### LinuxCBT Key Files Edition ###

### LinuxCBT Key Files Edition ###
Features:
    1.Key files && directories that are present across-the-board on Linux systems
    2.Pertains to security due to sensitive nature of files
    Note:Files also pertain to directories (d ---------)
'/boot' - Present on all linux systems
Features:
    1.Houses Kernel
    2.INITRD || INITRAMFS - (Present on modern implementations)
    3.GRUB & related files
    4.Post-BIOS,'/boot' is consulted for various stages of boot
    5.Typically is provisioned as a dedicated partition to ensure system boot
    6.Traditionally,'/boot' or BOOT environment for various OSs have been abstracted|separated from other volumes,i.e,Windows (c:(os)...(Exchange || MS SQL) || etc.)
    Files:
        1.'config' - Kernel configuration options (Options used to compile Kernel)
            'uname -a' - reveals kernel version which can be correlated to '/boot/{config*,init*,vmlinuz*}'
         a.Text files
         b.Contains options such as :'y' = static,'m' = modular support
        2.'initrd || initramfs' - initial RAM Disk - loaded by GRUB to setup the environment
         a.Used to load drivers to mount '/'(root)
         Note:From a security respective,checksum 'config*' && 'init*' && 'vmlinuz* && System.map*'
        3.'vmlinuz' - linux Kernel
         a.MUST match 'initrd'

        4.'System.map'
         a. Symbols for image by Kernel modules
        Note:'/boot' need NOT be separated from '/'
        Note:Ensure that backup procedures ALWAYS include '/boot'
            du -chs /boot/
### INIT ###
Features:
    1.First User-Space process
    2.PID=1
    3.Parent of all User-Space processes on *Nix systems (linux | unix)
    4.Loads User-Space environment
Files:
    1.'/etc/inittab' - Primary configuration file - Read by '/sbin/init'
     i.e,'id:5:initdefault:' - default Runlevel
    2.'/etc/init.d/' - Houses Daemons | Services,interface configuration scripts,etc
    Note:Similar to 'services.msc' on Windows
    Note:Weather or not the services | daemon run in the current run-level is not important
    Note:This is where third-party RC script should be played
    3.'/etc/rc.*' - Run Control Scripts for appropriate run-levels
    'runlevel' - confirms current and optionally previous runlevel
     a.'/etc/rc.d/' - contains ALL K* S* scripts to be executed by 'rc' in this runlevel
     b.'/etc/rc.d/rc' - script,which processes distinct runlevel K* & S* script
     c.'/etc/rc.d/rc.sysinit' - items that should be run regardless of runlevel when system is invoked
     d.'/etc/rc.d/rc.local' - place third-party programs here to be launched post-runlevel-invocation
     Note:'sha256sum /etc/init.d/*'  generates checksums for later references
     Note:RPM DB provides checksums for installed files: i.e,'/sbin/init',however,if RPM DB is corrupted,then you may be trojaned without your knowledge
      rpm -qf /sbin/init
    Note:Various SYSTEM v systems will use different Daemon | service name,however,the startup is virtually the same
    Note:Part of your checksums checks could also includes file size
    Note:For security purposes,store your checksums on a remote system
    Note:use BASH,Perl,Python,etc to take snapshots
    Note:Consider taking  snapshots manually to mitigate compromised system threats
    Note:Mulicious,unauthorized user may compromised automated checksums check to publish to the aggregation system,data consistent with your expectation
    Note:If your automate checksums check,consider manually spot-checking on a somewhat random basis the checksums that are generated
    Note:Also ensure that you checksum the checksum-generation script,in the event unauthorized user change the behavior of the script

### Kernel Modules ###
Features:
    1.Kernel modules for myriad(无数的)categories,CPU Frequency,Networking,Sound,etc
    2.References via:'/lib/modules/`uname -r`'
    3.Each accessible | available Kernel has its own '/lib/modules/`uname -r`'

    '/lib/module/$(uname -r)'
     a.'modules.alias' - shortcuts
     b.'modules.dep' - Module dependencies - path are relative to '/lib/modules/$(uname -r)'
     c.'kernel/*' - Categorical storeage of modules per Kernel version

     lsmod - Reveals loaded models from '/proc/modules'
     correlate loaded modules to :'/lib/modules/*'
      find ./ -name cpufreq
    'modinfo cpufreq_stats' - Return MORE information

