Hi/Morning.
This is a continuation of my looking to nail down what should be Monitored/Scanned to secure a Fed server/VM.
I've looked over a number of Monitor apps (Solarwinds/Nagios/Zabbix/etc). Can't really find a good list of the things that should be monitored, so I've compiled the following list.
I'm thinking the monitoring/scanning process needs to check for, or handle, the following:
- user attempts to access a system / ssh interaction
- logins/access
- there's a DDoS on one of the VMs/webapps
- rootkit/file issue
- possible intrusion attempts
- ports
- log files
- user accounts
- files/dirs -- perms/user owner
- log files
- system/services -- required services running... invalid services disabled
- cron dirs/files/filesystem
- website db config file issues
- rootkit issues
- malware issues
- vulnerability issues -- vuls.io
- selinux
- partitions for the drive
- firewall
- mysqld
- httpd
- nfs
- sshd
- php valid
- python valid
- package scan
- pip scan
- pecl scan
- should the libs be scanned?
- how to scan/check for/alert on invalid apps running?
- config files -- valid/invalid
Feel free to add or comment on anything I've listed.
Once I narrow down the list, I'll figure out which tool/dashboard to use for the Monitoring/Scanning. I might have to also have a separate Dashboard (ELK?) to handle the log analysis/display.
Thanks
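Two of the items above (required services running / invalid services disabled, and ssh login attempts) as a small check you can run from cron or feed into a dashboard. This is an added example, not code from the poster or from any of the monitoring tools named; the REQUIRED/FORBIDDEN sets, the threshold and the sample lines are hypothetical and constructed, and the unit names assume Fedora's systemd naming (nfs is nfs-server).

```python
import re
from collections import Counter

# Hypothetical policy for one host; adjust to the server's real role.
REQUIRED = {"sshd", "httpd", "mysqld", "nfs-server"}  # Fedora unit names (nfs = nfs-server)
FORBIDDEN = {"telnet", "rsh"}                          # must never be active
FAILED_LOGIN_THRESHOLD = 3                             # failures per source address

UNIT_RE = re.compile(r"^\W*(\S+)\.service\s+(\S+)\s+(\S+)\s+(\S+)")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_units(text):
    """Map unit name -> ACTIVE column of `systemctl list-units --type=service --all --no-legend`."""
    units = {}
    for line in text.splitlines():
        m = UNIT_RE.match(line)   # leading spaces or the ● marker on failed units are skipped
        if m:
            units[m.group(1)] = m.group(3)
    return units

def check_services(units, required=REQUIRED, forbidden=FORBIDDEN):
    """Findings: required units that are not active, forbidden units that are."""
    findings = [f"required service {n} is {units.get(n, 'missing')}"
                for n in sorted(required) if units.get(n) != "active"]
    findings += [f"forbidden service {n} is running"
                 for n in sorted(forbidden) if units.get(n) == "active"]
    return findings

def failed_ssh_sources(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Count sshd 'Failed password' lines per source address; return sources at/over threshold."""
    counts = Counter(src for _user, src in SSH_FAIL_RE.findall(log_text))
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed samples, not captured from a real host.
SAMPLE_UNITS = """\
  httpd.service      loaded active running The Apache HTTP Server
  mysqld.service     loaded active running MySQL 8.0 database server
● nfs-server.service loaded failed failed  NFS server and services
  sshd.service       loaded active running OpenSSH server daemon
  telnet.service     loaded active running Telnet server
"""
SAMPLE_AUTH = """\
Mar  3 10:12:01 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar  3 10:12:03 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
Mar  3 10:12:06 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 4430 ssh2
Mar  3 10:15:44 web1 sshd[1210]: Failed password for bob from 198.51.100.7 port 5100 ssh2
"""
```

On a live host, replace SAMPLE_UNITS with the output of the systemctl command named in the docstring and SAMPLE_AUTH with `journalctl -u sshd` or /var/log/secure, and ship the returned findings to whichever alerting/dashboard tool you settle on.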