Hey.
Not willing to step on toes. Is asking for opinions on tools to do system/security monitoring off topic? Been doing research, thought I'd ask here as well - if it's acceptable?
thanks
On 2020-04-21 21:33, bruce wrote:
Not willing to step on toes. Is asking for opinions on tools to do system/security monitoring off topic? Been doing research, thought I'd ask here as well - if it's acceptable?
Not off topic at all.
Fedora supplies tools used in the area. So, all you would need do is to outline your goals, what you've learned in your research, and how you'd like to get help from the community.
Hey Ed.
Thanks for the reply.
Regarding the security/monitoring issue.
Here's my use case:
I'm looking to have multiple servers. Servers would be running different apps for different purposes. All Servers running Fed:
- DB Server - mysql/mariadb
- Server running webapps/httpd
- Servers running compute operations
- All servers configured to run ssh - sshd_config properly configured to limit access
- All servers configured to run with minimal ports turned on
- All servers with selinux
My goal would be to have a monitoring/security server/webapp that allows a user to quickly "see" if there's an issue with any of the servers/processes
I think it makes sense to check/monitor/be alerted if:
- there's a user attempt to access
- there's a ddos on one of the webapps
- there's a root/file issue
- there's a port access issue
- possible intrusion attempts
- weird services used
- any others???
possible software/apps to be installed for security:
- rkhunter
- fail2ban
- selinux
- clamav - although not sure the project would need a mail server/platform
- log monitoring app (which one)
- app to check file/dir/user settings (which one)
- scanning app/service (which one)
  - for ports
  - for services
  - for log files
  - for user accounts
I think it makes sense to try to define, or get my head around, the things that should be checked out or monitored. Once I get these things nailed down, I can figure out the "best" process to be able to monitor the items, as well as display them in some sort of dashboard.
I've looked over a number of different sites for rhel/ubuntu/fedora/etc. Most of the sites discuss hardening ssh, as well as looking over the services/ports, and managing the users/files/dirs.
I'm thinking the things to check for:
- Users/User Accounts
- logins/access
- ports
- services/processes
- files/dirs - perms/user owner
- log files
Any other things that should be checked/examined/considered?
Once I can get a good list of high level things to check for/secure, I can figure out the tools to use, as well as how to roll all of this up to some sort of dashboard.
So my thought process will be:
1) Identify the high level things to check for/secure/monitor for the given Server Type
2) Identify the tools to run the scans for the Server Type
3) Figure out how to roll the results for each server to a "central monitoring/dashboard process"
Does this make sense?
Thoughts/comments welcome
On Tue, Apr 21, 2020 at 9:49 AM Ed Greshko ed.greshko@greshko.com wrote:
On 2020-04-21 21:33, bruce wrote:
Not willing to step on toes. Is asking for opinions on tools to do system/security monitoring off topic? Been doing research, thought I'd ask here as well - if it's acceptable?
Not off topic at all.
Fedora supplies tools used in the area. So, all you would need do is to outline your goals, what you've learned in your research, and how you'd like to get help from the community.
-- The key to getting good answers is to ask good questions. _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
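The first item on the list above, alerting when someone keeps trying to log in, is what fail2ban does for sshd, and step 3 of the plan is turning that into something a central dashboard can ingest. The following is an added example written for this thread (it is not fail2ban, and not code from anyone on the list): it parses sshd log lines in the format Fedora writes to /var/log/secure and the journal, counts failures per source address inside a sliding time window, flags sources that cross a threshold, and emits the result as JSON. The log lines, hostnames, user names and the 203.0.113.x / 198.51.100.x addresses are constructed samples (documentation address ranges); the year is an assumption because syslog timestamps do not carry one.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd's /var/log/secure format (not from a real host).
SAMPLE_LOG = """\
Apr 21 09:40:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Apr 21 09:40:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Apr 21 09:40:04 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 50141 ssh2
Apr 21 09:40:06 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 50150 ssh2
Apr 21 09:40:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 50166 ssh2
Apr 21 09:41:30 web1 sshd[2250]: Accepted publickey for bruce from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:constructedfingerprint
Apr 21 09:42:00 web1 sshd[2260]: Failed password for bruce from 198.51.100.9 port 40020 ssh2
Apr 21 09:55:00 web1 sshd[2300]: Failed password for root from 203.0.113.5 port 50200 ssh2
"""

# Outer line shape: "<syslog timestamp> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year):
    """syslog timestamps have no year; the caller supplies one (assumption)."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


def burst_count(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, threshold=5, window=timedelta(minutes=10), year=2020):
    """Return a per-host report: failures per source, flagged sources,
    root password attempts and accepted logins."""
    failures = defaultdict(list)  # source ip -> [datetime of each failure]
    root_password_attempts = 0
    accepted = []
    hosts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line, or a message shape we don't parse
        when = parse_ts(m["ts"], year)
        hosts.add(m["host"])
        f = FAILED_RE.match(m["msg"])
        if f:
            failures[f["ip"]].append(when)
            if f["user"] == "root":
                root_password_attempts += 1
            continue
        a = ACCEPTED_RE.match(m["msg"])
        if a:
            accepted.append({"ts": when.isoformat(), "user": a["user"],
                             "ip": a["ip"], "method": a["method"]})
    flagged = {}
    for ip, times in failures.items():
        burst = burst_count(times, window)
        if burst >= threshold:
            flagged[ip] = {"burst": burst, "total": len(times),
                           "first_seen": min(times).isoformat(),
                           "last_seen": max(times).isoformat()}
    return {
        "hosts": sorted(hosts),
        "failed_by_source": {ip: len(t) for ip, t in failures.items()},
        "root_password_attempts": root_password_attempts,
        "accepted": accepted,
        "flagged": flagged,
    }


def to_dashboard_json(report):
    """One JSON document per run; a central collector can ingest these from
    every server and render them (the dashboard itself is out of scope here)."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_dashboard_json(analyze(SAMPLE_LOG)))
```

On the sample, 203.0.113.5 is flagged because five failures land inside ten minutes (its sixth, fifteen minutes later, is counted but does not change the burst); 198.51.100.9 is a single failed password for a real user and stays below the threshold, which is the distinction a noisy threshold-free alert would miss. Shipping this JSON to a central box is the step Security Onion or an Elastic stack would do for you.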
On Tue, Apr 21, 2020 at 12:23 PM bruce badouglas@gmail.com wrote:
Hey Ed.
Thanks for the reply.
Regarding the security/monitoring issue.
Here's my use case:
I'm looking to have multiple servers. Servers would be running different apps for different purposes. All Servers running Fed:
- DB Server - mysql/mariadb
- Server running webapps/httpd
- Servers running compute operations
- All servers configured to run ssh - sshd_config properly configured to limit access
- All servers configured to run with minimal ports turned on
- All servers with selinux
My goal would be to have a monitoring/security server/webapp that allows a user to quickly "see" if there's an issue with any of the servers/processes
I think it makes sense to check/monitor/be alerted if:
- there's a user attempt to access
- there's a ddos on one of the webapps
- there's a root/file issue
- there's a port access issue
- possible intrusion attempts
- weird services used
- any others???
possible software/apps to be installed for security:
- rkhunter
- fail2ban
- selinux
- clamav - although not sure the project would need a mail server/platform
- log monitoring app (which one)
- app to check file/dir/user settings (which one)
- scanning app/service (which one)
  - for ports
  - for services
  - for log files
  - for user accounts
I think it makes sense to try to define, or get my head around, the things that should be checked out or monitored. Once I get these things nailed down, I can figure out the "best" process to be able to monitor the items, as well as display them in some sort of dashboard.
I've looked over a number of different sites for rhel/ubuntu/fedora/etc. Most of the sites discuss hardening ssh, as well as looking over the services/ports, and managing the users/files/dirs.
I'm thinking the things to check for:
- Users/User Accounts
- logins/access
- ports
- services/processes
- files/dirs - perms/user owner
- log files
Any other things that should be checked/examined/considered?
Once I can get a good list of high level things to check for/secure, I can figure out the tools to use, as well as how to roll all of this up to some sort of dashboard.
So my thought process will be:
- Identify the high level things to check for/secure/monitor for the given Server Type
- Identify the tools to run the scans for the Server Type
- Figure out how to roll the results for each server to a "central monitoring/dashboard process"
Does this make sense?
Thoughts/comments welcome
zeek? Security Onion?
On Tue, Apr 21, 2020 at 9:49 AM Ed Greshko ed.greshko@greshko.com wrote:
On 2020-04-21 21:33, bruce wrote:
Not willing to step on toes. Is asking for opinions on tools to do system/security monitoring off topic? Been doing research, thought I'd ask here as well - if it's acceptable?
Not off topic at all.
Fedora supplies tools used in the area. So, all you would need do is to outline your goals, what you've learned in your research, and how you'd like to get help from the community.
Hey Mauricio,
researching Security Onion, never heard of "zeek"
zeek? Security Onion?
I'm putting together a list of scanning tools that would run on the "client" server, but I'm trying to wrap my head around how all of the resulting data would be aggregated, and displayed by a master dashboard app. I've seen OpenVAS and a few other apps that appear to offer the ability to import security data, and to display it.
Any thoughts on this?
thanks
On Wed, Apr 22, 2020 at 10:45 AM bruce badouglas@gmail.com wrote:
Hey Mauricio,
researching Security Onion, never heard of "zeek"
You might have heard of it in its old name, bro. https://securityonion.readthedocs.io/en/latest/zeek.html
zeek? Security Onion?
I'm putting together a list of tools that would run on the "client" server, but I'm trying to wrap my head around how all of the resulting data would be aggregated, and displayed by a master dashboard app. I've seen OpenVAS and a few other apps that appear to offer the ability to import security data, and to display it.
Any thoughts on this?
Security Onion is but a bunch of tools whose output is then aggregated and spewed into an Elastic stack-based interface. From there you can make pretty graphs (hello, Kibana), create alerts, and then send email alerts. You can run it off a vm if you want or a physical box; memory (think 10GB+) and disk space is what it likes.
Which tools to run on the servers you want to monitor? Go to the url I gave and see what each tool does. You should also be able to ask your network appliances what's up and then feed that to the onionbox; monitoring everything in your servers will make them very unhappy, your network unhappy, and the storage used to store its data unhappy. Start small.
If you ever used Splunk, it is the same thing but without the price. Both excel at helping you ask questions of the collected data about what happened (sometimes WTF is going on, if the event is still taking place).
Other programs are AIDE or tripwire (they do the same); do check exactly what they do before mindlessly deploying or you will have a lot of people pissed at you.
thanks
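The advice above to check exactly what AIDE or tripwire do before deploying them is easier to follow with a small model of the idea in hand, and it also covers the "app to check file/dir/user settings" item from earlier in the thread. What follows is an added example written for this thread, not code from AIDE, tripwire or anyone on the list: it records a baseline of hash, permission bits, owner and size for every regular file under a tree, stores it as JSON, and later reports files that were added, removed or changed. The directory tree, file contents and the "tampering" it applies are all constructed inside a temporary directory so it runs anywhere; the sshd_config and cron.d names are just there to make the sample tree look like the kind of paths one would actually watch.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under `root` (relative path) to its sha256,
    permission bits, owner and size. Symlinks are skipped on purpose so a
    link pointing elsewhere cannot make the tree look unchanged."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        entries[str(path.relative_to(root))] = {
            "sha256": h.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
        }
    return entries


def save_baseline(entries, dest):
    Path(dest).write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Report added, removed and changed files; for changed files, say which
    attributes differ and give (baseline, current) for each."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        diffs = {k: (baseline[p][k], current[p][k])
                 for k in baseline[p] if baseline[p][k] != current[p][k]}
        if diffs:
            changed[p] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Build a throwaway tree, baseline it, apply constructed drift
    (content edit, permission change, new file, deleted file) and return
    the comparison. Everything here is sample data in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "cron.d").mkdir()
        sshd = root / "ssh" / "sshd_config"
        cron = root / "cron.d" / "backup"
        issue = root / "issue"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        cron.write_text("0 2 * * * root /usr/local/bin/backup\n")
        issue.write_text("Fedora\n")
        sshd.chmod(0o600)   # pin modes so the result does not depend on umask
        cron.chmod(0o644)
        issue.chmod(0o644)

        baseline_file = Path(d) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed drift since the baseline was taken.
        sshd.write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        cron.chmod(0o666)
        (root / "cron.d" / "newjob").write_text("*/5 * * * * root /usr/local/bin/newjob\n")
        os.unlink(issue)

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

The baseline file is the part the real tools protect carefully: if it lives on the monitored host with the same permissions as everything else, whoever changes the files can change the baseline too, so AIDE's documentation has you keep it read-only or off-box. This toy keeps the baseline in the same temp directory only because it is a demonstration.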