### LinuxCBT Key Files Edition ###
Features:
1.Key files && directories that are present across-the-board on Linux systems
2.Pertains to security due to sensitive nature of files
Note:Files also pertain to directories (d ---------)
'/boot' - Present on all linux systems
Features:
1.Houses Kernel
2.INITRD || INITRAMFS - (Present on modern implementations)
3.GRUB & related files
4.Post-BIOS,'/boot' is consulted for various stages of boot
5.Typically is provisioned as a dedicated partition to ensure system boot
6.Traditionally,'/boot' or the BOOT environment for various OSs has been abstracted|separated from other volumes,i.e,Windows (c:(os)...(Exchange || MS SQL) || etc.)
Files:
1.'config' - Kernel configuration options (Options used to compile Kernel)
'uname -a' - reveals kernel version which can be correlated to '/boot/{config*,init*,vmlinuz*}'
a.Text files
b.Contains options such as :'y' = static,'m' = modular support
2.'initrd || initramfs' - initial RAM Disk - loaded by GRUB to setup the environment
a.Used to load drivers to mount '/'(root)
Note:From a security perspective,checksum 'config*' && 'init*' && 'vmlinuz*' && 'System.map*'
3.'vmlinuz' - linux Kernel
a.MUST match 'initrd'
4.'System.map'
a.Kernel symbol table for the image,used by Kernel modules
Note:'/boot' need NOT be separated from '/'
Note:Ensure that backup procedures ALWAYS include '/boot'
du -chs /boot/
### INIT ###
Features:
1.First User-Space process
2.PID=1
3.Parent of all User-Space processes on *Nix systems (linux | unix)
4.Loads User-Space environment
Files:
1.'/etc/inittab' - Primary configuration file - Read by '/sbin/init'
i.e,'id:5:initdefault:' - default Runlevel
2.'/etc/init.d/' - Houses Daemons | Services,interface configuration scripts,etc
Note:Similar to 'services.msc' on Windows
Note:Whether or not the services | daemons run in the current run-level is not important
Note:This is where third-party RC scripts should be placed
3.'/etc/rc.*' - Run Control Scripts for appropriate run-levels
'runlevel' - confirms current and optionally previous runlevel
a.'/etc/rc.d/' - contains ALL K* S* scripts to be executed by 'rc' in this runlevel
b.'/etc/rc.d/rc' - script,which processes distinct runlevel K* & S* script
c.'/etc/rc.d/rc.sysinit' - items that should be run regardless of runlevel when system is invoked
d.'/etc/rc.d/rc.local' - place third-party programs here to be launched post-runlevel-invocation
Note:'sha256sum /etc/init.d/*' generates checksums for later references
Note:The RPM DB provides checksums for installed files,i.e,'/sbin/init';however,if the RPM DB is corrupted,then you may be trojaned without your knowledge
rpm -qf /sbin/init
Note:Various System V systems will use different daemon | service names,however,the startup is virtually the same
Note:Part of your checksum checks could also include file size
Note:For security purposes,store your checksums on a remote system
Note:Use BASH,Perl,Python,etc to take snapshots
Note:Consider taking snapshots manually to mitigate compromised system threats
Note:A malicious,unauthorized user may compromise automated checksum checks so that the data published to the aggregation system is consistent with your expectations
Note:If you automate checksum checks,consider manually spot-checking,on a somewhat random basis,the checksums that are generated
Note:Also ensure that you checksum the checksum-generation script,in the event an unauthorized user changes the behavior of the script
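An added example (not from the LinuxCBT notes) of the snapshot-and-compare procedure described above: it records sha256 plus file size for every file under a directory such as /boot or /etc/init.d, and later reports what changed, went missing, or appeared. It assumes paths without whitespace; copying the baseline off-host is left to the reader.

```shell
#!/bin/sh
# Added example: sha256+size baseline of a directory and verification against it.
# Assumes file paths contain no whitespace (one "sha256 size path" line per file).

# baseline_create DIR OUTFILE: one "sha256 size path" line per regular file
baseline_create() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$f"
    done > "$2"
}

# baseline_verify DIR BASEFILE: print CHANGED/MISSING/NEW lines,
# return 0 only if the directory still matches the baseline exactly
baseline_verify() {
    cur=$(mktemp); rc=0
    baseline_create "$1" "$cur"
    # every baseline entry must still exist with the same hash and size
    while read -r sum size f; do
        now=$(awk -v p="$f" '$3 == p' "$cur")
        if [ -z "$now" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$now" != "$sum $size $f" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$2"
    # anything present now but absent from the baseline is new
    while read -r sum size f; do
        if ! awk -v p="$f" '$3 == p { found=1 } END { exit !found }' "$2"; then
            echo "NEW $f"; rc=1
        fi
    done < "$cur"
    rm -f "$cur"
    return $rc
}
```

Run `baseline_create /boot /root/boot.sha256` once, copy the output to the remote system, and run `baseline_verify /boot /root/boot.sha256` on later checks.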
### Kernel Modules ###
Features:
1.Kernel modules for myriad categories:CPU Frequency,Networking,Sound,etc
2.References via:'/lib/modules/`uname -r`'
3.Each accessible | available Kernel has its own '/lib/modules/`uname -r`'
'/lib/module/$(uname -r)'
a.'modules.alias' - shortcuts
b.'modules.dep' - Module dependencies - path are relative to '/lib/modules/$(uname -r)'
c.'kernel/*' - Categorical storage of modules per Kernel version
lsmod - Reveals loaded modules from '/proc/modules'
correlate loaded modules to :'/lib/modules/*'
find ./ -name cpufreq
'modinfo cpufreq_stats' - Returns more information about a module
'/etc/modprobe.d' - Configuration of specific module
dmesg
### '/proc/' ###
Features:
1.Run-time Kernel configuration options - '/proc'
2.Virtual in memory File System
3.User-space tools derive key information from:'/proc/'
df -h | grep proc
mount | grep proc
4.Stores PIDs of running processes i.e '/proc/PID' - '/proc/1'
5.Contains many in-memory,zero-byte files,because their content is generated on demand
PID Directories
'cmdline' - returns the Kernel command line from the most recent boot of the OS
i.e 'ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet'
i.e,Debian:'/proc/cmdline' - BOOT_IMAGE=/boot/vmlinuz-3.8.0-36-generic root=UUID=56a7fe0d-1d1c-4aa5-82ad-59dedb0177b3 ro
Note:You can review the UUID or the storage block device referenced here
'devices' - reveals detected/supported devices
'filesystems' - returns kernel supported filesystems
'partitions' - returns known partitions on the system
fdisk -l
'swaps'
swapon --help
swapon -s
'cpuinfo' - use this to determine:
a.Number of present CPUs
b.Features supplied by the present CPUs
'meminfo' - returns memory configuration in detail
'net/' - Network details
arp -a
arp -an
'/sys/' - reflects current usage of system resources in a number of categories,i.e,'net','audio','video',etc
grep proc /etc/fstab
Note:Ensure the integrity of '/etc/fstab' upon each system boot:i.e,ensure that '/proc/' is mounted
### '/[usr][/local]sbin' ###
Features:
1.Mostly privileged binaries
2.Some binaries are executable by non-privileged users via 'SETUID'
3.'/usr/sbin/' - $SHELL tools || Daemons || Services
4.'/usr/local/sbin' - $SHELL tools || Daemons || Services - i.e,'anacron','ntpd','crond','sshd'
SETGID Examples:
1.'/usr/sbin/post[dq]*' - These files flagged SETGID ensure consistent permissions (for created files)
ps -ef | grep post
Examples of privileged binaries || scripts
1.'dhclient'
find /[usr[local]]/sbin
find / -name 'dhclient'
rpm -qf dhclient
find . -name 'dhc*'
2.'arp'
arp -an
3.'ifconfig'
dpkg -S `which ifconfig`
rpm -qf `which ifconfig`
rpm -ql net-tools
4.'route'
5.'ip[6]tables*'
6.'fdisk' - manipulate partition tables
fdisk -l
7.'parted'- manipulate partition tables
8.'lv* | pv* | vg*' - LVM Tools
9.'blkid' - UUID - Guard as well because corrupted 'blkid' could yield incorrect UUIDs that you may inadvertently use and corrupt your system
10.'mke2fs && mkfs.*'
Note:Use a third-party tool such as AIDE to guard the integrity of these important files
11.'lsmod'
12.'modprobe'
13.'adduser||useradd||usermod||userdel'
14.'reboot||shutdown||restart'
### System Control Configuration '/etc/sysctl.conf' ###
Features:
1.Alter the start-up || run-time Linux Kernel options '/proc/sys'
2.Facilitates run-time Kernel options manipulation:i.e,dynamic changes to Kernel akin to dynamic router changes
3.User-space tool:'sysctl' - to manipulate run-time Kernel options
Note:Ensure the integrity of '/sbin/sysctl'
4.global startup configuration file:'/etc/sysctl.conf'
Tasks:
1.Use 'sysctl' to dump variables
a.'sysctl -a' - enumerates Kernel run-time possibilities
2.Set some simple variables
hostname -f
a.'sysctl "kernel.domainname=linuxcbt.internal"'
b.'sysctl "kernel.pty.max=8192"' - useful for very busy,shared servers
sysctl kernel.pty.max
Example of exhausting PID Max:
$USER -> pts/4 -> processes -> (numerous PIDs) - i.e,Nessus,Nmap
Note:The Kernel will usually log messages: /var/log/messages && console (critical)
c.'sysctl "kernel.pid_max=65536"'
3.Ensure that tweaked variables persist:'/etc/sysctl.conf'
a.Example '/etc/sysctl.conf' entries:
#LinuxCBT Classroom System Performance Kernel Tweaks
kernel.domainname = linuxcbt.internal
kernel.pty.max = 8192
kernel.pid_max = 65536
4.Ensure that values take effect immediately
a.'sysctl -p' - reloads '/etc/sysctl.conf'
Note:Errors reading values should appear immediately on STDOUT
Note:System control (sysctl) influences the Kernel directly and dynamically
Note:if '/etc/sysctl.conf' is corrupted,your Kernel will misbehave
Note:An improper '/etc/sysctl.conf' could result in:
1.Failure to boot the system,resulting in a Kernel Panic
2.Intermittent application behavior
3.Extremely slow application responses
4.Dropped connections TCP,UDP,SCTP && Application Level
Note:monitor '/etc/sysctl.conf' using appropriate integrity tools
### '/etc/[x]inetd.conf' ###
Features:
1.Auto-spawned services || daemons as needed
2.Reduces consumption of resources CPU | memory
3.Resource control
4.Forwarding of ports (XINETD)
5.Extends the traditional '/etc/init.d' spawning of services || daemons
yum install xinetd
apt-get install xinetd
6.'/etc/xinetd.conf' - primary XINETD config File
7.'/etc/inetd.conf' - primary traditional inetd config file - Debian and derivatives
8.'/etc/xinetd.d' - This directory is read for individual XINETD-controlled services || daemon files
Tasks:
1.Explore typical XINETD setup
a.'/etc/xinetd.conf' - primary config
b.'/etc/xinetd.d/' - primary config container for individual services || daemons
Note:It is up to you to ensure that XINETD && INETD services are disabled as needed
yum search tftp
yum install tftp-server
apt-get install tftpd
Note:'grep disable /etc/xinetd.d/*' - to determine enabled services
Note:This will not list services whose files omit the 'disable = yes' line,even though those services are enabled
Note:'netstat -nutlp | grep xinetd' - reveals XINETD-controlled services
Note:Importance:Trojans,unauthorized processes can be easily invoked via XINETD
Note:Because XINETD is more advanced than INETD,look out for services that forward ports in '/etc/xinetd.d'
Note:You should also remove superfluous XINETD files from '/etc/xinetd.d',i.e,small TCP/IP services
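An added example (not from the notes) that closes the gap noted above: a service file with no 'disable' line at all is enabled by default, so grepping for 'disable' misses it. This reads each file in a directory shaped like /etc/xinetd.d and prints only the services that are actually enabled; it assumes one 'service' block per file, as the distribution-supplied files are laid out.

```shell
#!/bin/sh
# Added example: list enabled xinetd services, treating a missing "disable" line
# as enabled (xinetd's default). Assumes one service block per file.

# xinetd_enabled DIR: print "service file" for every enabled service in DIR
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # "service NAME" opens a block; remember the name
            /^[[:space:]]*service[[:space:]]+[^[:space:]]+/ { name = $2 }
            # only an uncommented "disable = yes" turns the service off
            /^[[:space:]]*disable[[:space:]]*=/ {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                if (tolower(v) ~ /^yes/) off = 1
            }
            END { if (!off) print (name == "" ? file : name), file }
        ' "$f"
    done
}
```

Compare its output with 'netstat -nutlp | grep xinetd' to confirm that what is enabled on disk is what is listening.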
2.Explore typical INETD setup
a.'/etc/inetd.conf' - primary configuration file
Note:INETD systems tend to lump ALL services || daemons into 1 monolithic file
Note:INETD systems will load services || daemons from '/etc/inetd.conf' that are NOT commented out
Note:Like with XINETD,small TCP/UDP services are referenced,but commented,in '/etc/inetd.conf'
Note:Consider removing small TCP/UDP services from '/etc/inetd.conf'
b.Disable TFTP
c.Disable Samba SWAT
d.Disable ALL-mail-retrieval protocols
invoke-rc.d openbsd-inetd restart
Note:If all services managed by XINETD|INETD are disabled,there is no need to invoke the super-server itself,which releases/avails resources
Note:Both XINETD|INETD control traditional inetd services i.e,SSHD,etc
Note:Debian-derived systems ALSO support XINETD,however,INETD is the traditional super-server
Note:There is a conversion process required to go from :INETD to XINETD
e.Remove distinct services || daemons entries for small TCP/IP services from :'/etc/inetd.conf'
e1.'/etc/init.d/openbsd-inetd restart'
Note:The various areas covered thus far are ALL vectors of attack to compromise your system
### /etc/{passwd,shadow} ###
Features:
1.Store accounts DBs
2.Used even when LDAP is in use,i.e,for daemons | services | root | the default non-privileged user (linuxcbt)
3.'login.defs'
Tasks:
1.Peruse both files
a.'/etc/passwd'
root:x:0:0:root:/root:/usr/bin/zsh
1.username
2.password field - 'x' references '/etc/shadow'
3.uid
4.gid
5.user's description - usually a full name
6.home directory
7.user's shell
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
cat /etc/shells
Note:Check '/etc/shells' to determine permitted $SHELLS
Note:Check,aside from daemons | services accounts,that each user has a $HOME directory
Note:$USERs sans $HOME directories will often be relegated to '/',unless the enveloping daemon | service prohibits this
b.'/etc/shadow' - contains 1 entry per entry in '/etc/passwd'
Note:look for mismatches
Note:If using LDAP,check LDAP DB for other account mismatches
Note:LDAP can be corrupted via corrupt source files:/etc/{passwd,shadow}
Note:LDAP data can be corrupted from any host with connectivity
c.'/etc/login.defs' - Contains default user accounts policies
c1.Tighten default policy
userdel -r username
groupdel groupname
c2.Ensure that SHA256 or higher is in use
getent passwd
Note:Use 'getent passwd' to dump possible sources of user accounts for your system
getent group
getent gshadow
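An added example (not from the notes) that performs the account checks listed in this section against copies of the files: a shadow entry for every passwd entry and vice versa, an interactive shell that is listed in /etc/shells, an existing $HOME for interactive users, no second UID-0 account, and SHA-256 or stronger hashes. It assumes the ROOT argument is a prefix under which the home directories live, so it can run against a copied tree.

```shell
#!/bin/sh
# Added example: cross-check passwd/shadow/shells copies as the notes describe.
# ROOT is prepended to home paths so the check can run on a copied tree.

# passwd_audit PASSWD SHADOW SHELLS ROOT: one finding per line, return 1 if any
passwd_audit() {
    pw=$1; sh=$2; shells=$3; root=$4; rc=0
    while IFS=: read -r user pass uid gid gecos home shell; do
        case "$user" in ''|\#*) continue ;; esac
        # every passwd entry needs a matching shadow entry
        if ! grep -q "^$user:" "$sh"; then echo "NO_SHADOW $user"; rc=1; fi
        # only root may carry UID 0
        if [ "$uid" = 0 ] && [ "$user" != root ]; then echo "UID0 $user"; rc=1; fi
        case "$shell" in
            */nologin|*/false) ;;   # service accounts: no shell, no home needed
            *)
                # interactive users: shell must be permitted, $HOME must exist
                if ! grep -qx "$shell" "$shells"; then echo "BAD_SHELL $user $shell"; rc=1; fi
                if [ ! -d "$root$home" ]; then echo "NO_HOME $user $home"; rc=1; fi
                ;;
        esac
    done < "$pw"
    while IFS=: read -r user hash rest; do
        # shadow entries without a passwd entry are a mismatch too
        if ! grep -q "^$user:" "$pw"; then echo "ORPHAN_SHADOW $user"; rc=1; fi
        case "$hash" in
            '*'|'!'*|'$5$'*|'$6$'*|'$y$'*) ;;   # locked, or SHA-256/SHA-512/yescrypt
            *) echo "WEAK_HASH $user"; rc=1 ;;  # MD5 ($1$), DES, or empty password
        esac
    done < "$sh"
    return $rc
}
```

On a live system run it as `passwd_audit /etc/passwd /etc/shadow /etc/shells ""` (root is needed to read /etc/shadow).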
### Pluggable Authentication Modules(PAM) ###
Features:
1.Centralized AUTH,Account,Session services
2.Abstracts programs i.e,SSH,Samba,Telnet,FTP,etc,from having to implement similar services
3.Extensible i.e,LDAP,AD,MySQL,PostgreSQL,etc
4.Stack of modules required for AUTH,ACCOUNT,SESSION,PASSWORD
Key files:
1.'/etc/pam.conf'
Note:Some systems,i.e,Red Hat and derivatives,may not have a general '/etc/pam.conf';however,look for '/etc/pam.d/' with numerous per-application files,i.e,'SSH'
Note:Debian 6x has:'/etc/pam.conf' AND '/etc/pam.d/'
Note:PAM relies upon distinct libraries beneath the platform-specific library directory
Note:i.e,for x86_64:'/lib64/security'
Note:PAM,like PHP and other programs,supports an 'include' directive to incorporate the PAM stack from other files
Note:PAM also ensures,via the 'su' PAM stack,that the environment is properly configured on a per-user basis,i.e,if logged in as 'root','/sbin','/usr/local/sbin','/usr/sbin' are added to your $PATH
Note:Upgrades | security patches may change the contents of '/etc/pam.d' and force the changes into action
Note:This may mean generating a new set of checksums
Note:'/etc/security/pam_env.conf' - consulted by ANY process,i.e,gdm,sshd,etc,that relies upon general AUTH to the system
Note:SYSLOG routes | handles PAM log entries,i.e,on CentOS && RH:/var/log/secure.log or Debian:/var/log/auth.log
### '/etc/{hosts,protocols,services}' ###
Features:
1.Layer 4 - Layer 3 resolution - i.e,'linuxcbtrouter1.linuxcbt.internal' -> 192.168.75.1 -> MAC
2.Protocol naming,i.e,IP(0),TCP(6),UDP(17) - '/etc/protocols'
3.Well-known services translations:'/etc/services',i.e,ssh -> tcp/22
Basic '/etc/hosts' for a TCP/IP-compliant system:
#IPv4
127.0.0.1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
#IPv6
::1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
#Routable Addresses
#RFC 1918 Address 192.168.75.0/24
192.168.75.105 site1.linuxcbt.internal
192.168.75.105 site2.linuxcbt.internal
Tasks:
1.Corrupt '/etc/hosts'
a.place an incorrect entry for www.linuxcbt.com
Note:Many malware packages will corrupt '/etc/hosts' to redirect traffic
Note:Most malware target sites will resemble the authentic site
Note:Insofar as L4 to L3 resolution is concerned,'/etc/hosts' is usually consulted prior to DNS
2.corrupt '/etc/protocols'
Note:If '/etc/protocols' is corrupted,packet handling could,in theory,also be corrupted
3.Corrupt '/etc/services'
Note:If '/etc/services' is corrupt,packet interpretation and handling could also go awry
Note:The port-range is 2**16,however,'/etc/services'
sha256sum /etc/{hosts,services,protocols}
NOTE:Another example of a corrupted '/etc/hosts' is the redirection of Backup Exec client/server communications via incorrect IPv[46] addresses
Note:Malware typically hits '/etc/hosts'
Note:If you detect mismatches in packet analysis programs,i.e,TCPDump,Wireshark,Snort,NMap,Nessus,etc,then consult '/etc/{protocols,services}'
### Name Services Switch Configuration (NSSWITCH) ###
Features:
1.Name services resolution order
2.Indicates various databases to be used for lookup of various data
i.e,L4-L3 names are resolved using NSSWITCH
i.e,the user accounts DB location is indicated via NSSWITCH
3.Centralized name resolution service: resolver
4.Polls name=value pairs from target DBs
5.Abstracts applications from having to maintain resolution services:akin to PAM
i.e,ping www.linuxcbt.com -> NSSWITCH ->hosts: files dns
Note:The 'hosts' DB type is consulted when tools such as 'ping','traceroute',web browser,etc,require l4(host name)-l3(IPv[46]) translations
Note:'/etc/hosts' is the key file for 'hosts' resolution
6.NSSWITCH facilitates redundant means of resolving targets
Tasks:
1.Explore '/etc/nsswitch.conf' configuration
Note:NIS(+) is still supported,but somewhat deprecated due to LDAP & DNS,a la Active Directory (AD)
a.NIS
b.DNS - considerable support - glue of internet
2.Reorder '/etc/nsswitch.conf' and evaluate
a.'hosts: dns files' - causes the name resolver to use DNS first
b.ping www3.linuxcbt.com
Note:'files' references tend to be consistent across Linux | Unix distributions
cat /etc/ethers
cat /etc/networks
Note:If your system is configured to use LDAP AUTH,then '/etc/nsswitch.conf' will be updated insofar as:
passwd: files
shadow: files
group: files
Note:Usage of LDAP does NOT disable the local 'files' reference
Note:Insofar as malware is concerned,watch:
passwd: files
shadow: files
group: files
hosts: files dns
NSSWITCH is used by virtually ALL *Nix applications to resolve key DBs
host www.google.com
### DNS Client Resolution ###
Features:
1.file:'/etc/resolv.conf' - located on ALL *Nix systems
2.DNS Client resolver lookup file
3.Consulted by DNS Client,dig,nslookup,web browser,lynx,curl,lftp,etc
4.L4 lookup servers are placed here normally using IPv[46] addresses
5.Auto-configured if using DHCP client
6.Manually configured IPv[46] system must also configure '/etc/resolv.conf' manually
Tasks:
1.Explore '/etc/resolv.conf'
search localhost.localdomain # This domain is appended to DNS Client requests if FQDN is omitted by user,i.e,'dig linuxcbtcent1' - NOT FQDN,DNS Client will rewrite to 'dig linuxcbtcent1.linuxcbt.internal'
nameserver 192.168.1.1 # indicates PRIMARY DNS server to consult
Note:If '/etc/resolv.conf' is corrupted,DNS client requests can easily be re-routed to rogue DNS servers,rendering illegitimate responses
dig @8.8.8.8 www.linuxcbt.com
Note:Some malware will remove your normal DNS servers from '/etc/resolv.conf' in exchange for polluted DNS servers
Note:Other malware will simply insert polluted DNS servers as the default servers,leaving your original entries as subsequent entries
Note:By default,DNS client resolvers will bypass '/etc/hosts' and use the servers specified in '/etc/resolv.conf'
Note:This does NOT include applications such as web browsers,which always consult the order in '/etc/nsswitch.conf'
2.Perform Queries:
a.dig @8.8.8.8 www.linuxcbt.com - forces DNS Client resolution off server:8.8.8.8
b.'dig www.linuxcbt.com' - uses the default DNS server prescribed in '/etc/resolv.conf'
Suggestion:
Internally,direct DNS traffic to internal,company-managed DNS servers,and subsequently forward unfulfilled requests to internet DNS servers,i.e,ISP,then upstream
Client -> Internal DNS Server(s) -> ISP Server -> Public Servers(Google 8.8.8.8|8.4.4.4) -> Root DNS Servers
3.Example Debian APT 'sources.list' File
'deb http://security.debian.org/ squeeze/updates main contrib'
dig security.debian.org
dig security.debian.org(L4) -> 149.20.20.6(L3)
If the L3 server address is poisoned,then the NEW rogue target server COULD supply our APT framework with rogue,malicious,and|or compromised packages
Note:Try to ensure that PROD systems have consistent '/etc/resolv.conf' files
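An added example (not from the notes) that checks for the two kinds of tampering described in the NSSWITCH and DNS client sections: the passwd/shadow/group/hosts databases no longer consulting 'files' first, and nameserver entries in resolv.conf that are not on the site's approved list (whether the real servers were replaced or a rogue one was inserted ahead of them). The approved addresses are passed as arguments; the files are constructed copies.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf ordering and resolv.conf nameservers.

# nsswitch_check FILE: report DBs whose first source is not 'files'
nsswitch_check() {
    rc=0
    for db in passwd shadow group hosts; do
        first=$(awk -v db="$db" '$1 == db":" { print $2; exit }' "$1")
        if [ "$first" != files ]; then
            echo "NSSWITCH $db first source is '${first:-missing}', expected files"; rc=1
        fi
    done
    return $rc
}

# resolv_check FILE ALLOWED...: report nameservers outside the allowed set,
# numbered in the order the resolver will try them (the first matters most)
resolv_check() {
    file=$1; shift; allowed=" $* "; rc=0; n=0
    while read -r key val rest; do
        [ "$key" = nameserver ] || continue
        n=$((n + 1))
        case "$allowed" in
            *" $val "*) ;;
            *) echo "RESOLV nameserver #$n $val is not approved"; rc=1 ;;
        esac
    done < "$file"
    if [ "$n" = 0 ]; then echo "RESOLV no nameserver entries"; rc=1; fi
    return $rc
}
```

Run it from cron with the site's approved resolver addresses so a changed '/etc/resolv.conf' on a PROD host is reported instead of silently honoured.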
### User Profiles ###
Features:
1.Ability to aggregate and present a consistent user experience across:icons,files,colors,etc
2.Default $SHELL = BASH
Files:
1.'/etc/bashrc,profile,profile.d,shells,skel'
a.'/etc/profile' - system-wide $SHELL file,that configures initial environment
echo $HISTSIZE
echo $HISTFILESIZE
echo $PS1
echo $PATH
echo $LOGNAME
echo $USER
b.'/etc/profile.d' - contains $SHELL includes:i.e,coloration of 'ls' output
c.'/etc/shells' - This file dictates allowable $SHELLs
Note:Ensure that '/etc/shells' does not contain unknown ,unidentified $SHELLs
d.'/etc/skel' - used to provision new users
2.'~/.bash_history' - Guard contents,because passwords,credentials may be present
Note:Consider purging the contents of '~/.bash_history' to a facility such as '/dev/null'
Note:consider reducing the history size to a small number:i.e,'10'
3.'$HOME/bin' - This is a per-user executable directory,Monitor this directory for potential,rogue processes
4.'~/.vnc' - This directory houses files associated with VNC access
a.'xstartup' - executable file that is invoked when a new VNC/GNOME/KDE session is created
Note:This feature is akin to the Windows Startup group - it will cause applications to launch upon session invocation
netstat -ntl | grep 591
5.'password' - ensure this file exists,if VNC is in use
### CRON ###
Features:
1.Process automation
Example of misuse:
1.DNS client poisoning
2.Bad package (RPM|APT) is installed
3.Rogue process is invoked via CRON,regularly
4.Host becomes a member of a BotNet
Key Files:
1.'/etc/crontab' - System Cron Tables - defines basis of operation
2.'/etc/cron.d' - Default jobs are called,Varies by Distro,However,concepts are similar
Note:these entries are NOT executables,however,simply included as part of larger CRON config
Note:If you notice executable items in '/etc/cron.d',something is amiss
3.'/usr/sbin/crond' - CROND process - checksum this
rpm -qf 0anacron
4.'/etc/cron.hourly' - jobs that are executable(scripts),and run hourly
Note:Normally,CRON jobs are not binaries,if you see files that run as jobs and are represented as binaries,have a deeper look.
5.Ensure the integrity of :'/bin/run-parts' - this utility runs N number of scripts from a directory
rpm -qa | grep cron
6.'/usr/bin/crontab' - checksum as well,as this could be used to submit jobs
7.'/var/spool/cron' - Check for unrelated user jobs - look for unresolved IDs 'ls -l /var/spool/cron'
8.Ensure the integrity of 'crond' itself using 'rpm' i.e,'rpm -Vvf `which crond`'
Note:Perform these checks before system enters:PROD,and during PROD.
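An added example (not from the notes) that automates three of the cron checks above against constructed copies of the directories: fragments in /etc/cron.d must not be executable, jobs in /etc/cron.hourly should be scripts rather than ELF binaries, and every file in /var/spool/cron must belong to an account present in /etc/passwd. The directory and passwd paths are arguments so it can run on a copied tree.

```shell
#!/bin/sh
# Added example: cron.d / cron.hourly / spool checks from the notes.

# cron_audit CRON_D CRON_HOURLY SPOOL PASSWD: print findings, return 1 if any
cron_audit() {
    rc=0
    # /etc/cron.d holds config fragments, never executables
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then echo "EXEC_IN_CRON_D $f"; rc=1; fi
    done
    # run-parts jobs are normally scripts; an ELF binary deserves a deeper look
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        magic=$(head -c 4 "$f" | od -An -c | tr -d ' \\')   # ELF magic is \177ELF
        if [ "$magic" = 177ELF ]; then echo "BINARY_JOB $f"; rc=1; fi
    done
    # spool files are named after their owner; unknown names are unresolved IDs
    for f in "$3"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        if ! grep -q "^$user:" "$4"; then echo "UNKNOWN_CRON_USER $user"; rc=1; fi
    done
    return $rc
}
```

On a live system: `cron_audit /etc/cron.d /etc/cron.hourly /var/spool/cron /etc/passwd`.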
### DNS Server Configuration ###( TODO Learn bind)
Features:
1.Glue of the Internet
2.L4-L3 conversions
Tasks:
1.Explore environment
a.'/etc/bind' - Debian
b.'/etc/named' && '/var/named' - CentOS | RedHat
Note:Ensure that you have a baseline
netstat -nump
c.'/etc/bind/named.*' - Both OSs - Ensure zones listed are ones that you are responsible for
2.Follow each Zone file to source file on FS and examine
dig @localhost hostname
3.Also run random queries occasionally to ensure the validity of DNS records
4.Ensure that RFC-1912 && RFC-1918 zones,if defined,are accurate
Note:ALL included named.* files are part of a monolithic configuration (1 big config),which means you are at liberty to place any zone config (descriptor) anywhere
5.Ensure ROOT servers are accurate:'/var/named/named.ca' on RedHat derived system
6.Ensure that you constantly look for:
a.Unauthorized zones
b.Changes to existing zones
c.Invalid records,i.e,pointers to unauthorized IPv[46] addresses
d.Incomplete records,i.e,present IPv4 and missing IPv6 records
e.Missing reverse entries - this causes some applications to break
### Syslog ###
Features:
1.Logs key system information from programs,services,daemons,kernel,etc
2.Optionally logs information from remote,Syslog aware systems:devices | routers,switches,firewalls,etc
Explore Syslog Environment
1.'/lib[64]/rsyslog/*' - contains modules that extend rsyslog - RedHat|CentOS
2.'/usr/lib/rsyslog/*' - Debian
3.'/usr/sbin/rsyslogd' - Debian && '/sbin/rsyslogd' -RedHat | CentOS
Comment out TCP || UDP listeners if NOT in use - Syslog does not offer AUTH security by default
Note:This means,once clients have network access to the rsyslog server,they can,if configured with the appropriate facility and|or level,send messages to SYSLOG
#Hypothetical Case
A rogue,infected Windows machine on-the-wire sends considerable SYSLOG data to your rsyslog instance;for this reason,consider provisioning a dedicated '/var' per HOST
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
rpm -ql rsyslog
Suggestion:
Consider restricting TCP:514 AND|OR UDP:514 via IPTables AND|OR an external firewall
iptables -L
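An added example (not from the notes) that reports which network listeners a given rsyslog.conf would open, so the "comment out listeners not in use" check can be scripted. It recognises both the legacy '$ModLoad imudp / $UDPServerRun 514' form shown above and the newer input(type="imudp" port="...") form, and ignores commented-out lines.

```shell
#!/bin/sh
# Added example: list active rsyslog UDP/TCP listeners from a config file.

# rsyslog_listeners FILE: print "udp PORT" / "tcp PORT" per active listener
rsyslog_listeners() {
    awk '
        /^[[:space:]]*#/ { next }                         # commented out: ignored
        /^[[:space:]]*\$UDPServerRun/      { print "udp", $2 }
        /^[[:space:]]*\$InputTCPServerRun/ { print "tcp", $2 }
        # RainerScript form: input(type="imudp" port="514") / input(type="imtcp" ...)
        /^[[:space:]]*input\(/ && /type="imudp"/ {
            if (match($0, /port="[0-9]+"/)) print "udp", substr($0, RSTART + 6, RLENGTH - 7)
        }
        /^[[:space:]]*input\(/ && /type="imtcp"/ {
            if (match($0, /port="[0-9]+"/)) print "tcp", substr($0, RSTART + 6, RLENGTH - 7)
        }
    ' "$1"
}
```

Anything it prints on a host that is not meant to be a log collector should be commented out, or at least filtered to known sources with iptables.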
Ensure that you have a comprehensive list of supported Syslog:
1.Facilities:local,user,mail,kern,cron,auth|priv
2.Levels:debug -> emerg
Note:Ensure that your organizational security policy details the accepted Syslog configuration;this helps to mitigate problems,nerves and anxieties when things go awry
i.e,DDOS attacks generate enormous amounts of data on a number of levels that impact *Nix systems:
1.NIDS systems parsing gigabit traffic
2.Syslog must capture requests incoming from NIDS,edge processes,and otherwise