linuxcbt key files edition

Upload: michael-goldsmiths

Post on 12-Oct-2015


TRANSCRIPT

5/21/2018 LinuxCBT Key Files Edition

### Key Files ###
Features:
1. Key files and directories that are present across-the-board on Linux systems
2. Pertain to security due to the sensitive nature of the files
Note: "files" here also covers directories (mode 'd---------')

### '/boot' ###
Present on all Linux systems
Features:
1. Houses the Kernel
2. INITRD || INITRAMFS (present on modern implementations)
3. GRUB and related files
4. Post-BIOS, '/boot' is consulted for the various stages of boot

5. Typically provisioned as a dedicated partition to ensure the system can boot
6. Traditionally, '/boot' (or the BOOT environment of other OSs) has been abstracted/separated from other volumes, i.e. Windows (C: (OS) ... (Exchange || MS SQL) || etc.)
Files:
1. 'config*' - Kernel configuration options (the options used to compile the Kernel)
   'uname -a' - reveals the kernel version, which can be correlated to '/boot/{config*,init*,vmlinuz*}'
   a. Text files
   b. Contain options such as: 'y' = built-in (static), 'm' = modular support
2. 'initrd || initramfs' - initial RAM disk - loaded by GRUB to set up the environment
   a. Used to load the drivers needed to mount '/' (root)
   Note: From a security perspective, checksum 'config*' && 'init*' && 'vmlinuz*' && 'System.map*'
3. 'vmlinuz*' - the Linux Kernel
   a. MUST match 'initrd'
4. 'System.map*'
   a. Symbol table for the Kernel image, used by Kernel modules and tools
Note: '/boot' need NOT be separated from '/'
Note: Ensure that backup procedures ALWAYS include '/boot'
du -chs /boot/

### INIT ###
Features:

1. First user-space process
2. PID = 1
3. Parent of all user-space processes on *Nix systems (Linux | Unix)
4. Loads the user-space environment
Files:
1. '/etc/inittab' - primary configuration file - read by '/sbin/init'
   i.e. 'id:5:initdefault:' - default runlevel
2. '/etc/init.d/' - houses daemons | services, interface configuration scripts, etc.
   Note: Similar to 'services.msc' on Windows
   Note: Whether or not a service | daemon runs in the current runlevel is not important here
   Note: This is where third-party RC scripts should be placed
3. '/etc/rc.*' - run control scripts for the appropriate runlevels
   'runlevel' - confirms the current and, optionally, the previous runlevel
   a. '/etc/rc.d/' (rc0.d ... rc6.d) - contains ALL K* and S* scripts to be executed by 'rc' in a given runlevel
   b. '/etc/rc.d/rc' - script which processes the K* and S* scripts of a distinct runlevel
   c. '/etc/rc.d/rc.sysinit' - items that should run regardless of runlevel when the system is invoked
   d. '/etc/rc.d/rc.local' - place third-party programs here to be launched post-runlevel-invocation
Note: 'sha256sum /etc/init.d/*' generates checksums for later reference


Note: The RPM DB provides checksums for installed files, i.e. '/sbin/init'; however, if the RPM DB is corrupted, then you may be trojaned without your knowledge
rpm -qf /sbin/init
Note: Various SYSTEM V systems use different daemon | service names; however, the startup is virtually the same
Note: Part of your checksum checks could also include file size
Note: For security purposes, store your checksums on a remote system
Note: Use BASH, Perl, Python, etc. to take snapshots
Note: Consider taking snapshots manually to mitigate compromised-system threats
Note: A malicious, unauthorized user may compromise an automated checksum check to publish, to the aggregation system, data consistent with your expectation
Note: If you automate checksum checks, consider manually spot-checking, on a somewhat random basis, the checksums that are generated
Note: Also ensure that you checksum the checksum-generation script, in the event an unauthorized user changes the behavior of the script
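The snapshot/compare routine the notes above describe, written out as an added example (it is not part of the LinuxCBT material). It records sha256, size and mode for every regular file under the given paths (so a flipped SETUID bit or a size change is caught, not only a content change), diffs a later snapshot against the stored baseline, and carries its own digest under an assumed '__script__' key so the checker itself is part of what you verify. The file name 'integrity.py' in the usage comments is an assumption; run it as root for '/boot' and keep the JSON it writes on a remote host, as the notes recommend.

```python
"""Snapshot file integrity (sha256 + size + mode) and diff it against a baseline.

Added example, not from the LinuxCBT notes.  Point it at /boot, /etc/init.d,
/sbin/init or any other path, store the JSON off-host, compare later.  The
'__script__' key carries this script's own digest; an attacker who can edit
this file can also edit that check, so the copy kept off-host is what counts.
"""
import hashlib
import json
import os
import stat
import sys


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(path):
    st = os.lstat(path)
    return {"sha256": sha256_file(path), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode))}


def snapshot(paths):
    """{path: {sha256, size, mode}} for every regular file under each path.

    Mode is recorded so a flipped SETUID bit is caught even when the content
    is unchanged; symlinks are skipped so a swapped link cannot mask a target.
    """
    result = {}
    for top in paths:
        if os.path.isfile(top) and not os.path.islink(top):
            result[top] = _entry(top)
            continue
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                p = os.path.join(dirpath, name)
                if not os.path.islink(p) and os.path.isfile(p):
                    result[p] = _entry(p)
    return result


def compare(baseline, current):
    """Added, removed and changed files between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        diffs = {k: (baseline[p][k], current[p][k])
                 for k in ("sha256", "size", "mode") if baseline[p][k] != current[p][k]}
        if diffs:
            changed[p] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def self_digest():
    """sha256 of this script, recorded with the baseline and re-verified on compare."""
    return sha256_file(os.path.abspath(globals().get("__file__") or sys.argv[0]))


if __name__ == "__main__":
    # integrity.py snapshot /boot /etc/init.d /sbin/init > baseline.json
    # integrity.py compare baseline.json /boot /etc/init.d /sbin/init
    if len(sys.argv) < 3:
        sys.exit("usage: integrity.py snapshot PATH... | compare BASELINE.json PATH...")
    if sys.argv[1] == "snapshot":
        snap = snapshot(sys.argv[2:])
        snap["__script__"] = {"sha256": self_digest(), "size": 0, "mode": "0o0"}
        json.dump(snap, sys.stdout, indent=1)
    else:
        with open(sys.argv[2]) as f:
            base = json.load(f)
        script = base.pop("__script__", None)
        if script and script["sha256"] != self_digest():
            print("WARNING: checker script differs from the baselined copy", file=sys.stderr)
        print(json.dumps(compare(base, snapshot(sys.argv[3:])), indent=1))
```

Symlinks are deliberately skipped rather than followed: recording the target through the link would let an attacker point the link elsewhere without changing any recorded digest, so baseline the real paths.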

### Kernel Modules ###
Features:
1. Kernel modules for myriad categories: CPU frequency, networking, sound, etc.
2. Referenced via '/lib/modules/$(uname -r)'
3. Each accessible | available Kernel has its own '/lib/modules/$(uname -r)'
   a. 'modules.alias' - shortcuts (aliases) for module names
   b. 'modules.dep' - module dependencies - paths are relative to '/lib/modules/$(uname -r)'
   c. 'kernel/*' - categorical storage of modules per Kernel version

lsmod - reveals loaded modules from '/proc/modules'; correlate loaded modules to '/lib/modules/*'
find ./ -name 'cpufreq*'   (from within '/lib/modules/$(uname -r)')
'modinfo cpufreq_stats' - returns MORE information about a module
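Correlating what 'lsmod' reports with the installed module tree, as an added example (not from the LinuxCBT notes): a module present in '/proc/modules' but absent from 'modules.dep' was not installed with the running kernel's tree, which is the case for an out-of-tree build, a manual 'insmod', or a rootkit that does not bother to hide from '/proc/modules'. The two sample inputs are constructed; 'unknown_mod' is a placeholder name, and the '(OE)' tag on it is the kernel's own marker for an out-of-tree, unsigned module. A rootkit that unlinks itself from the module list will not show up here at all, so treat an empty result as "nothing obvious", not "clean".

```python
"""Correlate loaded modules ('/proc/modules') with the installed module tree
('/lib/modules/$(uname -r)/modules.dep').

Added example, not from the LinuxCBT notes.  Sample inputs are constructed;
on a live host pass the contents of the real files.
"""
import os


def parse_proc_modules(text):
    """'/proc/modules' lines: name size refcount users state address [tags] -> {name: size}."""
    loaded = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            loaded[fields[0]] = int(fields[1])
    return loaded


def parse_modules_dep(text):
    """'modules.dep' lines: 'kernel/x/y.ko: kernel/a.ko kernel/b.ko' -> {name: path}."""
    installed = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        path = line.split(":", 1)[0].strip()
        name = os.path.basename(path)
        for suffix in (".ko.xz", ".ko.gz", ".ko.zst", ".ko"):
            if name.endswith(suffix):
                name = name[: -len(suffix)]
                break
        # the kernel reports module names with '_' even when the file uses '-'
        installed[name.replace("-", "_")] = path
    return installed


def unlisted_modules(proc_modules_text, modules_dep_text):
    """Names of loaded modules absent from modules.dep, in /proc/modules order."""
    loaded = parse_proc_modules(proc_modules_text)
    installed = parse_modules_dep(modules_dep_text)
    return [name for name in loaded if name not in installed]


# constructed sample data; 'unknown_mod' stands in for anything not shipped with the kernel
SAMPLE_PROC_MODULES = """\
cpufreq_stats 20480 0 - Live 0xffffffffc0aa0000
ipv6 528384 42 - Live 0xffffffffc09d0000
unknown_mod 16384 0 - Live 0xffffffffc0b10000 (OE)
e1000 176128 0 - Live 0xffffffffc0a20000
"""

SAMPLE_MODULES_DEP = """\
kernel/drivers/cpufreq/cpufreq_stats.ko:
kernel/net/ipv6/ipv6.ko:
kernel/drivers/net/ethernet/intel/e1000/e1000.ko:
kernel/drivers/scsi/scsi-transport-spi.ko: kernel/drivers/scsi/scsi_mod.ko
"""

if __name__ == "__main__":
    # live use:
    #   with open("/proc/modules") as a, open(f"/lib/modules/{os.uname().release}/modules.dep") as b:
    #       print(unlisted_modules(a.read(), b.read()))
    for name in unlisted_modules(SAMPLE_PROC_MODULES, SAMPLE_MODULES_DEP):
        print("loaded but not in modules.dep:", name)
```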

'/etc/modprobe.d/' - configuration of specific modules (options, blacklists)
dmesg - Kernel ring buffer; shows module load messages

### '/proc/' ###

Features:
1. Run-time Kernel configuration options - '/proc'
2. Virtual, in-memory file system
3. User-space tools derive key information from '/proc/'
   df -h | grep proc
   mount | grep proc
4. Stores the PIDs of running processes, i.e. '/proc/PID' - '/proc/1'
5. Contains many in-memory, zero-byte files, since the content is generated on demand
PID directories
'/proc/PID/cmdline' - the command line of that process
'/proc/cmdline' - returns the most recent invocation of the OS (the Kernel command line), i.e.
   'ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet'
   i.e. Debian '/proc/cmdline': 'BOOT_IMAGE=/boot/vmlinuz-3.8.0-36-generic root=UUID=56a7fe0d-1d1c-4aa5-82ad-59dedb0177b3 ro'
   Note: You can review the UUID or storage block referenced here (blkid)
'devices' - reveals detected/supported devices
'filesystems' - returns the Kernel-supported file systems
'partitions' - returns the known partitions on the system
   fdisk -l
'swaps' - active swap areas


   swapon --help
   swapon -s
'cpuinfo' - use this to determine:
   a. Number of present CPUs
   b. Features supplied by the present CPUs
'meminfo' - returns the memory configuration in detail
'/proc/net/' - network details
   arp -a
   arp -an
'/sys/' - reflects current usage of system resources in a number of categories, i.e. 'net', 'audio', 'video', etc.
grep proc /etc/fstab
Note: Ensure the integrity of '/etc/fstab' upon each system boot, i.e. ensure that '/proc/' is mounted

### '/[usr/][local/]sbin' ###
Features:
1. Mostly privileged binaries
2. Some binaries are executable by non-privileged users via SETUID
3. '/sbin/' - $SHELL tools || daemons || services
4. '/usr/[local/]sbin' - $SHELL tools || daemons || services, i.e. 'anacron', 'ntpd', 'crond', 'sshd'

SETGID examples:
1. '/usr/sbin/post[dq]*' (Postfix 'postdrop', 'postqueue') - these files are flagged SETGID to ensure consistent permissions for the files they create
   ps -ef | grep post

Examples of privileged binaries || scripts:
1. 'dhclient'
   find /[usr/[local/]]sbin -name 'dhc*'
   find / -name 'dhclient'
   rpm -qf $(which dhclient)
2. 'arp'
   arp -an
3. 'ifconfig'
   dpkg -S $(which ifconfig)
   rpm -qf $(which ifconfig)
   rpm -ql net-tools
4. 'route'
5. 'ip[6]tables*'
6. 'fdisk' - manipulate partition tables
   fdisk -l
7. 'parted' - manipulate partition tables
8. 'lv* | pv* | vg*' - LVM tools
9. 'blkid' - UUIDs - guard as well, because a corrupted 'blkid' could yield incorrect UUIDs that you may inadvertently use and corrupt your system
10. 'mke2fs && mkfs.*'
    Note: Use a third-party tool such as AIDE to guard the integrity of these important files
11. 'lsmod'
12. 'modprobe'
13. 'adduser || useradd || usermod || userdel'
14. 'reboot || shutdown || restart'
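Enumerating the SETUID/SETGID binaries under the sbin (and bin) directories, as an added example that is not part of the LinuxCBT notes. It lists every regular file carrying either bit, with owner and mode, and flags any that are also group- or world-writable, since a writable privileged binary can be replaced by an unprivileged user. The default directory list in the usage section is an assumption; diff the output against the list taken at install time.

```python
"""Enumerate SETUID/SETGID files under given directories and flag the risky ones.

Added example, not from the LinuxCBT notes.  Compare its output against a
baseline taken at install time; a new setuid file is a finding.
"""
import os
import stat


def find_privileged(paths):
    """Sorted [(path, mode, uid, gid)] for regular files with the setuid or setgid bit."""
    found = []
    for top in paths:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks: the bits on the target are what count
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append((p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return sorted(found)


def writable_privileged(entries):
    """Subset of find_privileged() output that is group- or world-writable."""
    return [e for e in entries if e[1] & (stat.S_IWGRP | stat.S_IWOTH)]


def describe(entry):
    """Render an entry as one line, with a WRITABLE marker when dangerous."""
    path, mode, uid, gid = entry
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    flag = " WRITABLE" if mode & (stat.S_IWGRP | stat.S_IWOTH) else ""
    return f"{oct(mode)} uid={uid} gid={gid} {'+'.join(bits)}{flag} {path}"


if __name__ == "__main__":
    import sys
    # assumed default search list; pass your own directories as arguments
    dirs = sys.argv[1:] or ["/sbin", "/usr/sbin", "/usr/local/sbin", "/bin", "/usr/bin"]
    entries = find_privileged(dirs)
    for e in entries:
        print(describe(e))
    if writable_privileged(entries):
        print("!! writable privileged binaries present")
```

The same walk can be done with 'find /sbin /usr/sbin -perm /6000 -type f'; the point of the Python version is that its result is data you can baseline and diff, as with the checksum snapshot earlier.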

### System Control Configuration '/etc/sysctl.conf' ###
Features:
1. Alters the start-up || run-time Linux Kernel options exposed under '/proc/sys'
2. Facilitates run-time Kernel option manipulation, i.e. dynamic changes to the Kernel, akin to dynamic changes on a router
3. User-space tool: 'sysctl' - to manipulate run-time Kernel options
   Note: Ensure its ('/sbin/sysctl') integrity
4. Global startup configuration file: '/etc/sysctl.conf'
Tasks:
1. Use 'sysctl' to dump variables
   a. 'sysctl -a' - enumerates the Kernel run-time variables
2. Set some simple variables
   a. sysctl "kernel.domainname=linuxcbt.internal"
   b. sysctl "kernel.pty.max=8192" - useful for very busy, shared servers

      sysctl kernel.pty.max
      Example of exhausting PID max: $USER -> pty/N -> PIDs -> (numerous PIDs), i.e. Nessus, Nmap
      Note: The Kernel will usually log messages to /var/log/messages && the console (critical)
   c. sysctl "kernel.pid_max=65536"
3. Ensure that tweaked variables persist: '/etc/sysctl.conf'
   a. # LinuxCBT Classroom System Performance Kernel Tweaks
      kernel.domainname = linuxcbt.internal
      kernel.pty.max = 8192
      kernel.pid_max = 65536
4. Ensure that values take effect immediately
   a. 'sysctl -p' - reads /etc/sysctl.conf
   Note: Errors reading values appear immediately on the terminal
Note: System control (sysctl) influences the Kernel directly and dynamically
Note: If '/etc/sysctl.conf' is corrupted, your Kernel will misbehave
Note: An improper '/etc/sysctl.conf' could result in:
1. Failure to boot the system, resulting in a Kernel panic
2. Intermittent application behavior
3. Extremely slow application responses
4. Dropped connections: TCP, UDP, SCTP && application level
Note: Monitor '/etc/sysctl.conf' using appropriate integrity tools
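A sysctl.conf checker, added here as an example (not from the LinuxCBT notes): it parses the 'key = value' file syntax (comments, a leading '-' meaning "ignore errors", and the 'net/ipv4/...' slash form sysctl also accepts), maps each key to the '/proc/sys' file the Kernel exposes it through, and reports drift between the file and a set of expected values. The SAMPLE_CONF contents and the EXPECTED dictionary are constructed; the first two expected keys are the values set in the notes above, the other three are hardening values chosen for the demonstration. live_value() reads the running Kernel, so the same drift check can be run against '/proc/sys' as well as against the file.

```python
"""Parse sysctl.conf, map keys to '/proc/sys' files and check for drift.

Added example, not from the LinuxCBT notes.  SAMPLE_CONF and EXPECTED are
constructed for the demonstration.
"""


def parse_sysctl_conf(text):
    """{key: value} from sysctl.conf text; later entries override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("-"):          # '-key = value': sysctl ignores errors for it
            line = line[1:].lstrip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # sysctl accepts 'net/ipv4/ip_forward' as well as the dotted form
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def proc_path(key):
    """'kernel.pid_max' -> '/proc/sys/kernel/pid_max'."""
    return "/proc/sys/" + key.replace(".", "/")


def check_drift(settings, expected):
    """{key: (expected, actual_or_None)} for keys that differ from or are missing in settings."""
    drift = {}
    for key, want in expected.items():
        have = settings.get(key)
        if have is None or have.split() != want.split():
            drift[key] = (want, have)
    return drift


def live_value(key):
    """The running Kernel's value, or None if the key does not exist on this host."""
    try:
        with open(proc_path(key)) as f:
            return f.read().strip()
    except OSError:
        return None


SAMPLE_CONF = """\
# LinuxCBT Classroom System Performance Kernel Tweaks
kernel.domainname = linuxcbt.internal
kernel.pty.max = 8192
kernel.pid_max = 65536
net/ipv4/ip_forward = 1
-net.ipv4.conf.all.rp_filter = 0
"""

# constructed expectations: the two values from the notes plus three hardening keys
EXPECTED = {
    "kernel.pty.max": "8192",
    "kernel.pid_max": "65536",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "kernel.kptr_restrict": "1",
}

if __name__ == "__main__":
    drift = check_drift(parse_sysctl_conf(SAMPLE_CONF), EXPECTED)
    for key, (want, have) in sorted(drift.items()):
        print(f"{proc_path(key)}: expected {want!r}, file has {have!r}, kernel has {live_value(key)!r}")
```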

### '/etc/[x]inetd.conf' ###
Features:
1. Auto-spawned services || daemons, as needed
2. Reduces consumption of resources: CPU | memory
3. Resource control
4. Forwarding of ports (XINETD)
5. Extends the traditional '/etc/init.d' spawning of services || daemons
   yum install xinetd
   apt-get install xinetd
6. '/etc/xinetd.conf' - primary XINETD config file
7. '/etc/inetd.conf' - primary traditional inetd config file - Debian and derivatives
8. '/etc/xinetd.d/' - this directory is read for the individual XINETD-controlled service || daemon files
Tasks:
1. Explore a typical XINETD setup
   a. '/etc/xinetd.conf' - primary config
   b. '/etc/xinetd.d/' - primary config container for individual services || daemons
   Note: It is up to you to ensure that XINETD && INETD services are disabled as needed
   yum search tftp
   yum install tftp-server


   apt-get install tftpd
   Note: 'grep disable /etc/xinetd.d/*' - to determine enabled services
   Note: This will not show services that are defined sans a 'disable = yes' line (a service with no 'disable' line at all is enabled)
   Note: 'netstat -nutlp | grep xinetd' - reveals the XINETD-controlled services that are listening
   Note: Importance: trojans and unauthorized processes can be easily invoked via XINETD
   Note: Because XINETD is more advanced than INETD, look out for services that merely forward ports in '/etc/xinetd.d'
   Note: You should also remove superfluous XINETD files from '/etc/xinetd.d', i.e. the small TCP/IP services (echo, chargen, daytime, discard, time)
2. Explore a typical INETD setup
   a. '/etc/inetd.conf' - primary configuration file
   Note: INETD systems tend to lump ALL services || daemons into 1 monolithic file
   Note: INETD systems will load the services || daemons from '/etc/inetd.conf' that are NOT commented out
   Note: As with XINETD, the small TCP/UDP services are referenced, but commented out, in '/etc/inetd.conf'
   Note: Consider removing the small TCP/UDP services from '/etc/inetd.conf'

   b. Disable TFTP
   c. Disable Samba SWAT
   d. Disable ALL mail-retrieval protocols (POP3, IMAP) spawned by the super-server
      invoke-rc.d openbsd-inetd restart

Note: If all services managed by XINETD | INETD are disabled, stop the super-server itself, which releases/avails its resources
Note: Both XINETD | INETD control traditional inetd-style services, i.e. telnet, FTP, TFTP, and even SSHD when run in inetd mode ('sshd -i')
Note: Debian-derived systems ALSO support XINETD; however, INETD ('openbsd-inetd') is the traditional super-server
Note: There is a conversion process required to go from INETD to XINETD

   e. Remove the distinct service || daemon entries for the small TCP/IP services from '/etc/inetd.conf'
   e1. '/etc/init.d/openbsd-inetd restart'
Note: The various areas covered thus far are ALL vectors of attack to compromise your system
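An enumerator for what the super-server will really spawn, added as an example that is not part of the LinuxCBT notes. It closes the gap the notes flag for 'grep disable /etc/xinetd.d/*': a service block with no 'disable' line is enabled, and the 'disabled = ...' / 'enabled = ...' lists in the 'defaults' block of '/etc/xinetd.conf' override per-service settings. For classic inetd every uncommented line of '/etc/inetd.conf' is active. The sample xinetd.conf, xinetd.d fragments and inetd.conf are constructed; the file paths in the usage section are the standard ones but the block does not assume they exist.

```python
"""List the services xinetd or inetd will actually offer.

Added example, not from the LinuxCBT notes.  Sample configurations below are
constructed.  xinetd rules implemented: 'defaults { disabled = a b }' always
wins; 'defaults { enabled = a b }' is a whitelist; otherwise a service is on
unless its own block says 'disable = yes'.
"""
import re

BLOCK = re.compile(r"(defaults|service\s+\S+)\s*\{(.*?)\}", re.S)


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_xinetd(text):
    """(defaults_attrs, {service_name: attrs}) from xinetd.conf-style text."""
    defaults, services = {}, {}
    for head, body in BLOCK.findall(_strip_comments(text)):
        attrs = {}
        for line in body.splitlines():
            if "=" in line:
                key, val = line.split("=", 1)
                attrs[key.strip().rstrip("+-")] = val.strip()   # handles '+=' / '-='
        if head == "defaults":
            defaults.update(attrs)
        else:
            services[head.split()[1]] = attrs
    return defaults, services


def xinetd_enabled(texts):
    """Sorted service names xinetd will offer, given xinetd.conf plus each xinetd.d file."""
    defaults, services = {}, {}
    for t in texts:
        d, s = parse_xinetd(t)
        defaults.update(d)
        services.update(s)
    only = set(defaults.get("enabled", "").split()) or None
    blocked = set(defaults.get("disabled", "").split())
    enabled = []
    for name, attrs in services.items():
        if name in blocked or (only is not None and name not in only):
            continue
        if attrs.get("disable", "no").lower() == "yes":
            continue
        enabled.append(name)
    return sorted(enabled)


def inetd_enabled(text):
    """Sorted 'service/proto' for the uncommented entries of /etc/inetd.conf."""
    active = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 6:          # service socket proto wait user program [args]
            active.append(f"{fields[0]}/{fields[2]}")
    return sorted(active)


SAMPLE_XINETD_CONF = "defaults\n{\n  log_type = SYSLOG daemon info\n  disabled = chargen-stream chargen-dgram\n}\nincludedir /etc/xinetd.d\n"
SAMPLE_XINETD_D = [
    "service tftp\n{\n  disable = yes\n  socket_type = dgram\n  server = /usr/sbin/in.tftpd\n}\n",
    "service echo-stream\n{\n  disable = no\n  type = INTERNAL\n}\n",
    "service chargen-stream\n{\n  disable = no\n  type = INTERNAL\n}\n",
    # no 'disable' line at all: enabled, and invisible to 'grep disable'
    "service rsync\n{\n  socket_type = stream\n  server = /usr/bin/rsync\n  server_args = --daemon\n}\n",
]
SAMPLE_INETD_CONF = """\
#echo    stream  tcp     nowait  root    internal
#chargen stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
tftp    dgram   udp     wait    nobody  /usr/sbin/tcpd  /usr/sbin/in.tftpd /srv/tftp
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
"""

if __name__ == "__main__":
    import glob
    texts = []
    for p in ["/etc/xinetd.conf"] + sorted(glob.glob("/etc/xinetd.d/*")):
        try:
            with open(p) as f:
                texts.append(f.read())
        except OSError:
            pass
    print("xinetd:", xinetd_enabled(texts) if texts else "(not installed)")
    print("sample xinetd:", xinetd_enabled([SAMPLE_XINETD_CONF] + SAMPLE_XINETD_D))
    print("sample inetd:", inetd_enabled(SAMPLE_INETD_CONF))
```

Cross-check the result against 'netstat -nutlp | grep xinetd': a service this lists but netstat does not is mis-configured, and a port xinetd holds that this does not list means a service file lives somewhere other than the configured 'includedir'.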

### /etc/{passwd,shadow} ###
Features:
1. Store the account DBs
2. Used even with LDAP in use, i.e. for daemons | services | root | the default non-privileged user (linuxcbt)
3. '/etc/login.defs'
Tasks:
1. Peruse both files
   a. '/etc/passwd'
      root:x:0:0:root:/root:/usr/bin/zsh
      1. username
      2. password field - 'x' references '/etc/shadow'
      3. UID
      4. GID

      5. user's description (GECOS) - usually a full name
      6. home directory
      7. user's shell
      sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
      cat /etc/shells
   Note: Check '/etc/shells' to determine the permitted $SHELLs
   Note: Check, aside from daemon | service accounts, that each user has a $HOME directory
   Note: $USERs sans $HOME directories will often be relegated to '/', unless the enveloping daemon | service prohibits this


   b. '/etc/shadow' - contains 1 entry per entry in '/etc/passwd'
   Note: Look for mismatches
   Note: If using LDAP, check the LDAP DB for other account mismatches
   Note: LDAP can be corrupted via corrupt source files: /etc/{passwd,shadow}
   Note: LDAP data can be corrupted from any host with connectivity
   c. '/etc/login.defs' - contains the default user account policies
   c1. Tighten the default policy
       userdel -r username
       groupdel groupname
   c2. Ensure that SHA-256 or higher is in use for password hashes ('ENCRYPT_METHOD SHA512' in login.defs; '$5$' / '$6$' prefixes in '/etc/shadow')
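The passwd/shadow/shells checks listed above, run as one audit, added here as an example that is not part of the LinuxCBT notes. It reports accounts present in one file but not the other, any UID-0 account besides root, shells not listed in '/etc/shells', shadow hashes weaker than SHA-256/SHA-512 (or empty, which is a passwordless login), a hash stored directly in passwd, and interactive accounts whose home directory is missing. The three sample files and the SAMPLE_EXISTING_HOMES set (which stands in for the file system) are constructed; on a live host pass the real file contents, which requires root for '/etc/shadow'.

```python
"""Audit /etc/passwd, /etc/shadow and /etc/shells for the mismatches the notes list.

Added example, not from the LinuxCBT notes.  Sample data is constructed.
"""
import os

STRONG_HASH_PREFIXES = ("$5$", "$6$", "$y$", "$7$")   # sha256, sha512, yescrypt, scrypt
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_colon_file(text, min_fields):
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            if len(f) >= min_fields:
                rows.append(f)
    return rows


def audit(passwd_text, shadow_text, shells_text, home_exists=os.path.isdir):
    """Sorted list of (check, account) findings."""
    passwd = {f[0]: f for f in parse_colon_file(passwd_text, 7)}
    shadow = {f[0]: f for f in parse_colon_file(shadow_text, 2)}
    shells = {s.strip() for s in shells_text.splitlines()
              if s.strip() and not s.startswith("#")}
    findings = []
    for user in set(passwd) - set(shadow):
        findings.append(("passwd-without-shadow", user))
    for user in set(shadow) - set(passwd):
        findings.append(("shadow-without-passwd", user))
    for user, f in passwd.items():
        uid, home, shell = f[2], f[5], f[6]
        if uid == "0" and user != "root":
            findings.append(("extra-uid0", user))
        if shell not in shells and shell not in NOLOGIN_SHELLS:
            findings.append(("shell-not-in-etc-shells", user))
        if shell in shells and not home_exists(home):
            findings.append(("missing-home", user))
        if f[1] not in ("x", "*", "!"):
            findings.append(("hash-in-passwd", user))
    for user, f in shadow.items():
        h = f[1]
        if h == "":
            findings.append(("empty-password", user))       # login with no password
        elif h.startswith(("!", "*")):
            continue                                        # locked account
        elif not h.startswith(STRONG_HASH_PREFIXES):
            findings.append(("weak-hash", user))            # e.g. '$1$' MD5 or DES
    return sorted(findings)


# constructed samples: 'toor' (UID 0, empty password), 'linuxcbt' (MD5 hash),
# 'svc' (no shadow entry, unknown shell), 'ghost' (shadow only), 'backup' (no home)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
linuxcbt:x:500:500:LinuxCBT:/home/linuxcbt:/bin/bash
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
svc:x:501:501::/opt/svc:/opt/svc/shell
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:17000:0:99999:7:::
toor::17000:0:99999:7:::
linuxcbt:$1$salt$md5hash:17000:0:99999:7:::
sshd:*:17000:0:99999:7:::
backup:!:17000:0:99999:7:::
ghost:$6$x$y:17000:0:99999:7:::
"""
SAMPLE_SHELLS = "/bin/sh\n/bin/bash\n"
SAMPLE_EXISTING_HOMES = {"/root", "/home/linuxcbt"}   # stands in for the file system

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:       # audit.py /etc/passwd /etc/shadow /etc/shells
        texts = []
        for p in sys.argv[1:]:
            with open(p) as f:
                texts.append(f.read())
        findings = audit(*texts)
    else:
        findings = audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SHELLS,
                         home_exists=lambda h: h in SAMPLE_EXISTING_HOMES)
    for check, account in findings:
        print(f"{check}: {account}")
```

With LDAP in the picture run the same audit over 'getent passwd' / 'getent shadow' output instead of the files, which covers the "other account mismatches" the notes mention.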

   Note: Use 'getent passwd' to dump all sources of user accounts for your system
   getent group
   getent gshadow

### Pluggable Authentication Modules (PAM) ###
Features:
1. Centralized AUTH, ACCOUNT, SESSION services
2. Abstracts programs, i.e. SSH, Samba, Telnet, FTP, etc., from having to implement similar services
3. Extensible, i.e. LDAP, AD, MySQL, PostgreSQL, etc.
4. Stack of modules required for AUTH, ACCOUNT, SESSION, PASSWORD
Key files:

1. '/etc/pam.conf'
   Note: Some systems, i.e. Red Hat and derivatives, may not have a general '/etc/pam.conf'; however, look for '/etc/pam.d/' with numerous per-application files, i.e. 'sshd'
   Note: Debian 6.x has '/etc/pam.conf' AND '/etc/pam.d/'
   Note: PAM relies upon distinct libraries beneath the platform-specific library directory
   Note: i.e. for x86_64: '/lib64/security'
   Note: PAM, like PHP and other programs, supports an 'include' directive to incorporate the PAM stack from other files
   Note: PAM also ensures, via the 'su' PAM stack, that the environment is properly configured on a per-user basis, i.e. if logged in as 'root', '/sbin:/usr/local/sbin:/usr/sbin' are added to your $PATH
   Note: Upgrades | security patches may change the contents of '/etc/pam.d' and put the changes into effect immediately
   Note: This may mean generating a new set of checksums
   Note: '/etc/security/pam_env.conf' - consulted by ANY process, i.e. gdm, sshd, etc., that relies upon general AUTH to the system
   Note: SYSLOG routes | handles PAM log entries, i.e. on CentOS && RH: '/var/log/secure', or on Debian: '/var/log/auth.log'

### '/etc/{hosts,protocols,services}' ###
Features:
1. Layer 4 - Layer 3 resolution, i.e. 'linuxcbtrouter1.linuxcbt.internal' -> 192.168.75.1 -> MAC
2. Protocol naming, i.e. IP (0), TCP (6), UDP (17) - '/etc/protocols'
3. Well-known service translations: '/etc/services', i.e. ssh -> tcp/22

Basic '/etc/hosts' for a TCP/IP-compliant system:
# IPv4
127.0.0.1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
# IPv6
::1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
# Routable Addresses


# RFC 1918 Address 192.168.75.0/24
192.168.75.105 site1.linuxcbt.internal
192.168.75.105 site2.linuxcbt.internal
Tasks:
1. Corrupt '/etc/hosts'
   a. Place an incorrect entry for www.linuxcbt.com
   Note: Many malware packages will corrupt '/etc/hosts' to redirect traffic
   Note: Most target malware sites will resemble the authentic site
   Note: Insofar as L4-to-L3 resolution is concerned, '/etc/hosts' is usually consulted prior to DNS
2. Corrupt '/etc/protocols'
   Note: If '/etc/protocols' is corrupted, packet handling could, in theory, also be corrupted
3. Corrupt '/etc/services'
   Note: If '/etc/services' is corrupt, packet interpretation and handling could also go awry
Note: The port range is 2**16; however, '/etc/services'
sha256sum /etc/{hosts,services,protocols}
Note: Another example of a corrupted '/etc/hosts' is the redirection of Backup Exec client/server communications via an incorrect IPv[46] entry
Note: Malware typically hits '/etc/hosts'
Note: If you detect mismatches in packet-analysis programs, i.e. TCPDump, Wireshark, Snort, Nmap, Nessus, etc., then consult '/etc/{protocols,services}'

### Name Service Switch Configuration (NSSWITCH) ###
Features:
1. Name service resolution order
2. Indicates the various databases to be used for lookup of various data
   i.e. L4-L3 names are resolved using NSSWITCH
   i.e. the user accounts DB location is indicated via NSSWITCH
3. Centralized name resolution service: the resolver
4. Pulls name=value pairs from the target DBs
5. Abstracts applications from having to maintain resolution services, akin to PAM
   i.e. ping www.linuxcbt.com -> NSSWITCH -> hosts: files dns
   Note: The 'hosts' DB type is consulted when tools such as 'ping', 'traceroute', web browsers, etc. require L4 (host name) to L3 (IPv[46]) translations
   Note: '/etc/hosts' is the key file behind 'files' in 'hosts' resolution
6. NSSWITCH facilitates redundant means of resolving targets
Tasks:
1. Explore the '/etc/nsswitch.conf' configuration
   Note: NIS(+) is still supported, but somewhat deprecated due to LDAP && DNS, i.e. Active Directory (AD)
   a. NIS
   b. DNS - considerable support - glue of the Internet
2. Reorder '/etc/nsswitch.conf' and evaluate
   a. 'hosts: dns files' - causes the name resolver to use DNS first
   b. ping www3.linuxcbt.com
Note: 'files' references tend to be consistent across distributions of Linux | Unix
   cat /etc/ethers
   cat /etc/networks
Note: If your system is configured to use LDAP AUTH, then '/etc/nsswitch.conf' will be updated insofar as:
   passwd: files ldap
   shadow: files ldap
   group:  files ldap
Note: Usage of LDAP does NOT disable the local 'files' reference


Note: Insofar as malware is concerned, watch:
   passwd: files
   shadow: files
   group:  files
   hosts:  files dns
NSSWITCH is used by virtually ALL *Nix applications to resolve the key DBs
host www.google.com

### DNS Client Resolution ###
Features:
1. File: '/etc/resolv.conf' - located on ALL *Nix systems
2. DNS client resolver lookup file
3. Consulted by the DNS client: dig, nslookup, web browsers, lynx, curl, lftp, etc.
4. L4 lookup servers (name servers) are placed here, normally using IPv[46] addresses
5. Auto-configured if using a DHCP client
6. Manually configured IPv[46] systems must also configure '/etc/resolv.conf' manually
Tasks:
1. Explore '/etc/resolv.conf'
   search localhost.localdomain   # this domain is appended to DNS client requests if the FQDN is omitted by the user; i.e. with 'search linuxcbt.internal', 'dig linuxcbtcent1' (NOT an FQDN) is rewritten by the resolver to 'dig linuxcbtcent1.linuxcbt.internal'
   nameserver 192.168.1.1         # indicates the PRIMARY DNS server to consult
Note: If '/etc/resolv.conf' is corrupted, DNS client requests can easily be rerouted to rogue DNS servers, rendering illegitimate responses
   dig @8.8.8.8 www.linuxcbt.com
Note: Some malware will remove your normal DNS servers from '/etc/resolv.conf' in exchange for polluted DNS servers
Note: Other malware will simply insert polluted DNS servers as the default (first) servers, leaving your original entries as subsequent entries
Note: By default, DNS client tools such as dig and nslookup bypass '/etc/hosts' and query the servers specified in '/etc/resolv.conf' directly
Note: This does NOT include applications such as web browsers, which always consult the order in '/etc/nsswitch.conf'
2. Perform queries:
   a. dig @8.8.8.8 www.linuxcbt.com - forces DNS client resolution off server 8.8.8.8
   b. 'dig www.linuxcbt.com' - uses the default DNS server prescribed in '/etc/resolv.conf'
   Suggestion: Internally, direct DNS traffic to internal, company-managed DNS servers and subsequently forward unfulfilled requests to Internet DNS servers
   Client -> Internal DNS Server(s) -> ISP Server -> Public Servers (Google 8.8.8.8 | 8.8.4.4) -> Root DNS Servers
3. Example Debian APT 'sources.list' file
   'deb http://security.debian.org/ squeeze/updates main contrib'
   dig security.debian.org
   dig security.debian.org (L4) -> 149.20.20.6 (L3)
   If the L3 server address is poisoned, then the NEW rogue target server COULD supply our APT framework with rogue, malicious and|or compromised packages
Note: Try to ensure that PROD systems have consistent '/etc/resolv.conf' files
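One audit over the three resolver files covered above ('/etc/hosts', '/etc/nsswitch.conf', '/etc/resolv.conf'), added as an example that is not part of the LinuxCBT notes. For hosts it reports any name outside an allow-list of names the host is expected to define, and any name given two different addresses of the same family (the "incorrect entry for www.linuxcbt.com" case, and a second conflicting site1 line). For nsswitch it requires 'files' first on the 'hosts' line and 'files' present on passwd/shadow/group. For resolv.conf it checks every nameserver against an approved list and reports the first one separately, since the notes point out malware commonly prepends its own server. The sample file contents, the allow-list and the approved-server set are all constructed.

```python
"""Audit /etc/hosts, /etc/nsswitch.conf and /etc/resolv.conf for tampering.

Added example, not from the LinuxCBT notes.  All sample data is constructed.
"""
import ipaddress


def parse_hosts(text):
    """'/etc/hosts' -> {name: set(addresses)}; comments and blank lines skipped."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hostnames = line.split()
        for h in hostnames:
            names.setdefault(h.lower(), set()).add(addr)
    return names


def audit_hosts(text, allowed_names):
    findings = []
    for name, addrs in sorted(parse_hosts(text).items()):
        if name not in allowed_names:
            findings.append(("hosts-unexpected-name", name, sorted(addrs)))
        by_family = {}
        for a in addrs:
            try:
                by_family.setdefault(ipaddress.ip_address(a).version, set()).add(a)
            except ValueError:
                findings.append(("hosts-bad-address", name, [a]))
        for fam_addrs in by_family.values():
            if len(fam_addrs) > 1:   # 127.0.0.1 plus ::1 for one name is normal; two IPv4s is not
                findings.append(("hosts-conflicting-addresses", name, sorted(fam_addrs)))
    return findings


def parse_nsswitch(text):
    """'/etc/nsswitch.conf' -> {db: [sources]} with '[NOTFOUND=return]' actions dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            dbs[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return dbs


def audit_nsswitch(text):
    dbs = parse_nsswitch(text)
    findings = []
    hosts = dbs.get("hosts", [])
    if not hosts or hosts[0] != "files":
        findings.append(("nsswitch-hosts-not-files-first", "hosts", hosts))
    for db in ("passwd", "shadow", "group"):
        if "files" not in dbs.get(db, []):
            findings.append(("nsswitch-files-missing", db, dbs.get(db, [])))
    return findings


def parse_resolv(text):
    """'/etc/resolv.conf' -> (nameservers in order, search domains)."""
    servers, search = [], []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
        elif parts and parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    return servers, search


def audit_resolv(text, approved_servers):
    servers, _search = parse_resolv(text)
    findings = []
    if servers and servers[0] not in approved_servers:
        findings.append(("resolv-first-nameserver-unapproved", "nameserver", [servers[0]]))
    for s in servers[1:]:
        if s not in approved_servers:
            findings.append(("resolv-nameserver-unapproved", "nameserver", [s]))
    return findings


def audit_all(hosts_text, nsswitch_text, resolv_text, allowed_names, approved_servers):
    return (audit_hosts(hosts_text, allowed_names) + audit_nsswitch(nsswitch_text)
            + audit_resolv(resolv_text, approved_servers))


# constructed samples: the last two hosts lines are the tampering the notes describe
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
::1       localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
192.168.75.105 site1.linuxcbt.internal
192.168.75.105 site2.linuxcbt.internal
203.0.113.10 www.linuxcbt.com
192.168.75.66 site1.linuxcbt.internal
"""
ALLOWED_HOSTS_NAMES = {"localhost", "localhost.localdomain", "linuxcbtcent1",
                       "linuxcbtcent1.linuxcbt.internal",
                       "site1.linuxcbt.internal", "site2.linuxcbt.internal"}
SAMPLE_NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: dns files\n"
SAMPLE_RESOLV = "search linuxcbt.internal\nnameserver 203.0.113.53\nnameserver 192.168.1.1\n"
APPROVED_DNS = {"192.168.1.1", "192.168.1.2"}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_HOSTS, SAMPLE_NSSWITCH, SAMPLE_RESOLV, ALLOWED_HOSTS_NAMES, APPROVED_DNS):
        print(*f)
```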

### User Profiles ###


Features:
1. Ability to aggregate and present a consistent user experience across icons, files, colors, etc.
2. Default $SHELL = BASH
Files:
1. '/etc/{bashrc,profile,profile.d,shells,skel}'
   a. '/etc/profile' - system-wide $SHELL file that configures the initial environment
      echo $HISTSIZE
      echo $HISTFILESIZE
      echo $PS1
      echo $PATH
      echo $LOGNAME
      echo $USER
   b. '/etc/profile.d/' - contains $SHELL includes, i.e. coloration of 'ls' output
   c. '/etc/shells' - this file dictates the allowable $SHELLs
   Note: Ensure that '/etc/shells' does not contain unknown, unidentified $SHELLs
   d. '/etc/skel' - used to provision new users' home directories
2. '~/.bash_history' - guard its contents, because passwords and credentials may be present
   Note: Consider purging the contents of '~/.bash_history' to a facility such as '/dev/null'
   Note: Consider reducing the history size to a small number, i.e. '10'
3. '$HOME/bin' - this is a per-user executable directory; monitor this directory for potential rogue programs
4. '~/.vnc' - this directory houses files associated with VNC access
   a. 'xstartup' - executable file that is invoked when a new VNC/GNOME/KDE session is created
   Note: This feature is akin to the Windows startup group - it will cause applications to launch upon invocation
   netstat -ntl | grep 591
   b. 'passwd' - ensure this file exists, if VNC is in use

### CRON ###
Features:
1. Process automation
Example of misuse:
1. DNS client poisoning
2. A bad package (RPM | APT) is installed
3. A rogue process is invoked via CRON, regularly
4. The host becomes a member of a botnet
Key files:
1. '/etc/crontab' - system cron table - defines the basis of operation
2. '/etc/cron.d/' - default jobs are called from here; varies by distro, however the concepts are similar
   Note: These entries are NOT executables; they are crontab fragments included as part of the larger CRON config
   Note: If you notice executable items in '/etc/cron.d', something is amiss
3. '/usr/sbin/crond' - the CROND process - checksum this
   rpm -qf /etc/cron.hourly/0anacron
4. '/etc/cron.hourly/' - jobs that are executable (scripts) and run hourly
   Note: Normally, CRON jobs are not binaries; if you see files that run as jobs and are represented as binaries, have a deeper look
5. Ensure the integrity of '/bin/run-parts' - this utility runs N scripts from a directory
   rpm -qa | grep cron
6. '/usr/bin/crontab' - checksum as well, as this submits jobs
7. '/var/spool/cron/' - check for unrelated user jobs - look for unresolved IDs
   ls -l /var/spool/cron
8. Ensure the integrity of 'crond' itself using 'rpm', i.e. 'rpm -Vvf `which crond`'
Note: Perform these checks before the system enters PROD, and during PROD.
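The cron checks above as a script, added here as an example (not from the LinuxCBT notes). Given a root that mirrors the layout of '/etc/cron.d', '/etc/cron.{hourly,daily,weekly,monthly}' and '/var/spool/cron', it reports executable files in cron.d, entries in the periodic directories that are binaries rather than scripts (no '#!' header), spool files whose name is not a known account (the "unresolved ID" case), and any job line that runs something out of /tmp, /dev/shm or a home directory or pipes downloaded content into a shell. The suspicious-command pattern and the sample tree built in the test are constructed; on a live host call audit_cron('/', known_users) as root, and note that Debian keeps user crontabs under '/var/spool/cron/crontabs'.

```python
"""Audit cron drop-in directories and user spools for the misuse signs the notes list.

Added example, not from the LinuxCBT notes.  SUSPECT_CMD is a constructed
heuristic, not a complete rule set.
"""
import os
import re
import stat

PERIODIC_DIRS = ("cron.hourly", "cron.daily", "cron.weekly", "cron.monthly")
SUSPECT_CMD = re.compile(r"(/tmp/|/dev/shm/|/home/|/var/tmp/|curl\s|wget\s|\|\s*(ba)?sh\b|base64\s+-d)")


def _listdir(d):
    try:
        return sorted(f for f in os.listdir(d) if os.path.isfile(os.path.join(d, f)))
    except FileNotFoundError:
        return []


def _is_exec(p):
    return bool(os.stat(p).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def _looks_like_script(p):
    with open(p, "rb") as f:
        return f.read(2) == b"#!"


def _suspect_lines(p):
    """[(line_no, text)] for non-comment lines matching SUSPECT_CMD."""
    out = []
    with open(p, "r", errors="replace") as f:
        for n, line in enumerate(f, 1):
            s = line.strip()
            if s and not s.startswith("#") and SUSPECT_CMD.search(s):
                out.append((n, s))
    return out


def audit_cron(root, known_users):
    """Sorted list of (check, path, detail) findings for the cron tree under root."""
    findings = []
    cron_d = os.path.join(root, "etc", "cron.d")
    for name in _listdir(cron_d):
        p = os.path.join(cron_d, name)
        if _is_exec(p):
            findings.append(("cron.d-executable", p, ""))
        for n, s in _suspect_lines(p):
            findings.append(("suspect-command", p, f"line {n}: {s}"))
    for d in PERIODIC_DIRS:
        full = os.path.join(root, "etc", d)
        for name in _listdir(full):
            p = os.path.join(full, name)
            if _is_exec(p) and not _looks_like_script(p):
                findings.append(("periodic-binary", p, ""))
    spool = os.path.join(root, "var", "spool", "cron")
    for name in _listdir(spool):
        p = os.path.join(spool, name)
        if name not in known_users:
            findings.append(("spool-unknown-user", p, name))
        for n, s in _suspect_lines(p):
            findings.append(("suspect-command", p, f"line {n}: {s}"))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    users = {e.pw_name for e in pwd.getpwall()}
    for check, path, detail in audit_cron("/", users):
        print(check, path, detail)
```

Pair this with the checksum snapshot of '/usr/sbin/crond', '/usr/bin/crontab' and '/bin/run-parts' from earlier: a clean job list means little if the daemon running the jobs has been replaced.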

### DNS Server Configuration ###
(TODO: learn BIND)
Features:
1. Glue of the Internet
2. L4-L3 conversions
Tasks:
1. Explore the environment
   a. '/etc/bind/' - Debian
   b. '/etc/named*' && '/var/named/' - CentOS | Red Hat
   Note: Ensure that you have a baseline
   netstat -nutlp | grep named
   c. '/etc/bind/named.*' - both OSs - ensure the zones listed are ones that you are responsible for
2. Follow each zone file to its source file on the FS and examine it
   dig @localhost hostname
3. Also run random queries occasionally to ensure the validity of DNS records
4. Ensure that RFC-1912 && RFC-1918 zones, if defined, are accurate
Note: ALL named.* files that are included are part of one monolithic config (1 big config), which means you are at liberty to place any zone config (descriptor) anywhere
5. Ensure the ROOT servers are accurate: '/var/named/named.ca' on Red Hat-derived systems
6. Ensure that you constantly look for:
   a. Unauthorized zones
   b. Changes to existing zones
   c. Invalid records, i.e. pointers to unauthorized IPv[46] addresses
   d. Incomplete records, i.e. present IPv4 and missing IPv6 records
   e. Missing reverse entries - this causes some applications to break

    ### Syslog ###

Features:
1. Logs key system information from programs, services, daemons, the Kernel, etc.
2. Optionally logs information from remote, Syslog-aware systems: devices | routers, switches, firewalls, etc.

Explore the Syslog environment
1. '/lib[64]/rsyslog/*' - contains the modules that extend rsyslog - Red Hat | CentOS
2. '/usr/lib/rsyslog/*' - Debian
3. '/usr/sbin/rsyslogd' - Debian && '/sbin/rsyslogd' - Red Hat | CentOS
Comment out the TCP || UDP listeners if NOT in use - Syslog does not offer AUTH security by default
Note: This means that once clients have network access to the rsyslog server, they can, if configured with the appropriate facility and|or level, send messages to SYSLOG
# Hypothetical case: a rogue, infected Windows machine on the wire sends considerable SYSLOG data to your rsyslog instance. For this reason, consider provisioning a dedicated '/var' per HOST
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
rpm -ql rsyslog
Suggestion: Consider restricting TCP 514 AND|OR UDP 514 via iptables AND|OR an external firewall
iptables -L
Ensure that you have a comprehensive list of the supported Syslog:
1. Facilities: local0-local7, user, mail, kern, cron, auth | authpriv, etc.
2. Levels: debug -> emerg
Note: Ensure that your organizational security policy details the accepted Syslog configuration. This helps to mitigate problems, nerves and anxieties when, i.e., DDoS attacks generate enormous amounts of data on a number of levels that impact *Nix systems:
1. NIDS systems parsing gigabit traffic
2. Syslog must capture requests incoming from the NIDS, edge processes, and otherwise