https://www.cisecurity.org/cis-benchmarks

This is useful too and much easier to implement than just going by NIST.
Thanks for the tip on OSQuery, I ran it on a Linux system and a Mac and it
appears powerful and useful.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


On Tue, Mar 12, 2024 at 7:45 PM r3doubt <r3do...@r3doubt.io> wrote:

> I have found rkhunter useful, especially for quick triage or auditing and
> hardening to create a baseline configuration.  I wouldn't rely on static
> signatures for any sort of malware analysis or DFIR, regardless of OS or
> product.
>
> For a continuous monitoring EDR use case, I would recommend two free and
> open-source solutions, as an alternative to commercial offerings.  I have
> found OSQuery to be a pretty useful tool on MacOS and Linux, giving me some
> of the same EDR via native logs I get using Sysmon and Windows Event Logs
> on Windows boxes.  For dealing with "live off the land" style intrusions,
> this type of data is crucial for EDR.  OSQuery will look at things like
> syslog, but will limit the info reported to a diff on changes to certain
> logs or settings, which are stored in a SQL-style relational DB.  You can set
> custom monitoring in a syntax similar to SQL.  I've been a "certified
> product engineer" for major vendors, and even contributed to some of their
> work on things like security orchestration, but you can't "buy" security;
> regardless of the product, it comes down to putting in the work.
>
> You can also install an instance of Security Onion, and run it as either a
> distributed instance for enterprise use, or in the standalone mode for the
> student, hobbyist, SoHo network.  It can be set to pull your native logs
> from Linux, and do a lot of ingest and normalization for you, giving you a
> pretty nice dashboard and SOC environment based in Kibana (it runs on ELK
> stack).  It can also work, out of the box, with OSQuery on your Linux
> endpoints.
>
> Don't forget about NIST either.  NIST, CISA, NSA, and GCHQ (UK) have all
> put out various public hardening guides and even open-sourced auditing and
> hardening scripts for Linux / Unix systems to help automate configurations.
>
> -R3doubt
>
> On Tue, Mar 12, 2024 at 7:17 PM Michael Lazin <microla...@gmail.com>
> wrote:
>
>> Commercial EDR solutions like SentinelOne and Crowdstrike are better for
>> business users who need protection against advanced threat actors, I know
>> both use AWS IP addresses to report to an AI backend.  The AI engine is
>> really just using statistical analysis.  Chkrootkit is another free
>> offering but I think rkhunter is better as far as free tools.
>>
>> Michael Lazin
>>
>> .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
>>
>>
>> On Tue, Mar 12, 2024 at 6:25 PM <calm.luck8...@fastmail.com> wrote:
>>
>>> What are people using instead?
>>> _______________________________________________
>>> Rkhunter-users mailing list
>>> Rkhunter-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>>>
>>
>
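The "diff on changes" behaviour of OSQuery's scheduled queries that r3doubt describes above, as an added example that is not from this thread or from the osquery project: a small set of SQL-style scheduled queries and a consumer that turns the differential result log into alerts. The table names (kernel_modules, listening_ports, processes, crontab) are real osquery tables; the query names, intervals, host baseline and log lines are constructed for the example.

```python
import json

# Scheduled queries as they would sit under "schedule" in osquery.conf. With
# the default "snapshot": false, osqueryd logs only rows added or removed
# since the previous run of each query, which is the diff the thread refers
# to. Query names and intervals are assumed for this example.
SCHEDULE = {
    "kernel_modules": {
        "query": "SELECT name, size, status FROM kernel_modules;",
        "interval": 300},
    "listening_ports": {
        "query": "SELECT p.pid, p.name, lp.port, lp.address "
                 "FROM listening_ports lp JOIN processes p USING (pid);",
        "interval": 300},
    "crontab": {"query": "SELECT command, path FROM crontab;", "interval": 600},
}

# Constructed osqueryd result-log lines (one JSON object per line) in the
# differential format: "action" is "added" or "removed", "columns" is the row.
RESULT_LOG = r"""
{"name":"kernel_modules","hostIdentifier":"web01","unixTime":1710300000,"action":"added","columns":{"name":"unknown_mod","size":"16384","status":"Live"}}
{"name":"listening_ports","hostIdentifier":"web01","unixTime":1710300060,"action":"added","columns":{"pid":"4242","name":"nc","port":"4444","address":"0.0.0.0"}}
{"name":"listening_ports","hostIdentifier":"web01","unixTime":1710300060,"action":"added","columns":{"pid":"900","name":"sshd","port":"22","address":"0.0.0.0"}}
{"name":"crontab","hostIdentifier":"web01","unixTime":1710300120,"action":"removed","columns":{"command":"/usr/local/bin/backup.sh","path":"/etc/crontab"}}
"""

# Baseline of listeners expected on these hosts (constructed for the example).
EXPECTED_PORTS = {("sshd", "22"), ("nginx", "80"), ("nginx", "443")}

def parse_results(text):
    """Yield (query, action, host, columns) for each differential row."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec["name"] in SCHEDULE:
                yield rec["name"], rec["action"], rec["hostIdentifier"], rec["columns"]

def triage(text):
    """Turn diff rows into alerts; rows matching the baseline are dropped."""
    alerts = []
    for query, action, host, c in parse_results(text):
        if query == "kernel_modules" and action == "added":
            alerts.append(f"{host}: kernel module loaded: {c['name']}")
        elif (query == "listening_ports" and action == "added"
              and (c["name"], c["port"]) not in EXPECTED_PORTS):
            alerts.append(f"{host}: unexpected listener {c['name']} (pid {c['pid']}) on port {c['port']}")
        elif query == "crontab" and action == "removed":
            alerts.append(f"{host}: cron entry removed from {c['path']}: {c['command']}")
    return alerts
```

Because only the diff is logged, the sshd row above would appear once when the schedule first runs and then stay silent until it changes, so the baseline check is what keeps expected state out of the alert stream.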