Tutorial SensorClientFIFO LinuxSecurityMonitoring
This tutorial describes how you can monitor your Linux system for suspicious behavior in order to detect malware or other malicious activity of an attacker on your system. For this, AlertR is used as the notification channel to inform you of a suspicious event. To monitor your Linux system, a collection of Linux Security and Monitoring Scripts is used. For this to work, we assume you have set up the AlertR Server and the AlertR Sensor Client FIFO. Tutorials to set them up are linked.
The following gives you a short example of how to configure the AlertR Sensor Client FIFO with a collection of Linux Security and Monitoring Scripts. The configuration of the security and monitoring scripts has to be individually fine-tuned for your Linux environment and is therefore not handled in detail in this tutorial.
TODO graphic representation or better description how LSMS connects to AlertR
This tutorial assumes the Alert Levels configured in the AlertR Server tutorial. The client will use the following for its configuration:
| Alert Level | Name | Profiles | Functionality |
|---|---|---|---|
| 3 | Urgent Notification | Activated, Deactivated | Used to directly notify the user regardless of the used System Profile. |
Alert Level 3 is used for sensors that trigger a Sensor Alert which needs direct attention by the user. These sensors should notify the user immediately. This Alert Level is a member of every System Profile and thus always triggers.
The following describes the configuration of the AlertR Sensor Client FIFO as well as the setup of a collection of Linux Security and Monitoring Scripts. It shows a basic configuration that can be used as a template for your own installation.
To receive security events from the security and monitoring scripts, a FIFO file is used as the communication interface. The following shows a basic configuration of a sensor for the AlertR Sensor Client FIFO instance:
```xml
[...]
<sensors>
    <sensor>
        <general
            id="0"
            description="Linux Security Event"
            alertDelay="0"
            triggerAlert="True"
            triggerAlertNormal="True" />
        <alertLevel>3</alertLevel>
        <fifo
            umask="0000"
            fifoFile="./security_event.fifo"
            dataType="0" />
    </sensor>
</sensors>
[...]
```
This configuration sets up a FIFO file called security_event.fifo in the directory in which the AlertR client is installed. Following the basic tutorial for the AlertR Sensor Client FIFO as the base for this example, the FIFO file will be located at /home/alertr/sensorClientFIFO/security_event.fifo. The sensor is configured to create Sensor Alert events for the triggered as well as the normal state, since the security scripts should decide for which state they create Sensor Alerts. The data type of the sensor is set to 0 (None), which means that this sensor does not hold any data.
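The following Python fragment is added here as an illustration and is not part of the LSMS project or of this wiki page. It shows how a monitoring check would hand a Sensor Alert to the FIFO configured above and why the FIFO should be opened non-blocking, so that a check does not hang when the AlertR client is not running. The message field names and the one-JSON-object-per-line framing are assumed from the AlertR FIFO protocol and should be verified against the protocol page for your client version; the FIFO path and the event text in the demo are constructed for this example.

```python
import errno
import json
import os
import shutil
import tempfile

# Field names and one-JSON-object-per-line framing are assumed from the AlertR FIFO
# protocol; verify them against the protocol page for your client version.
def build_sensor_alert(state, message, data_type=0):
    """Sensor Alert event; state 1 = triggered, 0 = normal. data_type 0 (None)
    matches the sensor configured above, so no sensor data is carried."""
    if state not in (0, 1):
        raise ValueError("state must be 0 (normal) or 1 (triggered)")
    payload = {"state": state, "hasOptionalData": True,
               "optionalData": {"message": message}, "dataType": data_type,
               "hasLatestData": False, "changeState": True}
    return {"message": "sensoralert", "payload": payload}

def write_event(fifo_path, event):
    """Write one newline-terminated JSON event to the FIFO. Opening non-blocking
    keeps a monitoring script from hanging when the AlertR client is not running:
    ENXIO means 'no reader' and is reported as False instead of blocking."""
    try:
        fd = os.open(fifo_path, os.O_WRONLY | os.O_NONBLOCK)
    except OSError as e:
        if e.errno == errno.ENXIO:
            return False
        raise
    try:
        os.write(fd, (json.dumps(event) + "\n").encode())  # small write: atomic
    finally:
        os.close(fd)
    return True

def demo():
    """Constructed run: first with no client reading the FIFO, then with a reader."""
    tmp = tempfile.mkdtemp()
    fifo = os.path.join(tmp, "security_event.fifo")  # constructed path for the demo
    os.mkfifo(fifo)
    event = build_sensor_alert(1, "new user account found in /etc/passwd")
    try:
        no_reader = write_event(fifo, event)              # client down: False, no hang
        rfd = os.open(fifo, os.O_RDONLY | os.O_NONBLOCK)  # stands in for the client
        with_reader = write_event(fifo, event)
        received = json.loads(os.read(rfd, 65536).decode())
        os.close(rfd)
    finally:
        shutil.rmtree(tmp)
    return {"no_reader": no_reader, "with_reader": with_reader, "received": received}
```

In a real deployment the scripts write to the FIFO created by the client (here /home/alertr/sensorClientFIFO/security_event.fifo) and emit state 0 once the condition has cleared, which is why the sensor above has triggerAlertNormal enabled.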
TODO