ClearSDN Overview - Remote Security Audit

Remote Security Audit

ClearSDN can communicate with your local ClearOS server and run regular audits that detect errors, software revisions, bugs and irregularities. An automated ClearSDN Security Audit gives you the assurance that problems on the network are being looked for consistently and that you will be alerted when they are found. Remote Security Audits can also help you demonstrate that compliance obligations are being met.

Requirements

The Web Services software module must be running, and the firewall must allow the incoming ClearSDN connection.

Activation

  • Log in to your account
  • Click on Systems in the top navigation bar
  • Select the target system from the list of active systems in your account
  • Click on Security Audits in the menu

Configuration

To enable the Security Audits service, select On and click the Update button.

Status Reports

You will receive an e-mail when the security audit detects a change on your system. If no system changes are detected, you will not receive any reports.

How It Works

The goal of the security audit is to pick up clues that typically result from a server being compromised. This can be determined by:
  • Detecting changes in critical files and directories
  • Checking for a change in the number of hidden files and directories
  • Monitoring the inventory of setuid/setgid files
  • Detecting a change in the number of superuser accounts
  • Auditing the number of accounts without passwords
On a daily basis, the security audit will:
  • Connect to your system
  • Make sure the audit tools have not been tampered with
  • Signal the system to run the audit
  • Wait for the audit to complete
  • Save a simple hash of the results in our database

Detecting File Changes with AIDE

The Security Audit uses AIDE (Advanced Intrusion Detection Environment, an open source file integrity checker) to build a database that is a snapshot of important system files. Each entry records the file's permissions, modification time, size and similar attributes. You can look at this database on your machine (usually in /usr/local/suva/suvlets/net/clearcenter/SecurityAudit/db/aide.db).

We do not need to store the whole database off the server. Instead we compute a cryptographic hash of the file (a short fingerprint that changes if any byte of the file changes) and send only that hash back to our database. On the next check, the hash of the local database is recomputed and compared with the stored value to make sure nothing has tampered with the AIDE database.

The AIDE software itself is checked for tampering in the same way, so it can then run its normal audit knowing that both the tool and the database are intact. Because these hashes are computed on the host being audited, the comparison is only as trustworthy as the tools that compute them, which is why the audit tools are verified before the audit is signalled to run. The other system checks use the same model.

Give It a Test... Wait at least 24 hours so that the security audit has run at least once. You can then "tamper" with one of your system files. For instance, run the touch command on /usr/bin/last. (This only updates the file's timestamp, but that is enough for the audit to flag the file.) You will receive an alert on the next audit.
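The daily cycle listed under How It Works, the off-host hash described in this section and the touch test above, as an added example in Python (not ClearSDN or AIDE code): a toy audit that snapshots a constructed directory tree with AIDE-style attributes, keeps only the SHA-256 fingerprint of the snapshot "off host", detects both the touch on a file and a doctored local database, and counts hidden files, setuid/setgid files, UID 0 accounts and passwordless accounts. The directory layout, the JSON database format and the sample passwd/shadow lines are all hypothetical and constructed for the example.

```python
"""Toy audit in the model described above: snapshot, off-host fingerprint,
tamper check and the account/hidden/setuid counters. Constructed example,
not ClearSDN or AIDE code; paths and sample data are hypothetical."""
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Constructed stand-ins for /etc/passwd and /etc/shadow (not real accounts).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "toor:x:0:0:second uid 0:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
SAMPLE_SHADOW = ("root:$6$saltsalt$notarealhash:19000:0:99999:7:::\n"
                 "toor::19000:0:99999:7:::\n"        # empty field: no password needed
                 "daemon:*:19000:0:99999:7:::\n")    # '*' or '!' means locked, not empty


def snapshot(root):
    """AIDE-style record (mode, size, mtime, hash) per entry, plus hidden/setid flags."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size,
                     "mtime_ns": st.st_mtime_ns, "hidden": name.startswith("."),
                     "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))}
            if stat.S_ISREG(st.st_mode):
                with open(path, "rb") as fh:
                    entry["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = entry
    return db


def fingerprint(db):
    """SHA-256 of the canonically serialized database: all that leaves the host."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()


def compare(old, new):
    """Diff two snapshots and count hidden and setuid/setgid entries in each."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = {k: (old[path][k], new[path].get(k))
                 for k in old[path] if old[path][k] != new[path].get(k)}
        if diffs:
            report["changed"][path] = diffs
    for flag in ("hidden", "setid"):
        report[flag] = (sum(e[flag] for e in old.values()),
                        sum(e[flag] for e in new.values()))
    return report


def superusers(passwd_text):
    """All UID 0 account names; a second one is a classic compromise clue."""
    return [ln.split(":")[0] for ln in passwd_text.splitlines() if ln.split(":")[2] == "0"]


def passwordless(shadow_text):
    """Accounts whose hashed-password field is empty ('!' and '*' are locked)."""
    return [ln.split(":")[0] for ln in shadow_text.splitlines() if ln.split(":")[1] == ""]


def run_demo():
    """Baseline a constructed tree, keep only the fingerprint off host, tamper, re-audit."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    for rel, mode in (("bin/last", 0o755), ("bin/su", 0o4755), (".bash_history", 0o600)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"original " + rel.encode())
        os.chmod(os.path.join(root, rel), mode)   # chmod after writing: a write drops setuid
    baseline = snapshot(root)
    remote_fp = fingerprint(baseline)             # what ClearSDN would keep in its database
    local_db_file = json.dumps(baseline, sort_keys=True)   # stands in for aide.db on the host

    # The "touch /usr/bin/last" test from the text, made deterministic (mtime + 1 s),
    # plus a new hidden file and a binary that has become setuid.
    last = os.path.join(root, "bin/last")
    st = os.lstat(last)
    os.utime(last, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
    os.chmod(last, 0o4755)
    with open(os.path.join(root, ".sneaky"), "wb") as fh:
        fh.write(b"x")

    local_db, current = json.loads(local_db_file), snapshot(root)
    # A doctored local database (change hidden) no longer matches the stored fingerprint.
    doctored = dict(local_db, **{"bin/last": current["bin/last"]})
    result = {"db_intact": fingerprint(local_db) == remote_fp,
              "doctored_db_detected": fingerprint(doctored) != remote_fp,
              "report": compare(local_db, current),
              "superusers": superusers(SAMPLE_PASSWD),
              "passwordless": passwordless(SAMPLE_SHADOW)}
    shutil.rmtree(root)
    return result
```

Running `run_demo()` reports `.sneaky` as added, `bin/last` as changed in mode, mtime and setuid status, the hidden and setuid counts rising from 1 to 2, `toor` as a second UID 0 account and as the one passwordless account, while the untouched local database still matches the stored fingerprint and the doctored copy does not. The point of keeping the fingerprint off the host is visible in the last check: an intruder can rewrite aide.db to hide a change, but cannot make it hash to the value already stored elsewhere.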
