
I am not a security expert (I am more of a software developer) and I am working on a project related to a SIEM installation (Wazuh). This installation is only a demo for a customer; later on, a real-scenario project will be implemented. This SIEM will monitor some CentOS 7 machines.

I have the following doubt: we want to put under monitoring when some important file changes.

I was thinking that for a first demo we can monitor events related to these two use cases:

  • When the content of some configurations files changes.
  • When a log file's size decreases (this could indicate tampering with the log files in order to eliminate information about an attack).

What do you think about this? If it makes sense, can you suggest a list of important configuration files and a list of important log files that deserve to be monitored on a Linux system (in particular on a CentOS 7 system)?

Moreover, can you also suggest some directories that have to be monitored in order to prevent, for example, an attacker uploading malicious files?
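The second use case above (a log file whose size decreases), as an added example that is not part of the original question or of Wazuh: a small Python check that compares inode and size between two snapshots, so an in-place truncation is flagged while a logrotate-style rename (new inode) is only reported as informational. The file names and log lines are constructed for the demo.

```python
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class LogState:
    inode: int
    size: int

def snapshot(paths):
    """Record inode and size of each monitored log file that currently exists."""
    state = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        state[path] = LogState(inode=st.st_ino, size=st.st_size)
    return state

def detect_shrink(previous, current):
    """Return (path, verdict) pairs: 'missing', 'rotated' (new inode) or
    'truncated' (same inode, smaller size, which is what tampering looks like)."""
    findings = []
    for path, old in previous.items():
        new = current.get(path)
        if new is None:
            findings.append((path, "missing"))
        elif new.inode != old.inode:
            findings.append((path, "rotated"))      # legitimate rotation, not an alert
        elif new.size < old.size:
            findings.append((path, "truncated"))    # rewritten in place: investigate
    return findings

def demo():
    """Constructed scenario: one log truncated in place, one rotated by logrotate."""
    line = "Jan 01 00:00:00 host sshd[1]: Accepted password for admin\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        secure, messages = os.path.join(d, "secure"), os.path.join(d, "messages")
        for p in (secure, messages):
            with open(p, "w") as fh:
                fh.write(line * 20)
        before = snapshot([secure, messages])
        with open(secure, "w") as fh:            # in-place rewrite drops 19 of 20 lines
            fh.write(line)
        os.rename(messages, messages + "-old")   # rotation: rename, then a fresh file
        open(messages, "w").close()
        return sorted(v for _, v in detect_shrink(before, snapshot([secure, messages])))
```

Run `demo()` to see the two verdicts; in a real deployment the snapshot itself must be kept off the monitored host, since an attacker who can truncate the log can also edit a local baseline.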

2 Answers


Briefly: for collecting logs, you use Wazuh/OSSEC. For maximum control over tampering with your logs/configs/system, you use auditd, and you collect its logs along with the others.


I'll answer these backwards in order to hopefully make the reasoning clearer. With regards to the second question: the contents of local log files stored on disk should always be considered untrustworthy. Logs should be forwarded to a SIEM in real-time, precisely to avoid an attacker being able to cover their tracks. How you can accomplish this:

Traditionally, syslog daemons like rsyslog or syslog-ng would dump system logs under /var/log. However, CentOS 7 uses systemd as its init system and thus journald for syslog. What you will want to do is integrate with journald such that its logs are forwarded to the SIEM. There are several options to do this, such as systemd-netlogd (this solution is unofficially endorsed by Lennart Poettering). You can read about other options for accomplishing this here, here or here. Most SIEMs will accept RFC5424-style syslog over UDP port 514.

To accomplish the first, you will need a File Integrity Monitoring tool. The open source standard is OSSEC (wiki, site, source). Similar to the above, alerts should be sent to the SIEM as they are generated, rather than being stored on disk - the documentation on how to do that is here.

OSSEC already comes with a large suite of predefined profiles for monitoring security-sensitive locations and other possibly interesting security events. Beyond the defaults, you will want to have a security professional further configure it for specific events or changes they are interested in, and you will also want to have a developer on the project in question work with that professional to also configure it for sensitive modifications specific to that project. Plus, it looks better to the client to present a solution which is specific to their project, rather than just a generic one for monitoring an arbitrary CentOS system.

If required, there are also commercial FIM solutions, such as Carbon Black, that you may look into.
