
I am not a system engineer and not a security expert (I am more of a software developer), but I am working on a project related to a SIEM installation (Wazuh). At the moment this installation has only a demo purpose for a customer; at a later time a real scenario project will be implemented. This SIEM will monitor some CentOS 7 machines.

I have the following doubt: we want to monitor when the content of some important files changes.

I was thinking that for a first demo we can monitor events related to these two use cases:

  • When the content of some configurations files changes.
  • When a log file's size decreases (this could indicate tampering with the log files in order to eliminate information about an attack).

What do you think about this? If it makes sense, can you suggest a list of important configuration files and a list of important log files that deserve to be monitored on a Linux system (in particular on a CentOS 7 system)?

Moreover, can you also suggest some directories that have to be monitored in order to prevent, for example, an attacker uploading malicious files?

  • With log rotation the size of a log file may seem to have decreased
    – Bodo
    Commented Mar 2, 2021 at 17:09
  • @Bodo yes I know, but at the moment it is only for demo purposes; at a later time a better approach will be found
    Commented Mar 2, 2021 at 17:14

1 Answer


On a default CentOS 7 install, you can monitor these files for tampering:

# logs
/var/log/secure
/var/log/messages
/var/log/audit/audit.log
# configs
/etc/audit/auditd.conf
/etc/ssh/sshd_config
/etc/sudoers

And some example folders to monitor where files could be uploaded:

# common web server root
/var/www/
/var/www/html/
# common FTP server folder
/ftp/
# root user home directory
/root/

This is not a comprehensive list, but it looks like you just wanted some examples.
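As an added illustration (not part of the question or this answer, and not Wazuh's own code), the script below implements the two checks the question describes against the kind of file list given in this answer: a configuration file is reported when its content hash changes, and a log file is reported only when it shrinks. It also addresses the log-rotation caveat raised in the comments: when the inode of a watched log changes, the file was replaced (as logrotate does), so a smaller size is reported as `rotated` rather than as a suspected truncation. The `demo()` function builds a constructed scenario in a temporary directory; the real paths are listed only for reference.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Paths from the answer above, kept here for reference only; demo() works on
# constructed temporary files so the script can be run without root.
WATCHED_LOGS = ["/var/log/secure", "/var/log/messages", "/var/log/audit/audit.log"]
WATCHED_CONFIGS = ["/etc/audit/auditd.conf", "/etc/ssh/sshd_config", "/etc/sudoers"]


@dataclass(frozen=True)
class Snapshot:
    inode: int   # identifies the file object; changes when the file is replaced
    size: int
    sha256: str  # content hash, used for the configuration-file check


def snapshot(path):
    """Record inode, size and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Snapshot(st.st_ino, st.st_size, h.hexdigest())


def take_baseline(paths):
    """Snapshot every path; missing files are stored as None."""
    base = {}
    for p in paths:
        try:
            base[p] = snapshot(p)
        except FileNotFoundError:
            base[p] = None
    return base


def compare(baseline, paths, kind):
    """Return a list of (path, event) tuples.

    kind == "config": any content change is reported.
    kind == "log":    a changed inode means the file was rotated (replaced),
                      which is informational; a smaller size on the same
                      inode is the suspicious case (truncation)."""
    events = []
    for p in paths:
        old = baseline.get(p)
        try:
            new = snapshot(p)
        except FileNotFoundError:
            if old is not None:
                events.append((p, "deleted"))
            continue
        if old is None:
            events.append((p, "created"))
            continue
        if kind == "config":
            if new.sha256 != old.sha256:
                events.append((p, "content_changed"))
        elif kind == "log":
            if new.inode != old.inode:
                events.append((p, "rotated"))
            elif new.size < old.size:
                events.append((p, "size_decreased"))
    return events


def demo():
    """Constructed scenario: one config edited, one log truncated,
    one log rotated (renamed and recreated), one log only appended to."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")
        truncated = os.path.join(d, "secure")
        rotated = os.path.join(d, "messages")
        growing = os.path.join(d, "audit.log")
        for p in (cfg, truncated, rotated, growing):
            with open(p, "w") as f:
                f.write("line 1\nline 2\nline 3\n")
        cfg_base = take_baseline([cfg])
        log_base = take_baseline([truncated, rotated, growing])

        with open(cfg, "a") as f:          # configuration content changes
            f.write("Port 2222\n")
        with open(truncated, "w") as f:    # same inode, earlier lines gone
            f.write("line 3\n")
        os.rename(rotated, rotated + ".1")  # logrotate-style: new inode
        with open(rotated, "w") as f:
            f.write("")
        with open(growing, "a") as f:      # normal growth: no event
            f.write("line 4\n")

        return {"config": compare(cfg_base, [cfg], "config"),
                "log": compare(log_base, [truncated, rotated, growing], "log")}


if __name__ == "__main__":
    for kind, events in demo().items():
        for path, event in events:
            print(f"{kind}: {os.path.basename(path)} -> {event}")
```

Running the script prints one `content_changed` event for the edited configuration file, one `size_decreased` event for the truncated log and one `rotated` event for the replaced log; the appended-to log produces nothing. A real deployment would persist the baseline between runs and compare on a schedule, which is the role Wazuh's file integrity monitoring plays.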
