1. Key files && directories that are present across-the-board on Linux systems
[Link] to security due to sensitive nature of files
Note: Files also pertain to directories (d ---------)
'/boot' - Present on all linux systems
Features:
[Link] Kernel
[Link] || INITRAMFS - (Present on modern implementations)
[Link] & related files
[Link]-BIOS, '/boot' is consulted for various stages of boot
[Link] is provisioned as a dedicated partition to ensure system boot
[Link], '/boot' or BOOT environment for various OSs have been abstracted | separated from other volumes, i.e., Windows (c:(os)...(Exchange || MS SQL) || etc.)
Files:
1.'config' - Kernel configuration options (Options used to compile Kernel)
'uname -a' - reveals kernel version which can be correlated to '/boot/{config*,init*,vmlinuz*}'
[Link] files
[Link] options such as: 'y' = static, 'm' = modular support
2.'initrd || initramfs' - initial RAM Disk - loaded by GRUB to setup the environment
[Link] to load drivers to mount '/' (root)
Note: From a security perspective, checksum 'config*' && 'init*' && 'vmlinuz*' && '[Link]*'
3.'vmlinuz' - linux Kernel
[Link] match 'initrd'
4.'[Link]'
a. Symbols for image by Kernel modules
Note: '/boot' need NOT be separated from '/'
Note: Ensure that backup procedures ALWAYS include '/boot'
du -chs /boot/
### INIT ###
Features:
[Link] User-Space process
[Link]=1
[Link] of all User-Space processes on *Nix systems (linux | unix)
[Link] User-Space environment
Files:
1.'/etc/inittab' - Primary configuration file - Read by '/sbin/init'
i.e., 'i[Link]initdefault:' - default Runlevel
2.'/etc/init.d/' - Houses Daemons | Services, interface configuration scripts, etc
Note: Similar to '[Link]' on Windows
Note: Whether or not the services | daemons run in the current run-level is not important
Note: This is where third-party RC scripts should be placed
3.'/etc/rc.*' - Run Control Scripts for appropriate run-levels
'runlevel' - confirms current and optionally previous runlevel
a.'/etc/rc.d/' - contains ALL K* S* scripts to be executed by 'rc' in this runlevel
b.'/etc/rc.d/rc' - script, which processes distinct runlevel K* & S* scripts
c.'/etc/rc.d/[Link]' - items that should be run regardless of runlevel when system is invoked
d.'/etc/rc.d/[Link]' - place third-party programs here to be launched post-runlevel-invocation
Note: 'sha256sum /etc/init.d/*' generates checksums for later reference
Note: RPM DB provides checksums for installed files, i.e., '/sbin/init'; however, if RPM DB is corrupted, then you may be trojaned without your knowledge
rpm -qf /sbin/init
Note: Various SYSTEM V systems will use different Daemon | service names; however, the startup is virtually the same
Note: Part of your checksum checks could also include file size
Note: For security purposes, store your checksums on a remote system
Note: Use BASH, Perl, Python, etc to take snapshots
Note: Consider taking snapshots manually to mitigate compromised-system threats
Note: A malicious, unauthorized user may compromise automated checksum checks to publish to the aggregation system data consistent with your expectations
Note: If you automate checksum checks, consider manually spot-checking, on a somewhat random basis, the checksums that are generated
Note: Also ensure that you checksum the checksum-generation script, in the event an unauthorized user changes the behavior of the script
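The baseline-and-compare procedure the notes describe for '/boot', '/etc/init.d' and '/sbin/init' (hash plus file size, and hashing the checker script itself), as an added example that is not part of the original notes. WATCH_PATHS is a constructed default list; sha256sum, wc, find, sort and awk are assumed to be present.

```sh
#!/bin/sh
# Added example, not from the original notes: a sha256 + file-size baseline
# for the sensitive paths the notes list, with the checker hashing itself so
# a modified checker shows up as CHANGED on the next run. Assumes coreutils
# (sha256sum, wc, find, sort) and awk. WATCH_PATHS is a constructed default;
# pass your own paths instead.
WATCH_PATHS="/boot /etc/init.d /etc/rc.d /sbin/init /etc/fstab"

# Print "sha256 size path" for every regular file under the given paths.
snapshot() {
    for p in "$@"; do find "$p" -type f 2>/dev/null || true; done | sort |
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$f"
    done
}

# Write the baseline file ($1) for the paths that follow it; the script itself
# ($0) is included so tampering with the checker is caught as well.
make_baseline() {
    out=$1; shift
    snapshot "$@" "$0" > "$out"
}

# Compare the live files against the baseline ($1). Prints CHANGED / MISSING /
# NEW lines and returns 1 if anything differs, 0 when the snapshot is clean.
verify_baseline() {
    base=$1; shift
    now=$(mktemp)
    snapshot "$@" "$0" > "$now"
    awk -v basefile="$base" '
        { path = substr($0, length($1) + length($2) + 3) }   # keeps spaces in paths
        FILENAME == basefile { base[path] = $1 " " $2; next }
        { seen[path] = 1
          if (!(path in base))              { print "NEW     " path; n++ }
          else if (base[path] != $1 " " $2) { print "CHANGED " path; n++ } }
        END { for (p in base) if (!(p in seen)) { print "MISSING " p; n++ }
              exit (n > 0) }' "$base" "$now"
    rc=$?
    rm -f "$now"
    return $rc
}

# Stand-alone use:  sh integrity.sh init   /var/lib/baseline.txt
#                   sh integrity.sh verify /var/lib/baseline.txt
if [ $# -eq 2 ]; then
    case $1 in
        init)   make_baseline "$2" $WATCH_PATHS ;;
        verify) verify_baseline "$2" $WATCH_PATHS ;;
    esac
fi
```

Store the baseline file off-host, as the notes advise, and hash it too: the awk comparison trusts whatever the baseline says.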
### Kernel Modules ###
Features:
[Link] modules for myriad() categories, CPU Frequency, Networking, Sound, etc
[Link] via: '/lib/modules/`uname -r`'
[Link] accessible | available Kernel has its own '/lib/modules/`uname -r`'
'/lib/modules/$(uname -r)'
a.'[Link]' - shortcuts
b.'[Link]' - Module dependencies - paths are relative to '/lib/modules/$(uname -r)'
c.'kernel/*' - Categorical storage of modules per Kernel version
lsmod - Reveals loaded modules from '/proc/modules'
correlate loaded modules to: '/lib/modules/*'
find ./ -name cpufreq
'modinfo cpufreq_stats' - Returns MORE information
'/etc/modprobe.d' - Configuration of specific modules
dmesg
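The "correlate loaded modules to /lib/modules/*" step above, as an added example that is not part of the original notes: it reads the /proc/modules format that lsmod reports and looks for a matching .ko file, allowing for the dash/underscore difference between module names and file names. Both paths are parameters so it can be run against copies.

```sh
#!/bin/sh
# Added example, not from the original notes: correlate the modules the kernel
# reports as loaded (the /proc/modules format read by lsmod) with the module
# files under /lib/modules/$(uname -r). A loaded module with no file on disk
# deserves a closer look. Both paths are parameters so the check can be run
# against constructed copies.
check_loaded_modules() {
    procmods=${1:-/proc/modules} moddir=${2:-/lib/modules/$(uname -r)}
    rc=0
    while read -r name rest; do
        # file names may use '-' where the kernel reports '_' (e.g. snd_hda_intel)
        pat=$(printf '%s' "$name" | sed 's/_/[_-]/g')
        hits=$(find "$moddir" -type f \( -name "$pat.ko" -o -name "$pat.ko.*" \) 2>/dev/null || true)
        if [ -z "$hits" ]; then
            echo "NOFILE $name: loaded but no $pat.ko* under $moddir"; rc=1
        else
            echo "OK $name -> $hits"
        fi
    done < "$procmods"
    return $rc
}

# Stand-alone: check_loaded_modules  (defaults to the running kernel)
if [ "${1:-}" = run ]; then check_loaded_modules; fi
```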
### '/proc/' ###
Features:
[Link]-time Kernel configuration options - '/proc'
[Link] in memory File System
[Link]-space tools derive key information from: '/proc/'
df -h | grep proc
mount | grep proc
[Link] PIDs of running processes, i.e., '/proc/PID' - '/proc/1'
[Link] many, in-memory zero-byte files due to temporary PID Directories
'cmdline' - returns most recent invocation of OS
i.e., 'ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet'
i.e., Debian: '/proc/cmdline' - BOOT_IMAGE=/boot/vmlinuz-3.8.0-36-generic root=UUID=56a7fe0d-1d1c-4aa5-82ad-59dedb0177b3 ro
Note: You can review UUID or storage block
'devices' - reveals detected/supported devices
'filesystems' - returns kernel supported filesystems
'partitions' - returns known partitions on the system
fdisk -l
'swaps'
swapon --help
swapon -s
'cpuinfo' - use this to determine:
[Link] of present CPUs
[Link] supplied by the present CPUs
'meminfo' - returns memory configuration in detail
'net/' - Network details
arp -a
arp -an
'/sys/' - reflects current usage of system resources in a number of categories, i.e., 'net', 'audio', 'video', etc
grep proc /etc/fstab
Note: Ensure the integrity of '/etc/fstab' upon each system boot, i.e., ensure that '/proc/' is loaded
### '/[usr][/local]sbin' ###
Features:
[Link] privileged binaries
[Link] binaries are executable by non-privileged users via 'SETUID'
3.'/usr/sbin/' - $SHELL tools || Daemons || Services
4.'/usr/[local]/sbin' - $SHELL tools || Daemons || Services - i.e., 'anacron', 'ntpd', 'crond', 'sshd'
SETGID Examples:
1.'/usr/sbin/post[dq]*' - These files flagged SETGID ensure consistent permissions (for created files)
ps -ef | grep post
Examples of privileged binaries || scripts
1.'dhclient'
find /[usr[local]]/sbin
find / -name 'dhclient'
rpm -qf dhclient
find . -name 'dhc*'
2.'arp'
arp -an
3.'ifconfig'
dpkg -S `which ifconfig`
rpm -qf `which ifconfig`
rpm -ql net-tools
4.'route'
5.'ip[6]tables*'
6.'fdisk' - manipulate partition tables
fdisk -l
7.'parted' - manipulate partition tables
8.'lv* | pv* | vg*' - LVM Tools
9.'blkid' - UUID - Guard as well, because a corrupted 'blkid' could yield incorrect UUIDs that you may inadvertently use and corrupt your system
10.'mke2fs && mkfs.*'
Note: Use a third-party tool such as AIDE to guard the integrity of these important files
11.'lsmod'
12.'modprobe'
13.'adduser||useradd||usermod||userdel'
14.'reboot||shutdown||restart'
### System Control Configuration '/etc/[Link]' ###
Features:
[Link] the start-up || run-time Linux Kernel options '/proc/sys'
[Link] run-time Kernel options manipulation, i.e., dynamic changes to the Kernel akin to dynamic router changes
[Link]-space tool: 'sysctl' - to manipulate run-time Kernel options
Note: Ensure its (/sbin/sysctl) integrity
[Link] startup configuration file: '/etc/[Link]'
Tasks:
[Link] 'sysctl' to dump variables
a.'sysctl -a' - enumerates Kernel run-time possibilities
[Link] some simple variables
hostname
a.'sysctl "[Link]=[Link]"'
b.'sysctl "[Link]=8192"' - useful for very busy, shared servers
sysctl [Link]
Example of exhausting() PID Max:
$USER -> pts/4 -> PIDs -> (Numerous PIDs) - i.e., Nessus, Nmap
Note: The Kernel will usually log messages: /var/log/messages && console (critical)
c.'sysctl "kernel.pid_max=65536"'
[Link] that tweaked variables persist: '/etc/[Link]'
a.
#LinuxCBT Classroom System Performance Kernel Tweaks
[Link] = [Link]
[Link] = 8192
kernel.pid_max = 65536
[Link] that values take effect immediately
a.'sysctl -p' - reads /etc/[Link]
Note: Errors reading values should appear immediately on STDOUT
Note: System control (sysctl) influences the Kernel directly and dynamically
Note: If '/etc/[Link]' is corrupted, your Kernel will misbehave
Note: An improper '/etc/[Link]' could result in:
[Link] to boot the system, resulting in a Kernel Panic
[Link] application behavior
[Link] slow application responses
[Link] connections TCP, UDP, SCTP && Application Level
Note: Monitor '/etc/[Link]' using appropriate integrity tools
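Beyond checksumming the file, the two failure modes above (a corrupted sysctl configuration file, or a run-time change that no longer matches it) can be caught by comparing each "key = value" line with what the kernel currently reports under /proc/sys. This is an added example, not part of the original notes; SYSCTL_ROOT is a constructed environment knob that defaults to /proc/sys so the check can also be pointed at a copied tree.

```sh
#!/bin/sh
# Added example, not from the original notes: check that every "key = value"
# in a sysctl configuration file matches the value the running kernel reports
# under /proc/sys, so a corrupted file or an unauthorized run-time change is
# noticed. Assumes Linux; SYSCTL_ROOT is a constructed knob, defaulting to
# /proc/sys, so the check can be pointed at a copied tree.

# Live value of a dotted key such as kernel.pid_max, read from /proc/sys.
live_value() {
    f="${SYSCTL_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] && cat "$f"
}

# Trim leading/trailing whitespace and squeeze internal runs to one space,
# so "4096  87380" in the file compares equal to the tab-separated live value.
norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# Prints OK / DRIFT / UNKNOWN per key; returns 1 if any key drifted or is
# absent from the kernel (a typo in the file, or a key this kernel lacks).
check_sysctl_conf() {
    conf=$1
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}; line=${line%%;*}          # strip both comment styles
        case $line in *=*) ;; *) continue ;; esac   # skip blank/non-assignment
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(norm "${line#*=}")
        have=$(norm "$(live_value "$key")")
        if [ -z "$have" ]; then
            printf 'UNKNOWN %s (no such key under %s)\n' "$key" "${SYSCTL_ROOT:-/proc/sys}"; rc=1
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s: file=%s live=%s\n' "$key" "$want" "$have"; rc=1
        else
            printf 'OK      %s = %s\n' "$key" "$have"
        fi
    done < "$conf"
    return $rc
}

# Stand-alone: sh sysctl-drift.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then check_sysctl_conf "$1"; fi
```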
### '/etc/[x][Link]' ###
Features:
[Link]-spawned services || daemons as needed
[Link] consumption of resources CPU | memory
[Link] control
[Link] of ports (XINETD)
[Link] traditional '/etc/init.d' spawning of services || daemons
yum install xinetd
apt-get install xinetd
6.'/etc/[Link]' - primary XINETD config file
7.'/etc/[Link]' - primary traditional inetd config file - Debian and derivatives
8.'/etc/xinetd.d' - This directory is read for individual XINETD-controlled services || daemon files
Tasks:
[Link] typical XINETD setup
a.'/etc/[Link]' - primary config
b.'/etc/xinetd.d/' - primary config container for individual services || daemons
Note: It is up to you to ensure that 'XINETD' && INETD services are disabled as needed
yum search tftp
yum install tftp-server
apt-get install tftpd
Note: 'grep disable /etc/xinetd.d/*' - to determine enabled services
Note: This will not include services that are described sans 'disable = yes'
Note: 'netstat -nutlp | grep xinetd' - reveals XINETD-controlled services
Note: Importance: Trojans, unauthorized processes can be easily invoked via XINETD
Note: Because XINETD is more advanced than INETD, look out for services that really forward ports in '/etc/xinetd.d'
Note: You should also remove superfluous XINETD files from '/etc/xinetd.d', i.e., small TCP/IP services
[Link] typical INETD setup
a.'/etc/[Link]' - primary configuration file
Note: INETD systems tend to lump ALL services || daemons into 1 monolithic() file
Note: INETD systems will load services || daemons from '/etc/[Link]' that are uncommented (NOT commented)
Note: Like with XINETD, small TCP/UDP services are referenced, but commented, in '/etc/[Link]'
Note: Consider removing small TCP/UDP services from '/etc/[Link]'
[Link] TFTP
[Link] Samba SWAT
[Link] ALL mail-retrieval protocols
[Link].d openbsd-inetd restart
Note: If all services managed by XINETD|INETD are disabled, the super-server itself need not be invoked, which releases/avails resources
Note: Both XINETD|INETD control traditional inetd services, i.e., SSHD, etc
Note: Debian-derived systems ALSO support XINETD; however, INETD is the traditional super-server
Note: There is a conversion process required to go from INETD to XINETD
[Link] distinct services || daemons entries for small TCP/IP services from '/etc/[Link]'
e1.'/etc/init.d/openbsd-inetd restart'
Note: The various areas covered thus far are ALL vectors of attack to compromise your system
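The XINETD review above relies on 'grep disable', which, as the notes say, misses a service file that has no 'disable' line at all (xinetd treats that as enabled). The following is an added example, not part of the original notes, that parses each "service name { ... }" block in an xinetd.d directory and reports its real state, along with any 'server' and 'redirect' values so port forwarders stand out. The directory is a parameter; the standard xinetd attribute syntax is assumed.

```sh
#!/bin/sh
# Added example, not from the original notes: list the services defined under
# an xinetd.d directory and whether each is really enabled (a service with no
# 'disable' line at all is enabled), plus its 'server' and 'redirect' values.
# Assumes the standard xinetd "service name { attr = value ... }" syntax.

# One line per service: "ENABLED|DISABLED name file server=... redirect=..."
list_xinetd_services() {
    dir=${1:-/etc/xinetd.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function val(   v) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                                 sub(/[[:space:]]+$/, "", v); return v }
            /^[[:space:]]*#/ { next }                       # comment lines
            /^[[:space:]]*service[[:space:]]/ {             # new service block
                name = $2; disable = "no"; server = "-"; redirect = "-" }
            /^[[:space:]]*disable[[:space:]]*=/  { disable  = val() }
            /^[[:space:]]*server[[:space:]]*=/   { server   = val() }
            /^[[:space:]]*redirect[[:space:]]*=/ { redirect = val() }
            /^[[:space:]]*[}]/ {                            # end of block
                state = (disable == "yes") ? "DISABLED" : "ENABLED"
                printf "%s %s %s server=%s redirect=%s\n",
                       state, name, file, server, redirect }
        ' "$f"
    done
}

# Only the enabled ones; returns 1 when at least one service is enabled, so
# the caller knows a review is due.
enabled_xinetd_services() {
    found=$(list_xinetd_services "$1" | grep '^ENABLED') || return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone: sh xinetd-audit.sh /etc/xinetd.d
if [ $# -gt 0 ]; then enabled_xinetd_services "$1"; fi
```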
### /etc/{passwd,shadow} ###
Features:
[Link] accounts DBs
[Link] even with LDAP usage, i.e., daemons | services | root | default non-privileged user (linuxcbt)
3.'[Link]'
Tasks:
[Link] both files
a.'/etc/passwd'
root:x:0:0:root:/root:/usr/bin/zsh
[Link]
[Link] of shadow
[Link]
[Link]
[Link]'s description - usually a full name
[Link] directory
[Link]'s shell
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
cat /etc/shells
Note: Check '/etc/shells' to determine permitted $SHELLs
Note: Check, aside from daemon | service accounts, that each user has a $HOME directory
Note: $USERs sans $HOME directories will often be relegated() to '/', unless the enveloping daemon | service prohibits() this
b.'/etc/shadow' - contains 1 entry per entry in '/etc/passwd'
Note: Look for mismatches
Note: If using LDAP, check the LDAP DB for other account mismatches
Note: LDAP can be corrupted via corrupt source files: /etc/{passwd,shadow}
Note: LDAP data can be corrupted from any host with connectivity
c.'/etc/[Link]' - Contains default user account policies
[Link] default policy
userdel -r username
groupdel groupname
[Link] that SHA256 or higher is in use
getent
Note: Use 'getent passwd' to dump possible sources of user accounts for your system
getent group
getent gshadow
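The account checks above (one shadow entry per passwd entry, permitted shells, a $HOME for each regular user, SHA256-or-better hashes) in one script, as an added example that is not part of the original notes. It assumes the Linux crypt(3) prefixes ($5$ SHA-256, $6$ SHA-512, $y$ yescrypt); HOME_MIN_UID is a constructed threshold for telling regular users from daemon accounts, and the file paths are parameters so it can be run against copies.

```sh
#!/bin/sh
# Added example, not from the original notes: cross-check passwd, shadow and
# shells the way the notes describe: one shadow entry per passwd entry (and no
# orphans), login shells listed in /etc/shells, a home directory for every
# regular user, and password hashes of SHA-256 strength or better. Assumes the
# Linux crypt(3) prefixes ($5$ SHA-256, $6$ SHA-512, $y$ yescrypt). File paths
# are parameters; HOME_MIN_UID is a constructed threshold for "regular" users.
HOME_MIN_UID=${HOME_MIN_UID:-1000}

audit_accounts() {
    passwd=$1 shadow=$2 shells=${3:-/etc/shells}
    rc=0
    # 1. passwd <-> shadow must match one-to-one
    for u in $(cut -d: -f1 "$passwd"); do
        grep -q "^$u:" "$shadow" || { echo "MISMATCH no shadow entry for $u"; rc=1; }
    done
    for u in $(cut -d: -f1 "$shadow"); do
        grep -q "^$u:" "$passwd" || { echo "MISMATCH shadow entry $u has no passwd entry"; rc=1; }
    done
    # 2. shell and home directory, from passwd
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $shell in
            */nologin|*/false) ;;                # deliberately non-interactive
            *) grep -qx "$shell" "$shells" ||
                   { echo "SHELL $user uses $shell, which is not in $shells"; rc=1; } ;;
        esac
        if [ "$uid" -ge "$HOME_MIN_UID" ] && [ ! -d "$home" ]; then
            echo "HOME $user: $home does not exist (user will land in /)"; rc=1
        fi
    done < "$passwd"
    # 3. hash algorithm, from shadow
    while IFS=: read -r user hash rest; do
        case $hash in
            ''|'!'*|'*'*) ;;                     # locked or no password set
            '$5$'*|'$6$'*|'$y$'*) ;;             # SHA-256, SHA-512, yescrypt
            *) echo "HASH $user: password hash is not SHA-256 or stronger"; rc=1 ;;
        esac
    done < "$shadow"
    return $rc
}

# Stand-alone (needs read access to shadow): sh accounts.sh /etc/passwd /etc/shadow
if [ $# -ge 2 ]; then audit_accounts "$@"; fi
```

On LDAP-backed systems run the same checks against 'getent passwd' / 'getent shadow' output as well, since the local files only cover the accounts the notes call out as always present.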
### Pluggable Authentication Modules(PAM) ###
Features:
[Link] AUTH, Account, Session services
[Link] programs, i.e., SSH, Samba, Telnet, FTP, etc, from having to implement similar services
[Link] i.e., LDAP, AD, MySQL, PostgreSQL, etc
[Link] of modules required for AUTH, ACCOUNT, SESSION, PASSWORD
Key files:
1.'/etc/[Link]'
Note: Some systems, i.e., Redhat and derivatives, may not have a general '/etc/pam.conf'; however, look for '/etc/pam.d/' with numerous per-application files, i.e., 'SSH'
Note: Debian 6x has '/etc/[Link]' AND '/etc/pam.d/'
[Link] relies upon distinct libraries beneath the platform-specific library directory
Note: i.e., for x86_64: '/lib64/security'
Note: PAM, like PHP and other programs, supports the 'include' directive to incorporate the PAM stack from other files
Note: PAM also ensures, via the 'su' PAM stack, that the environment is properly configured on a per-user basis, i.e., if logged in as 'root', '/sbin', '/usr/local/sbin', '/usr/sbin' are added to your $PATH
Note: Upgrades | security patches may change the contents of '/etc/pam.d' and force you into action
Note: This may mean generating a new set of checksums
Note: /etc/security/pam_env.conf - consulted by ANY process, i.e., gdm, sshd, etc, that relies upon general AUTH to the system
Note: SYSLOG routes | handles PAM log entries, i.e., on CentOS && RH: /var/log/[Link] or Debian: /var/log/[Link]
### '/etc/{hosts,protocols,services}' ###
Features:
[Link] 4 - Layer 3 resolution - i.e., '[Link]' -> [Link] -> MAC
[Link] naming, i.e., IP(0), TCP(6), UDP(17) - '/etc/protocols'
[Link]-known services translations: '/etc/services', i.e., ssh -> tcp/22
Basic '/etc/hosts' for a TCP/IP-compliant system:
#IPv4
[Link] localhost [Link] linuxcbtcent1 [Link].internal
#IPv6
::1 localhost [Link] linuxcbtcent1 [Link].internal
#Routable Addresses
#RFC 1918 Address [Link]/24
[Link] [Link]
[Link] [Link]
Tasks
[Link] '/etc/hosts'
[Link] incorrect for [Link]
Note: Many malware() packages will corrupt '/etc/hosts' to redirect traffic
Note: Most target malware sites will resemble the authentic site
Note: Insofar as L4 to L3 resolution is concerned, '/etc/hosts' is usually consulted prior to DNS
[Link] '/etc/protocols'
Note: If '/etc/protocols' is corrupted, packet handling could, in theory, also be corrupted
[Link] '/etc/services'
Note: If '/etc/services' is corrupt, packet interpretation and handling could also go awry
Note: The port-range is 2**16, however, '/etc/services'
sha256sum /etc/{hosts,services,protocols}
NOTE: Another example of a corrupted '/etc/hosts' is the redirection of Backup Exec client/server communications via incorrect IPv[46]
Note: Malware typically hits '/etc/hosts'
Note: If you detect mismatches in packet analysis programs, i.e., TCPDump, Wireshark, Snort, NMap, Nessus, etc, then consult '/etc/{protocols,services}'
### Name Services Switch Configuration (NSSWITCH) ###
Features:
[Link] services resolution order
[Link] various databases to be used for lookup of various data
i.e., L4-L3 names are resolved using NSSWITCH
i.e., User accounts DB location is indicated via NSSWITCH
[Link] name resolution service: resolver
[Link] name=value pairs from target DBs
[Link] applications from having to maintain resolution services, akin to PAM
i.e., ping [Link] -> NSSWITCH -> hosts: files dns
Note: The 'hosts' DB type is consulted when tools such as 'ping', 'traceroute', web browsers, etc, require L4 (host name) - L3 (IPv[46]) translations
Note: '/etc/hosts' is the key file for 'hosts' resolution
[Link] facilitates redundant means of resolving targets
Tasks:
[Link] '/etc/[Link]' configuration
Note: NIS(plus) is still supported, but somewhat deprecated due to LDAP & DNS, a la Active Directory (AD)
[Link]
[Link] - considerable support - glue of the internet
[Link] '/etc/[Link]' and evaluate
a.'hosts dns files' - causes the name resolver to use DNS first
[Link] [Link]
Note: 'files' references tend to be consistent across distributions of linux | unix due to regularity
cat /etc/ethers
cat /etc/networks
Note: If your system is configured to use LDAP AUTH, then '/etc/nsswitch' will be updated insofar as:
passwd files
shadow files
group files
Note: Usage of LDAP does NOT disable the local 'files' reference
Note: Insofar as malware is concerned, watch:
passwd files
shadow files
group files
hosts files dns
NSSWITCH is used by virtually ALL *Nix applications to resolve key DBs
host [Link]
### DNS Client Resolution ###
Features:
[Link]: '/etc/[Link]' - located on ALL *Nix systems
[Link] Client resolver lookup file
[Link] by DNS Client, dig, nslookup, web browser, lynx, curl, lftp, etc
4. L4 lookup servers are placed here, normally using IPv[46] addresses
[Link]-configured if using DHCP client
[Link] configured IPv[46] systems must also configure '/etc/[Link]' manually
Tasks:
[Link] '/etc/[Link]'
search [Link] # This domain is appended to DNS Client requests if the FQDN is omitted by the user, i.e., 'dig linuxcbtcent1' - NOT FQDN, DNS Client will rewrite to 'dig [Link]'
nameserver [Link] # indicates PRIMARY DNS server to consult
Note: If '/etc/[Link]' is corrupted, DNS client requests can easily be re-routed to rogue() DNS servers, rendering illegitimate() responses
dig @[Link] [Link]
Note: Some malware will remove your normal DNS servers in '/etc/[Link]', in exchange for polluted DNS Servers
Note: Other malware will simply include polluted DNS servers as default servers, leaving your original entries as subsequent entries
Note: By default, DNS client resolvers will bypass '/etc/hosts' and use servers specified in '/etc/[Link]'
Note: This does NOT include applications such as web browsers, which will always consult the order in '/etc/[Link]'
[Link] Queries:
[Link] @[Link] [Link] - forces DNS Client resolution off server 8.8.8.8
b.'dig [Link]' - uses the default DNS Server prescribed in '/etc/[Link]'
Suggesting:
Internally(), direct DNS traffic to internal, company-managed DNS servers, and subsequently(), forward unfulfilled(|) requests to internet DNS servers, i.e., ISP
Client -> Internal DNS Server(s) -> ISP Server -> Public Servers (Google 8.8.8.8 | [Link]) -> Root DNS Servers
[Link] Debian APT '[Link]' File
'deb [Link] squeeze/updates main contrib'
dig [Link]
dig [Link] (L4) -> [Link] (L3)
If the L3 Server address is poisoned, then the NEW rogue target server COULD supply our APT framework with rogue, malicious, and|or compromised packages
Note: Try to ensure that PROD systems have consistent '/etc/[Link]' files
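The three name-resolution files flagged above (the NSSWITCH "watch:" list, the polluted-resolver cases for the DNS client file, and the '/etc/hosts' redirection of hosts such as a package mirror) in one audit script, as an added example that is not part of the original notes. Each check takes the file path and an allowlist as parameters; the server addresses and host names in the usage comments are constructed.

```sh
#!/bin/sh
# Added example, not from the original notes: audit the three name-resolution
# files the notes tell you to watch. check_nsswitch flags NSS sources outside
# an allowlist for passwd/shadow/group/hosts; check_resolv flags nameservers
# outside an allowlist (a rogue resolver inserted first is the pattern the
# notes describe); check_hosts flags names that must never be pinned locally
# (package mirrors, backup servers). Allowlists and file paths are parameters;
# the values in the usage comments at the end are constructed.

check_nsswitch() {
    conf=$1; allowed=" ${2:-files dns} "; rc=0
    for db in passwd shadow group hosts; do
        srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$conf" | head -n 1)
        [ -n "$srcs" ] || { echo "NSS $db: no entry in $conf"; rc=1; continue; }
        for s in $srcs; do
            case $s in \[*) continue ;; esac          # skip [NOTFOUND=return] actions
            case $allowed in *" $s "*) ;; *) echo "NSS $db: unexpected source '$s' ($srcs)"; rc=1 ;; esac
        done
    done
    return $rc
}

check_resolv() {
    conf=$1; allowed=" $2 "; rc=0; pos=0
    while read -r key val rest; do
        [ "$key" = nameserver ] || continue
        pos=$((pos + 1))
        case $allowed in
            *" $val "*) echo "OK nameserver #$pos $val" ;;
            *) echo "ROGUE nameserver #$pos $val is not an approved resolver"; rc=1 ;;
        esac
    done < "$conf"
    [ "$pos" -gt 0 ] || { echo "EMPTY no nameserver in $conf"; rc=1; }
    return $rc
}

check_hosts() {
    hosts=$1; shift; rc=0
    while read -r ip names; do
        case $ip in ''|\#*) continue ;; esac          # blank and comment lines
        for n in $names; do
            for watched in "$@"; do
                if [ "$n" = "$watched" ]; then echo "PINNED $watched -> $ip in $hosts"; rc=1; fi
            done
        done
    done < "$hosts"
    return $rc
}

# Stand-alone (constructed allowlists):
#   check_nsswitch /etc/nsswitch.conf "files dns ldap"
#   check_resolv   /etc/resolv.conf   "10.0.0.53 10.0.0.54"
#   check_hosts    /etc/hosts         mirror.example.internal backup.example.internal
```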
### User Profiles ###
Features:
[Link] to aggregate and present a consistent user experience across icons, files, colors, etc
[Link] $SHELL = BASH
Files:
1.'/etc/bashrc,profile,profile.d,shells,skel'
a.'/etc/profile' - system-wide $SHELL file, that configures the initial environment
echo $HISTSIZE
echo $HISTFILESIZE
echo $PS1
echo $PATH
echo $LOGNAME
echo $USER
b.'/etc/profile.d' - contains $SHELL includes, i.e., coloration of 'ls' output
c.'/etc/shells' - This file dictates allowable $SHELLs
Note: Ensure that '/etc/shells' does not contain unknown, unidentified $SHELLs
d.'/etc/skel' - used to provision new users
2.'~/.bash_history' - Guard contents, because passwords, credentials may be present
Note: Consider purging the contents of '~/.bash_history' to a facility such as '/dev/null'
Note: Consider reducing the history size to a small number, i.e., '10'
3.'$HOME/bin' - This is a per-user executable directory; monitor this directory for potential rogue processes
4.'~/.vnc' - This directory houses files associated with VNC access
a.'xstartup' - executable file that is invoked when a new VNC/GNOME/KDE session is created
Note: This feature is akin to Windows -> startup group - It will cause applications to launch upon invocation
netstat -ntl | grep 591
5.'password' - ensure this file exists, if VNC is in use
### CRON ###
Features:
[Link] automation
Example of misuse:
[Link] client poisoning
[Link] package (RPM|APT) is installed
[Link] process is invoked via CRON, regularly
[Link] becomes a member of a BotNet
Key Files:
1.'/etc/crontab' - System Cron Tables - defines basis of operation
2.'/etc/cron.d' - Default jobs are called; varies by Distro, however, concepts are similar
Note: These entries are NOT executables; they are simply included as part of the larger CRON config
Note: If you notice executable items in '/etc/cron.d', something is amiss
3.'/usr/sbin/crond' - CROND process - checksum this
rpm -qf 0anacron
4.'/etc/[Link]' - jobs that are executable (scripts), and run hourly
Note: Normally, CRON jobs are not binaries; if you see files that run as jobs and are represented as binaries, have a deeper look.
[Link] the integrity of '/bin/run-parts' - this utility runs N number of scripts from a directory
rpm -qa | grep cron
6.'/usr/bin/crontab' - checksum as well, as this could submit jobs
7.'/var/spool/cron' - Check for unrelated user jobs - look for unresolved IDs: 'ls -l /var/spool/cron'
[Link] the integrity of 'crond' itself using 'rpm', i.e., 'rpm -Vvf `which crond`'
Note: Perform these checks before the system enters PROD, and during PROD.
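The three CRON checks above (executable items in '/etc/cron.d', binaries instead of scripts in the run-parts directories, and spool files whose name resolves to no account), as an added example that is not part of the original notes. All locations are parameters so the audit can run against copies; the passwd file defaults to /etc/passwd.

```sh
#!/bin/sh
# Added example, not from the original notes: three checks the notes describe
# for the cron environment: executable files in /etc/cron.d (fragments should
# never be executable), run-parts directories holding binaries instead of
# scripts, and /var/spool/cron files whose name resolves to no account.
# All locations are parameters; the passwd file defaults to /etc/passwd.
audit_cron() {
    frag_dir=$1 parts_dir=$2 spool_dir=$3 passwd=${4:-/etc/passwd}
    rc=0
    # 1. /etc/cron.d holds crontab fragments, not programs
    for f in "$frag_dir"/*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then echo "FRAGMENT $f is executable: something is amiss"; rc=1; fi
    done
    # 2. cron.hourly etc. are run by run-parts; expect scripts with a #! header
    for f in "$parts_dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(head -c 2 "$f")" != '#!' ]; then
            echo "PERIODIC $f is not a script (no #! header): have a deeper look"; rc=1
        fi
    done
    # 3. /var/spool/cron/<user>: the file name must be an existing account
    for f in "$spool_dir"/*; do
        [ -f "$f" ] || continue
        u=${f##*/}
        grep -q "^$u:" "$passwd" || { echo "SPOOL $f: no account named '$u'"; rc=1; }
    done
    return $rc
}

# Stand-alone: sh cron-audit.sh /etc/cron.d /etc/cron.hourly /var/spool/cron
if [ $# -ge 3 ]; then audit_cron "$@"; fi
```

Run it once per run-parts directory (cron.hourly, cron.daily, ...) and, on Debian, point the spool parameter at /var/spool/cron/crontabs.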
### DNS Server Configuration ### (TODO: Learn bind)
Features:
[Link] of the Internet
2. L4-L3 conversions
Tasks:
[Link] environment
a.'/etc/bind' - Debian
b.'/etc/named' && '/var/named' - CentOS | RedHat
Note: Ensure that you have a baseline
netstat -nump
c.'/etc/bind/named.*' - Both OSs - Ensure zones listed are ones that you are responsible for
[Link] each Zone file to source file on FS and examine
dig @localhost hostname
[Link] run random queries occasionally to ensure the validity of DNS records
[Link] that RFC-1912 && RFC-1918 zones, if defined, are accurate
Note: ALL named.* files that are included are part of a monolithic() configuration (1 big config), which means you are at liberty to place any zone config (descriptor) anywhere
[Link] ROOT servers are accurate: '/var/named/[Link]' on RedHat-derived systems
[Link] that you constantly look for:
[Link] zones
[Link] to existing zones
[Link] records, i.e., pointers to unauthorized IP addresses [4|6]
[Link] records, i.e., present IPv4 and missing IPv6 records
[Link] reverse entries - this causes some applications to break
### Syslog ###
Features:
[Link] key system information from programs, services, daemons, kernel, etc
[Link] logs information from remote, Syslog-aware systems: devices | routers, switches, firewalls, etc
Explore Syslog Environment
1.'/lib[64]/rsyslog/*' - contains modules to extend - RedHat | CentOS
2.'/usr/lib/rsyslog/*' - Debian
3.'/usr/sbin/rsyslogd' - Debian && '/sbin/rsyslogd' - RedHat | CentOS
Comment out TCP || UDP listeners if NOT in use - Syslog does not offer AUTH security by default
Note: This means, once clients have network access to the rsyslog server, they can, if configured with the appropriate facility and|or level, send messages to SYSLOG
#Hypothetical() Case
A rogue, infected Windows machine on-the-wire sends considerable SYSLOG data to your rsyslog instance; for this reason, consider provisioning a dedicated '/var' per HOST
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
rpm -ql rsyslog
Suggesting:
Consider restricting TCP:514 AND|OR UDP:514 via IPTables AND|OR an external firewall
iptables -L
Ensure that you have a comprehensive list of supported Syslog:
[Link]: local, user, mail, kern, cron, auth|priv
[Link]: debug -> emerg
Note: Ensure that your organizational security policy details accepted Syslog configuration; this helps to mitigate() problems, nerves(), anxieties(), when things go awry()
i.e., DDOS attacks generate enormous amounts of data on a number of levels that impact *Nix systems:
[Link] Systems parsing gigabit traffic
[Link] must capture requests incoming from NIDS, edge processes, and otherwise