    '/etc/modprobe.d' - Configuration of specific module
     dmesg
### '/proc/' ###
Features:
    1.Run-time Kernel configuration options - '/proc'
    2.Virtual in memory File System
    3.User-space tools derive key information from:'/proc/'
        df -h | grep proc
        mount | grep proc
    4.Stores PIDs of running processes i.e '/proc/PID' - '/proc/1'
    5.contains many,in-memory zero-byte files files due to temporary

    PID Directories
    'cmdline' - returns most recent invocation of OS
    i.e 'ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16  rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet'
    i.e,Debian:'/proc/cmdline' - BOOT_IMAGE=/boot/vmlinuz-3.8.0-36-generic root=UUID=56a7fe0d-1d1c-4aa5-82ad-59dedb0177b3 ro
    Note:You can review UUID or storage block

    'devices' - reveals detected/supported devices
    'filesystems' - returns kernel supported filesystems
    'partitions' -  returns know partitions on the system
        fdisk -l
    'swaps'
        swapon --help
        swapon -s
    'cpuinfo' - use this to determine:
     a.Number of present  CPUs
     b.Features supplied by the present CPUs
    'meminfo' - returns memory configuration in detail
    '/et/'- Network details
        arp -a
        arp -an
    '/sys/' - reflect current usage of system resources in a number of categories,i.e,'net','audio','video',etc
        grep proc /etc/fstab
    Note:Ensure the integrity of '/etc/fstab' upon each system boot:i.e,ensure that :'/proc/' is loaded

### '/[usr][/local]sbin' ###
Features:
    1.Mostly privileged binaries
    2.Some binaries are executable by non-privileged users via 'SETUID'
    3.'/usr/sbin/' - $SHELL tools || Daemons || Services
    4.'/usr/[local]/sbin' - $SHELL tools || Daemons || Services - i.e,'amacron','ntpd','crond','sshd'

SETGID Examples:
    1.'/usr/sbin/postpost[dq]*' - These files flagged SETGID ensure consistent permission(fore created files)
    ps -ef | grep post

Examples of privileged binaries || scripts
 1.'dhclient'
find /[usr[local]]/sbin
    find / -name 'dhclient'
    rpm -qf dhclient
    find . -name 'dhc*'
 2.'arp'
    arp -an
 3.'ifconfig'
    dpkg -S `which ifconfig`
    rpm -qf`which ifconfig`
    rpm -ql net-tools
 4.'route'
 5.'ip[6]tables*'
 6.'fdisk' - manipulate partition tables
    fdisk -l
 7.'parted'- manipulate partition tables
 8.'lv* | pv* | vg*' - LVM Tools
 9.'blkid' - UUID - Guard as well because corrupted 'blkid' could yield incorrect UUIDs that you may inadvertently use and corrupt your system
 10.'mke2fs && mkfs.*'
 Note Use a third-party tool such as AIDE to guard the integrity of these important files
 11.'lsmod'
 12.'modprob'
 13.'adduser||useradd||usermod||userdel'
 14.'reboot||shutdown||restart'

### System Control Configuration '/etc/sysctl.conf' ###
Features:
    1.Alter the start-up || run-time Linux Kernel options '/proc/sys'
    2.Facilitates run-time Kernel options manipulation:i.e,dynamic changes to Kernel akin to dynamic router changes
    3.User-space tool:'sysctl' - to manipulate run-time Kernel options
    Note:Ensure its (/sbin/sysctl) integrity(完整性,真实性)
    4.global startup configuration file:'/etc/sysctl.conf'
Tasks:
    1.Use 'sysctl' to dump variables
     a.'sysctl -a' - enumerates Kernel run-time possibilities
    2.Set some simple variables
        hostname =f
     a.'sysctl "kernel.domainname=linuxcbt.interal"'
     b.'sysctl "kernelNaNy.max=8192"' = useful for very busy,shared servers
        sysctl kernelNaNy.max
Example of exhausting(耗尽) PID Max:
    $USER -> ptx/4 -> PID s->(Numerous PIDs) - i.e,Nessus,Nmap
    Note:The Kernel will usually log messages: /var/log/messages && console (critical)
     c.'sysctl "kernel.pid_max=65536"'
    3.Ensure that tweaked variables persist:'/etc/sysctl.conf'
     a
    #LinuxcBT Classroom System Performance Kernel Tweaks
    kernel.domainname = linuxcbt.internal
    kernelNaNy.mx = 8192
    kernel.pid_max = 65536

