Re: system monitoring/security - possibly off topic

2020-04-22 Thread Mauricio Tavares
On Wed, Apr 22, 2020 at 10:45 AM bruce  wrote:
>
>
>
> .
> .
> .
> Hey Mauricio,
>
> researching Security Onion, never heard of "zeek"
>
  You might have heard of it by its old name, Bro.
https://securityonion.readthedocs.io/en/latest/zeek.html

> >   >>> zeek? Security Onion?
>
>
> I'm putting together a list of tools that would run on the "client" server, 
> but I'm trying to wrap my head around how all of the resulting data would be 
> aggregated, and displayed by a master dashboard app. I've seen OpenVAS and a 
> few other apps that appear to offer the ability to import security data, and 
> to display it.
>
> Any thoughts on this?
>
  Security Onion is but a bunch of tools whose output is then
aggregated and spewed into an Elastic stack-based interface. From
there you can make pretty graphs (hello, Kibana), create alerts, and
then send email alerts. You can run it off a VM if you want or a
physical box; memory (think 10GB+) and disk space are what it likes.

Which tools to run on the servers you want to monitor? Go to the url I
gave and see what each tool does. You should also be able to ask your
network appliances what's up and then feed that to the onionbox;
monitoring everything in your servers will make them very unhappy,
your network unhappy, and the storage used to store its data unhappy.
Start small.

If you have ever used Splunk, it is the same thing but without the price.
Both excel at helping you ask questions of the collected data about
what happened (sometimes WTF is going on, if the event is still taking
place).

Other programs are AIDE or tripwire (they do the same); do check
exactly what they do before mindlessly deploying or you will have a
lot of people pissed at you.

> thanks
>
> .
> .
> .
>
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
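What AIDE and tripwire actually do is build a baseline of file hashes and metadata and then diff the live system against it, which is the part worth understanding before deploying either. The script below is an added example written for this thread, not Security Onion's, AIDE's or tripwire's own code; the scratch tree it baselines and then tampers with is constructed inside a temporary directory, so it runs offline. Paths, file contents and the three kinds of drift it introduces are all assumptions for illustration.

```python
"""Added example: a minimal file-integrity check of the kind AIDE and
tripwire perform (hash and metadata baseline, then a diff).
Not the thread's or those projects' code; the scratch tree is constructed."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record ownership and mode for any entry; size and SHA-256 for regular files only.
    Directories get no size, because directory sizes vary by filesystem."""
    st = path.lstat()
    info = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        info["size"] = st.st_size
        info["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        info["target"] = os.readlink(path)
    return info


def build_baseline(root) -> dict:
    """Map every path under root (relative) to its fingerprint. Symlinks are not followed."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: new paths, missing paths, and per-attribute (old, new) changes."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            diffs = {k: (old.get(k), new.get(k))
                     for k in set(old) | set(new) if old.get(k) != new.get(k)}
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, introduce drift, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "ssh").mkdir(parents=True)
        passwd = root / "etc" / "passwd"
        sshd_config = root / "etc" / "ssh" / "sshd_config"
        passwd.write_text("root:x:0:0::/root:/bin/bash\n")
        sshd_config.write_text("PermitRootLogin no\n")
        os.chmod(passwd, 0o644)  # pin the mode so the diff below is deterministic
        baseline = build_baseline(root)
        # Three kinds of drift a real scan should surface (all constructed):
        sshd_config.write_text("PermitRootLogin yes\n")          # content change
        (root / "etc" / "dropped.conf").write_text("x=1\n")      # new file
        os.chmod(passwd, 0o666)                                  # permission change
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

Two things the tools' documentation will also tell you, and which this toy makes visible: the baseline has to live somewhere the monitored host cannot rewrite (the central box, in this thread's terms), because anything able to change the files can change a local baseline too; and hashing every file on a busy server is exactly the "monitor everything and make them unhappy" load described above, so scope the paths to configuration and binaries first.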


Re: system monitoring/security - possibly off topic

2020-04-22 Thread bruce
.
.
.
Hey Mauricio,

researching Security Onion, never heard of "zeek"

>   >>> zeek? Security Onion?
>

I'm putting together a list of scanning tools that would run on the
"client" server, but I'm trying to wrap my head around how all of the
resulting data would be aggregated, and displayed by a master dashboard app.
I've seen OpenVAS and a few other apps that appear to offer the ability to
import security data, and to display it.

Any thoughts on this?

thanks

.
.
.


Re: system monitoring/security - possibly off topic

2020-04-21 Thread Mauricio Tavares
On Tue, Apr 21, 2020 at 12:23 PM bruce  wrote:
>
> Hey Ed.
>
> Thanks for the reply.
>
> Regarding the security/monitoring issue.
>
> Here's my use case:
>
> I'm looking to have multiple servers.
> Servers would be running different apps for different purposes.
> All Servers running Fed
> -DB Server -mysql/mariadb
> -Server running webapps/httpd
> -Servers running compute operations
>
> All servers configured to run ssh - sshd_config properly configured to limit 
> access
> All servers configured to run with minimal ports turned on
> All servers with selinux
>
> My goal would be to have a monitoring/security server/webapp
>  that allows a user to quickly "see" if there's an issue
>  with any of the servers/processes
>
> I think it makes sense to check/monitor/be alerted if:
>
> -there's a user attempt to access
> -there's a ddos on one of the webapps
> -there's a root/file issue
> -there's a port access issue
> -possible intrusion attempts
> -weird services used
> -any others???
>
>
> possible software/apps to be installed for security
> --rkhunter
> --fail2ban
> --selinux
> --clamav -- although not sure the project would need a mail server/platform
> --logMonitoring app (which one)
> --app to check file/dir/user settings (which one)
> --scanning app/service (which one)
>  ---for ports
>  ---for services
>  ---for log files
>  ---for user accounts
>
>
> I think it makes sense to try to define, or get my head around the things 
> that should be checked out or monitored. Once I get these things nailed down, 
> I can figure out the "best" process to be able to monitor the items, as well 
> as display them in some sort of dashboard.
>
>
> I've looked over a number of different sites for rhel/ubuntu/fedora/etc.
> Most of the sites discuss hardening ssh, as well as looking over the 
> services/ports, and managing the users/files/dirs.
>
> I'm thinking the things to check for:
>
> Users/User Accounts
> logins/access
> ports
> services/processes
> files/dirs -perms/user owner
> log files
> Any other things that should be checked/examined/considered?
>
> Once I can get a good list of high level things to check for/secure, I can 
> figure out the tools to use, as well as how to roll all of this up to some 
> sort of dashboard.
>
> So my thought process will be:
> 1) Identify the high level things to check for/secure/monitor for the given 
> Server Type
> 2) Identify the tools to run the scans for the Server Type
> 3) Figure out how to roll the results for each server to a "central 
> monitoring/dashboard process"
>
> Does this make sense?
>
> Thoughts/comments welcome
>
  zeek? Security Onion?
>
> On Tue, Apr 21, 2020 at 9:49 AM Ed Greshko  wrote:
>>
>> On 2020-04-21 21:33, bruce wrote:
>> > Not willing to step on toes. Is asking for opinions on tools to do 
>> > system/security monitoring off topic? Been doing research, thought I'd ask 
>> > here as well - if it's acceptable?
>>
>> Not off topic at all.
>>
>> Fedora supplies tools used in the area.  So, all you would need to do is 
>> outline your goals, what you've learned in your research, and how you'd 
>> like to get help from the community.
>>
>> --
>> The key to getting good answers is to ask good questions.
>


Re: system monitoring/security - possibly off topic

2020-04-21 Thread bruce
Hey Ed.

Thanks for the reply.

Regarding the security/monitoring issue.

Here's my use case:

I'm looking to have multiple servers.
Servers would be running different apps for different purposes.
All Servers running Fed
-DB Server -mysql/mariadb
-Server running webapps/httpd
-Servers running compute operations

All servers configured to run ssh - sshd_config properly configured to
limit access
All servers configured to run with minimal ports turned on
All servers with selinux

My goal would be to have a monitoring/security server/webapp
 that allows a user to quickly "see" if there's an issue
 with any of the servers/processes

I think it makes sense to check/monitor/be alerted if:

-there's a user attempt to access
-there's a ddos on one of the webapps
-there's a root/file issue
-there's a port access issue
-possible intrusion attempts
-weird services used
-any others???


possible software/apps to be installed for security
--rkhunter
--fail2ban
--selinux
--clamav -- although not sure the project would need a mail server/platform
--logMonitoring app (which one)
--app to check file/dir/user settings (which one)
--scanning app/service (which one)
 ---for ports
 ---for services
 ---for log files
 ---for user accounts


I think it makes sense to try to define, or get my head around the things
that should be checked out or monitored. Once I get these things nailed
down, I can figure out the "best" process to be able to monitor the items,
as well as display them in some sort of dashboard.


I've looked over a number of different sites for rhel/ubuntu/fedora/etc.
Most of the sites discuss hardening ssh, as well as looking over the
services/ports, and managing the users/files/dirs.

I'm thinking the things to check for:

Users/User Accounts
logins/access
ports
services/processes
files/dirs -perms/user owner
log files
Any other things that should be checked/examined/considered?

Once I can get a good list of high level things to check for/secure, I can
figure out the tools to use, as well as how to roll all of this up to some
sort of dashboard.

So my thought process will be:
1) Identify the high level things to check for/secure/monitor for the given
Server Type
2) Identify the tools to run the scans for the Server Type
3) Figure out how to roll the results for each server to a "central
monitoring/dashboard process"

Does this make sense?

Thoughts/comments welcome
On Tue, Apr 21, 2020 at 9:49 AM Ed Greshko  wrote:

> On 2020-04-21 21:33, bruce wrote:
> > Not willing to step on toes. Is asking for opinions on tools to do
> system/security monitoring off topic? Been doing research, thought I'd ask
> here as well - if it's acceptable?
>
> Not off topic at all.
>
> Fedora supplies tools used in the area.  So, all you would need to do is
> outline your goals, what you've learned in your research, and how you'd
> like to get help from the community.
>
> --
> The key to getting good answers is to ask good questions.
>
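The three-step plan above (decide what to check, pick the tool, roll the result up to a central dashboard) is easiest to see end to end on one item: the "logins/access" check. The script below is an added example written for this thread, not anyone's tool from the list; it takes sshd log lines in the syslog format Fedora writes to /var/log/secure (or that journalctl -u sshd prints), counts failures per source address, flags fail2ban-style bursts, and produces one JSON record per host, which is the shape a central collector would ingest. The log lines are constructed, the year is assumed (syslog-format lines omit it), and the threshold and window are arbitrary defaults.

```python
"""Added example: per-host sshd login check that emits a JSON record for a
central dashboard. Not the thread's or any listed tool's code; the log
sample is constructed and the year is assumed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Fedora's /var/log/secure format; not a real capture.
SAMPLE_LOG = """\
Apr 21 09:40:01 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 21 09:40:03 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr 21 09:40:05 web1 sshd[2312]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr 21 09:40:06 web1 sshd[2313]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr 21 09:40:08 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 21 09:41:12 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Apr 21 09:42:00 web1 systemd[1]: Started Session 5 of user deploy.
Apr 21 09:55:30 web1 sshd[2330]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Apr 21 09:55:41 web1 sshd[2331]: Accepted password for bob from 198.51.100.9 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2020):
    """Return a dict for an sshd auth outcome line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; it is an assumption supplied by the caller
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "result": m["result"], "method": m["method"],
            "user": m["user"], "invalid_user": m["invalid"] is not None, "ip": m["ip"]}


def burst(times, threshold: int, window: int) -> bool:
    """True if at least `threshold` events fall inside some `window`-second span."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def analyze(lines, threshold: int = 5, window: int = 600) -> dict:
    """Summarize sshd outcomes into the per-host record a collector would ingest."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = defaultdict(list)
    report = {"host": None, "failed_by_source": {}, "brute_force_sources": [],
              "invalid_user_attempts": 0, "root_attempts": 0, "accepted": [],
              "unparsed": sum(1 for l in lines if l.strip()) - len(events)}
    for e in events:
        report["host"] = report["host"] or e["host"]
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
            report["invalid_user_attempts"] += int(e["invalid_user"])
            report["root_attempts"] += int(e["user"] == "root")
        else:
            report["accepted"].append({"user": e["user"], "ip": e["ip"],
                                       "method": e["method"], "ts": e["ts"].isoformat()})
    for ip, ts in failures.items():
        report["failed_by_source"][ip] = len(ts)
        if burst(ts, threshold, window):
            report["brute_force_sources"].append(ip)
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2, sort_keys=True))
```

The "unparsed" counter matters more than it looks: a log format change (a new sshd release, rsyslog templating, a switch to journald output) silently breaks a regex-based check, and a rising unparsed count is the only signal you get. The same record structure, one JSON document per host per check, is what makes step 3 of the plan simple, since every check then ships the same way to the central box.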


Re: system monitoring/security - possibly off topic

2020-04-21 Thread Ed Greshko
On 2020-04-21 21:33, bruce wrote:
> Not willing to step on toes. Is asking for opinions on tools to do 
> system/security monitoring off topic? Been doing research, thought I'd ask 
> here as well - if it's acceptable?

Not off topic at all.

Fedora supplies tools used in the area.  So, all you would need to do is 
outline your goals, what you've learned in your research, and how you'd 
like to get help from the community.

-- 
The key to getting good answers is to ask good questions.