usenix Association makes issues of their ";logon:" magazine public a year after publication. These contain reports from security interest groups, book reviews, and articles highlighting tools for security monitoring.

I'm thinking the monitoring/scanning process needs to check for,
or handle the following:
-user attempts to access a system/ssh interaction/- logins/access
there's a ddos on one of the VM/webapps
rootkit/file issue
possible intrusion attempts
-for ports
-for log files
-for user accounts
files/dirs -perms/user owner
log files
system/services -- required services running... invalid services disabled
cron
dirs/files/filesystem
website
db
config file issues
rootkit issues
malware issues
vulnerability issues -- vuls.io
selinux
partitions for the drive
firewall

mysqld

httpd

nfs

sshd

-php valid
-python valid
-package scan
-pip scan
-pecl scan
-should the libs be scanned?
-how to scan/check for/alert on invalid apps running?

config files -- valid/invalid

Feel free to add or comment on anything I've listed.

Once I narrow down the list, I'll figure out which tool/dashboard to use for the Monitoring/Scanning. I might have to also have a separate Dashboard (ELK?) to handle the log analysis/display.

Thanks

_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

George N. White III