https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360580#M13309 <P>hey in addition to that :</P> <P>Linux Networks. The most important files to monitor (or exclude)<BR /> Linux. Files to INCLUDE in FIM:</P> <P>Root folder:<BR /> – monitor the permissions<BR /> Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:<BR /> – /bin<BR /> – /sbin<BR /> – /usr/sbin<BR /> – /usr/bin.<BR /> – /usr/local/bin<BR /> – /usr/local/sbin<BR /> – /opt/bin<BR /> – /opt/sbin<BR /> – /lib<BR /> – /usr/lib<BR /> – /usr/local/lib<BR /> – /lib64<BR /> – /usr/lib64<BR /> – /root, /etc<BR /> Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore it must be properly monitored /boot/grub/grub.conf<BR /> <A href="https://outpost24.com/blog/windows-linux-vulnerable-files">https://outpost24.com/blog/windows-linux-vulnerable-files</A></P> <P>Also, there is a good blog on Critical Linux Log Files You Must be Monitoring<BR /> <A href="https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/">https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/</A></P> <P>let me know if this helps!</P> Fri, 16 Mar 2018 08:10:09 GMT mayurr98 2018-03-16T08:10:09Z https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360579#M13308 <P>Hi.<BR /> I mean any critical points of Linux, any files, or directory that must be monitoring to detect any suspicious activity.</P> <P>For example:<BR /> <STRONG>/tmp</STRONG><BR /> because many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack</P> <P><STRONG>/etc/passwd</STRONG> or /etc/shadow<BR /> because, sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date.</P> <P><STRONG>/etc/services</STRONG><BR /> Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines</P> <P><STRONG>crontab</STRONG> or <STRONG>/etc/init.d</STRONG> <BR /> It's good to detect any persistence</P> <P>If it has SSH running, then I would be monitoring /var/log/secure (or /var/log/auth.log) and alerting on brute force events. Or also have alerting on certain firewall logs. Example, when heartbleed came out, after patching I would set up log monitors for addresses attempting to exploit it.</P> <P>So, what about else? Of course I missed many and would be happy if you helped <BR /> If you will share any blogs, article, etc, will be cool.</P> Thu, 15 Mar 2018 17:37:38 GMT https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360579#M13308 test_qweqwe 2018-03-15T17:37:38Z https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360580#M13309 <P>hey in addition to that :</P> <P>Linux Networks. The most important files to monitor (or exclude)<BR /> Linux. Files to INCLUDE in FIM:</P> <P>Root folder:<BR /> – monitor the permissions<BR /> Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:<BR /> – /bin<BR /> – /sbin<BR /> – /usr/sbin<BR /> – /usr/bin.<BR /> – /usr/local/bin<BR /> – /usr/local/sbin<BR /> – /opt/bin<BR /> – /opt/sbin<BR /> – /lib<BR /> – /usr/lib<BR /> – /usr/local/lib<BR /> – /lib64<BR /> – /usr/lib64<BR /> – /root, /etc<BR /> Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore it must be properly monitored /boot/grub/grub.conf<BR /> <A href="https://outpost24.com/blog/windows-linux-vulnerable-files">https://outpost24.com/blog/windows-linux-vulnerable-files</A></P> <P>Also, there is a good blog on Critical Linux Log Files You Must be Monitoring<BR /> <A href="https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/">https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/</A></P> <P>let me know if this helps!</P> Fri, 16 Mar 2018 08:10:09 GMT https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360580#M13309 mayurr98 2018-03-16T08:10:09Z https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360581#M13310 <P>Hello. <BR /> I already got acquainted with these links, but thank for response! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> To be trust, my question is very blurry and it's hard to answer. Security forumes not helped me.</P> Fri, 16 Mar 2018 14:44:02 GMT https://community.splunk.com/t5/Deployment-Architecture/Most-critical-files-that-must-be-monitoring-on-Linux-in-terms-of/m-p/360581#M13310 test_qweqwe 2018-03-16T14:44:02Z