AUDITD BY EXAMPLE - MONITORING PROCESS EXECUTION

A fellow Brakeing Down Security slacker, Ceafin, asked a fun question to the group at large.

TRACKING DOWN SILENT SELINUX DENIES

The Setup

Let’s paint a picture of a fun scenario. In my home lab I run a mix of CentOS and Windows: Windows for Active Directory and those Windows-specific apps, CentOS for most everything else. For CentOS systems I use Spacewalk as an inventory and patch distribution system. While Spacewalk is pretty dang heavy for such a simple workflow, it at least keeps me tuned into what is likely to be found in production environments. Rather than using local accounts in Spacewalk I configured it to use PAM, which in turn uses pam_krb5 connected to my lab’s Windows domain.

AUDITD BY EXAMPLE - TRACKING FILE CHANGES

ServerFault user ewwhite describes a rather interesting situation regarding application distribution wherein code must be compiled in production. In short, he wants to keep track of changes to a specific directory path and send alerts via email.
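As an added example that serves both auditd posts above (it is not code from either post, nor from Ceafin’s or ewwhite’s questions), here is a small Python parser that turns raw audit.log records into alert summaries for both cases: process executions caught by an execve rule and writes caught by a directory watch. It assumes rules of the form `-a always,exit -F arch=b64 -S execve -k exec` and `-w /srv/app -p wa -k srcdir` (the paths and key names are my own choices), groups records by the serial number inside `msg=audit(ts:serial)`, and builds an email message without sending it. The sample log lines are constructed for the example.

```python
"""Summarize auditd events by rule key: process execution and watched-file changes."""
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample records (not from the original posts). Serial 101 is an
# execve caught by a rule keyed "exec"; serial 102 is a file create under a
# watched directory keyed "srcdir". Field layout follows the raw audit.log format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1425000000.123:101): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=1a2c a2=1a2d a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1425000000.123:101): argc=2 a0="id" a1="-u"
type=CWD msg=audit(1425000000.123:101):  cwd="/home/user"
type=PATH msg=audit(1425000000.123:101): item=0 name="/usr/bin/id" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1425000000.456:102): arch=c000003e syscall=2 success=yes exit=3 a0=2b3c a1=241 a2=1b6 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="srcdir"
type=CWD msg=audit(1425000000.456:102):  cwd="/srv/app"
type=PATH msg=audit(1425000000.456:102): item=0 name="/srv/app/" inode=5678 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1425000000.456:102): item=1 name="/srv/app/config.rb" inode=5679 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The msg field carries the timestamp and the per-event serial number.
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_records(text):
    """Group raw audit records into events keyed by serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        m = MSG_RE.search(fields.get("msg", ""))
        if not m:
            continue  # not an audit record; skip it
        fields["_ts"], fields["_serial"] = m.group(1), int(m.group(2))
        events[fields["_serial"]].append(fields)
    return events


def summarize(event):
    """Reduce one event's records to the fields an alert needs, or None."""
    syscalls = [r for r in event if r["type"] == "SYSCALL"]
    if not syscalls:
        return None  # e.g. USER_START records carry no SYSCALL line
    sc = syscalls[0]
    summary = {
        "key": sc.get("key"), "ts": sc["_ts"], "auid": sc["auid"],
        "pid": sc["pid"], "exe": sc["exe"], "success": sc["success"] == "yes",
    }
    execve = [r for r in event if r["type"] == "EXECVE"]
    if execve:
        # a0..aN are the argv entries. Note: raw logs hex-encode arguments that
        # contain spaces or non-printables (no quotes); ausearch -i decodes them.
        argc = int(execve[0]["argc"])
        summary["argv"] = [execve[0][f"a{i}"] for i in range(argc)]
    # Skip the PARENT entry so the alert names the file, not its directory.
    summary["paths"] = [(r["name"], r["nametype"]) for r in event
                        if r["type"] == "PATH" and r["nametype"] != "PARENT"]
    return summary


def alerts(text, keys):
    """Return summaries, in serial order, for events tagged with one of `keys`."""
    out = []
    for _, event in sorted(parse_records(text).items()):
        s = summarize(event)
        if s and s["key"] in keys:
            out.append(s)
    return out


def build_alert_email(summary, sender, recipient):
    """Build (but do not send) the notification for one summarized event."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = (f"[auditd] key={summary['key']} auid={summary['auid']} "
                      f"exe={summary['exe']}")
    msg.set_content("\n".join(f"{k}: {v}" for k, v in summary.items()))
    return msg


if __name__ == "__main__":
    # Hypothetical addresses; hand the message to smtplib or sendmail to deliver.
    for s in alerts(SAMPLE_LOG, {"exec", "srcdir"}):
        print(build_alert_email(s, "auditd@lab.example", "ops@lab.example"))
```

In practice you would feed this the output of `ausearch -k srcdir --raw` (or tail audit.log directly) on a timer, and keep the `-w` rule scoped tightly: watching a build tree that is compiled in production will generate a PATH record for every object file written, so filter on `nametype` and file extension before paging anyone.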

UPGRADING TO GRAYLOG 1.0 GA

A few things to keep in mind. First, a name change. During the 0.X versions the software was called Graylog2. Starting with the release of 1.0 the name was changed to Graylog. I’m pretty happy about the change. Graylog2 was a bit of a mouthful, and including version numbers in package names has always annoyed me anyway. However, the rename makes the upgrade a bit harder.

A RETENTION COMPLICATION

After going through the retention schedule exercise on our infrastructure log management system I ran into a bit of an interesting situation. First, some background.

BETTER USE OF OFFICE 365 AS A SMART HOST WITH POSTFIX

A while ago I wrote a post on how I managed to get my systems integrated with Office 365 to send email notifications. At the time the method I used worked well enough, but it was annoying. Every system had to log in individually, which meant the username and password had to be distributed to every system. Certainly not my favorite thing.

RUNNING SSH ON NON-DEFAULT PORTS

Earlier this week I saw this tweet. There are a few topics that seem to come up with some regularity, and running applications on non-standard ports is definitely one of them. Like everyone else I have some opinions.

MY THOUGHTS ON RETENTION

Sometimes I feel like Records Retention is the red-headed stepchild. It’s obviously important; almost every regulation that covers us talks about it to one extent or another. There’s a base assumption under the major frameworks that retention is happening1. Having a policy around records management is even a requirement under SOX, and for certain classifications of data under PCI-DSS and HIPAA. Despite all this, based on my experience, retention schedules are often amongst the last policies to be built and the least likely to be enforced.

SECCUBUS ON UBUNTU - THE MISSING MANUAL

My tool of choice for vulnerability scanning has always been Nessus, going all the way back to when it was properly open source and the ‘Experimental Checks’ checkbox was a surefire way to crash your target. Since going fully commercial it’s only gotten better, and the current interface is very clean and polished. The biggest downside is that each scan is treated as a stand-alone unit, so the application itself can’t do any kind of trending or inter-scan analysis. The company does provide a tool that does exactly this, but it costs money. Compared to many tools it’s still somewhat cheap, but I can think of many places I would rather spend the funds.

MIGRATING GRAYLOG SERVERS - PART 6 - LESSONS LEARNED

This is the sixth and final post in a multi-part series where I explore the process of transforming an existing Graylog install into a resilient and scalable multi-site installation. Start here for Part 1.