RedHat: Monitor specific security events and send notifications about them
 

Hello everyone,

I'll try to make this short. I'm using RedHat RHEL 4 on all the machines in my network. What I need to do is monitor specific security events on my network and notify a single machine/application when they happen. The events will include:

- Log in failure (especially multiple failures in a short period of time)
- Direct root login attempts (successful and failed)
- The use of the -su command
- Denial of Service attacks
- Distributed Denial of Service attacks
- When someone attempts to scan for open ports (ETTERCAP??)
- When a new MAC address is found
- Modifications and deletion of certain files and directories (GAMIN??)
- Power downs and reboots
- When a drive is added or removed

So basically, when any of these events happen, I just need a notification sent to the main machine. I found a few ideas as you can see in the parenthesis after a couple of them.

Any help/suggestions/suggested packages/etc. in any area mentioned would be HUGELY appreciated. I'll continue to search for ideas as well. Please yell at me if I need to provide more information...

Well, I've got Fedora, and RH is based on that. In the root acct, if I go into mail (mailx) I see emails from the logwatch tool which seem to cover some of those.
Maybe you could get it to cc the remote as well.
See also syslog, tripwire.
In fact, this should prob be moved to the security forum for better responses. Ask the mods via the 'Report' button on your post.
Good luck
:)

Thanks for the suggestions
 

Chris,

Thanks so much for the suggestions. I'll look into them and sorry for the post being in the wrong area, I thought I was posting in the security forum!! Thanks again!

Monitor specific security events and send notifications about them
 

Hello everyone,

I'll try to make this short. I'm using RedHat RHEL 4 on all the machines in my network. What I need to do is monitor specific security events on my network and notify a single machine/application when they happen. The events will include:

- Log in failure (especially multiple failures in a short period of time)
- Direct root login attempts (successful and failed)
- The use of the -su command
- Denial of Service attacks
- Distributed Denial of Service attacks
- When someone attempts to scan for open ports (ETTERCAP??)
- When a new MAC address is found
- Modifications and deletion of certain files and directories (GAMIN??)
- Power downs and reboots
- When a drive is added or removed

So basically, when any of these events happen, I just need a notification sent to the main machine that monitors the network. I'm not sure if there are applications I can use, built in features of the OS, etc. I found a few ideas as you can see in the parenthesis after a couple of them.

Any help/suggestions/suggested packages/etc. in any area mentioned would be HUGELY appreciated. I'll continue to search for ideas as well. Please yell at me if I need to provide more information...

- Log in failure # per-daemon or in syslog (PAM).
- Direct root login attempts # in syslog (PAM)
- The use of the -su command # in syslog (PAM), depending on RH version apparently can be mitigated with like pam_script
- Denial of Service attacks # IDS
- Distributed Denial of Service attacks # IDS
- When someone attempts to scan for open ports # IDS
- When a new MAC address is found # arpwatch
- Modifications and deletion of certain files and directories # Dnotify in Linux 2.4, Inotify in kernel 2.6 but "better": Auditd (depending on which and how many files)
- Power downs and reboots # last, gets syslogged
- When a drive is added or removed # depends on what you need to see HW inventory, hotswap?, USB/Firewire plugin events?... define.

Some processes can deal with notifications themselves, some have plugins to allow that and in any other case any text that can be logged can be filtered for using regexes, meaning any action-capable (sys)log watcher like SEC can handle that. You've got a lot of options, it just depends on what and how you want it.

Actually, thinking about it, as you've got RH, you may find that the SELinux SW can be used

Have you checked Snort? It's a network-based intrusion detection system (NIDS). It'll do a lot of what you want but some of your requirements are host-based (HIDS). You may need to try Samhain or something similar to monitor host logs. You'll need to probably use both NIDS and HIDS technologies, as one won't do all your requirements, but both combined should be able to do it.

You've a big project on your hands, BTW. :)

Moved: This thread is more suitable in <security> and has been moved accordingly to help your thread/question get the exposure it deserves.

Thanks for all the help...
 

I really appreciate the help from you guys...I'll try out some stuff and see what happens...

Rob