Many information security leaders have significant deployments on open-source operating systems based on the Linux kernel, and for good reason. Linux distributions like Debian and Ubuntu have a reputation for visibility and security at a price that's impossible to beat – they're 100% free.
Even enterprise-ready subscription-based distributions like Rhel typically cost much less than a proprietary solution with similar capabilities. But Linux itself isn't free from security vulnerabilities, and security leaders need to take concrete steps to protect Linux systems from cyberattacks.
Linux stores a timeline of events involving its server, kernel, and applications. These logs record activities like logins, password changes, file modifications, and more. Logs contain raw data describing what happened to a specific system at a specific time. If the data surrounding these events indicate a potential security breach, they become incidents that require investigation.
The strengths and weaknesses of your organization's security posture are reflected in this log data. The problem is that most information security teams generate more log data than they can efficiently process. Security information and event management (SIEM) platforms help security teams prioritize and interpret log data more effectively.
Most Linux log directories fit into one of four primary categories:
Linux allows users to view log data directly through its command line interface. There is more than one way to view log data through the command line:
Of these options, Auditd presents the most modern approach for handling security incident investigations. It is native to the Linux kernel and provides visibility into three distinct areas – system calls, file access, and pre-configured auditable events.
These three event categories enable analysts to audit many different types of activities in Linux, including authentications, abnormal application terminations, program executions, and more. When the audit rules are triggered, the Linux Audit System outputs a record describing the activity.
This record can provide ample data for investigating security incidents and identifying attacks. Optimizing this capability requires writing custom rules to generate more descriptive logs than the system default. The Linux Auditing System supports more than 200 audit event fields, enabling analysts to describe log events with precision.
The audit package contains pre-configured rule files based on four different certification standards. Depending on your organization's specific needs, one of these rule files may be an appropriate starting point for building a custom ruleset:
Once Linux has an appropriate set of audit rules to follow, viewing the logs those rules generate is simple. By default, Linux stores them in /var/log/audit/audit.log, but the resulting file is too dense to be useful in a time-critical security context. Most users prefer native audit record query commands like ausearch, aureport, and the audisp-remote plugin.
Centralized analysis through a log management system or a SIEM platform is also possible. It might be necessary to employ a job scheduling utility to periodically send local audit logs to the platform. Alternately, hosts that generate audit logs could write directly to an event streaming tool like Apache Kafka.
The following is a quick list of Linux log files Exabeam users frequently use when conducting incident investigations:
Security analysts using Exabeam to investigate Linux system events should use these log files to examine user and terminal IDs, login attempts, and system configuration changes. Analysts must have visibility into running executable processes on the machine and be able to view security-related events (like the activation or de-activation of cybersecurity tools) in real-time.
As an experienced managed detection and response provider, Lumif is well-equipped to help enterprise IT leaders determine the level of logging ideal for an optimal security posture. Rely on our expertise to specify which log events should generate security alerts, and what level of priority each alert should have.
Speak with a Lumifi expert and learn how you can protect Linux systems from cyberattacks.