Monitoring

Revision as of 16:28, 18 May 2014 by Hugh (Talk | contribs)


For both dedicated and VPS systems, monitoring should form a core component of a system's security policy. Monitoring can help detect when a security breach has happened, or when one is about to happen.

There are many ways that a system can be monitored - a very popular option for large deployments of servers is Nagios. The deployment and configuration of systems as complicated as Nagios is outside of the scope of this document.

Email

Email is, when used properly, a powerful tool for alerting administrators to anomalies within their systems. For this reason, it is important to set up proper local mail sending from your servers. This means that the command echo "test" | mail -s "Testing mail" youremail@some.site should send valid email to your email address (even if this mail goes to your spam folder).

Local monitoring

Tiger

The tiger package is a powerful (if slightly dated) monitoring tool for Linux systems. It should be run on new servers to identify any default vulnerabilities or security issues so they can be fixed, and after this point it should be configured to send email via the tigercron facility. This runs tiger scans regularly and emails administrators with warnings about changes in system state. It can, for example, warn administrators of ports that have recently started listening, suspicious processes that are running, or user accounts that have not been used for long periods of time.

Lynis

Lynis is a tool that is quite similar to Tiger but is somewhat more comprehensive and is frequently updated. It should be run occasionally, and on new systems, to check for any configuration issues.

Updates

For some systems and setups, automatic updates via the system's package manager may not be the best option, due to specific configuration requirements, a desire to keep particular versions of software installed, or concerns over service reliability. To deal with scenarios like this, administrators should configure email alerts that warn when new packages are available or installed, particularly critical security updates.

The configuration of these tools varies by OS, but for example the apticron package offers this capability to a suitable level by default.

Hardware warnings

For users running dedicated hardware, it is vital that administrators be informed of issues related to hardware failure, particularly hard drive failure. Most Linux distributions use the mdraid system for software RAID, and administrators should ensure that their email address is properly configured in mdadm.conf and that the mdadm command's test mode delivers mail successfully.
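As an added illustration (not from the original page), the script below reads an mdstat-style status dump, reports any array with a missing member or a failed device marker, and mails the result using the local mail setup described under Email. The sample status text is constructed for the example, and the mail recipient is an assumed placeholder; on a live host the input file would be /proc/mdstat, and this complements rather than replaces mdadm's own monitor mode.

```shell
#!/bin/sh
# Constructed sample in the style of /proc/mdstat (not captured from a real host).
# md0 is healthy, md1 is missing a member, md2 has a device flagged failed (F).
SAMPLE_MDSTAT=$(cat <<'EOF'
Personalities : [raid1] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
      523968 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sda2[0]
      975585280 blocks super 1.2 [2/1] [U_]
      bitmap: 3/8 pages [12KB], 65536KB chunk

md2 : active raid10 sdc1[0] sdd1[1] sde1[2](F) sdf1[3]
      1953257472 blocks super 1.2 512K chunks 2 near-copies [4/3] [UU_U]

unused devices: <none>
EOF
)

# degraded_arrays FILE: print "<name> <status>" for every array whose status
# block shows a missing member ('_' inside [UU_U]) or a failed device '(F)'.
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ { name = $1; failed = ($0 ~ /\(F\)/) }
        /\[[U_]+\]/ && name != "" {
            status = $NF
            if (status ~ /_/ || failed) print name " " status
            name = ""; failed = 0
        }
    ' "$1"
}

# alert_if_degraded FILE RECIPIENT: mail the degraded list via the local MTA
# (the mail command from the Email section); returns 1 when anything is degraded.
alert_if_degraded() {
    found=$(degraded_arrays "$1")
    [ -z "$found" ] && return 0
    printf 'Degraded md arrays on %s:\n%s\n' "$(uname -n)" "$found" \
        | mail -s "RAID degraded on $(uname -n)" "$2"
    return 1
}

# Stand-alone demo against the constructed sample (real use: /proc/mdstat).
tmp=$(mktemp); printf '%s\n' "$SAMPLE_MDSTAT" > "$tmp"
degraded_arrays "$tmp"   # prints: md1 [U_]  and  md2 [UU_U]
rm -f "$tmp"
# Example cron line (assumed recipient): */15 * * * * /usr/local/sbin/raidcheck.sh /proc/mdstat admin@example.invalid
```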