    4.Ensure that values take effect immediately
     a.'sysctl -p ' - reads of /etc/sysctl.conf
     Note:Errors reading values should appear immediately on STDOUT
    Note:System control (sysctl) influence,directly,and dynamically,the Kernel
    Note:if '/etc/sysctl.conf' is corrupted,your Kernel will misbehave
    Note:Inproper '/etc/sysctl.conf' - could result in:
     1.Failure to boot the system,resulting in a Kernel Panic
     2.Intermittent application behavior
     3.Extremely slow application responses
     4.Dropped connections TCP,UDP,SCTP && Application Level
    Note:monitor '/etc/sysctl.conf' using appropriate integrity tools

### '/etc/[x]inetd.conf' ###
Features;
    1.Auto-spawned services || daemons as needed
    2.Reduces consumption of resources CPU | memory
    3.Resource control
    4.Forwarding of ports (XINETD)
    5.Extends tradition '/etc/init.d' spawning of services || daemon
        yum install xinetd
        apt-get install xinetd
    6.'/etc/xinetd.conf' - primary XINETD config File
    7.'/etc/inetd.conf' - primary traditional inetd config file - Debian and derivatives
    8.'/etc/xinetd.d' - This directory is read for individual XINETD-controlled services || daemon files

Tasks:
    1.Explore typical XINETD setup
     a.'/etc/xinetd.conf' - primary config
     b.'/etc/xinetd.d/' - primary config container for individual services || daemons
     Note:It is up to you to ensure that 'XINETD' && IENTD services are disabled as needed
    yum search tftp
    yum install tftp-server
    apt-get install tftpd
    Note:'grep disable /etc/xinet.d/*' - to determine enabled services
    Note:This will not include services that are described sans:'disabled = yes'
    Note:'netstat -nutlp | grep xinetd' - reveals XINETD-controlled services
    Note:Importance:Trojans,unauthorized processes can be easily invoked via XINETD
    Note:Because XINETD is more advanced than INETD,look out for services that really forward ports in '/etc/xinetd.d'
    Note:YOu should also remove superfluous XINETD files from :'/etc/xinetd.d' i.e,small TCP/IP services
    2.Explore typical INETD setup
     a.'/etc/inetd.conf' - primary configuration file
    Note:INETD-system tend to lump ALL services || daemons into 1 monolithic(巨大的) files
    Note:INETD systems will load services || daemons from :'/etc/inetd.conf' that are NOT uncommented
    Note:Like with XINETD,small TCP/UDP services are referenced,but commented,in '/etc/inetd.conf'
    Note:Consider removing small TCP/UDP services from '/etc/inetd.conf'

     b.Disable TFTP
     c.Disable Samba SWAT
     d.Disable ALL-mail-retrieval protocols
        invoke.rc.d openbsd-inetd restart
    Note:If all services managed by: XINETD|INETD are disabled,the service to invoke,which releases/avails resources
    Note:Both XINETD|INETD control traditional inetd services i.e,SSHD,etc
    Note:Debian-derived systems ALSO support XINETD,however,INETD is the traditional super-server
    Note:There is a conversion process required to go from :INETD to XINETD

    e.Remove distinct services || daemons entries for small TCP/IP services from :'/etc/inetd.conf'
     e1.'/etc/init.d/openbsd-inetd restart'
    Note:The various areas covered thus-far,are ALL vectors of attack to compromise you system
### /etc/{passwd,shadow} ###
Features:
    1.Store accounts DBs
    2.used even with LDAP usage,i.e,daemons| services | root | default non-privileged user(linuxcbt)
    3.'login.defs'
Tasks:
    1.Peruse both files
     a.'/etc/passwd'
        root:x:0:0:root:/root:/usr/bin/zsh
        1.username
        2.references of shadow
        3.uid
        4.gid
        5.user's description - usually a full name
        6.home directory
        7.user's shell
    sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
        cat /etc/shells
    Note:Check '/etc/shells' to determine permitted $SHELLS
    Note:Check,aside from daemons | services accounts,that each user has a $HOME directory
    Note:$USERs sans $HOME directories will often be relegated(转移) to '/',unless the enveloping daemon | service prohibits(不允许) this

     b.'/etc/shadow' - contains 1 entry per entry in '/etc/passwd'
    Note:look for mismatches
    Note:If using LDAP,check LDAP DB for other account mismatches
    Note:LDAP can be corrupted via corrupt sources files:/etc/{passwd,shadow}
    Note:LDAP data can be corrupted from any host with connectivity
     c.'/etc/login.defs' - Contains default user accounts policies
      c1.Tighten default policy
        userdel -r username
        groupdel groupname
      c2.Ensure that SHA256 or higher us in-use
        getet
    Note:Use 'getent passwd' to dump possible sources of user accounts for your system
        getent group
        getent gshadow
### Pluggable Authentication Modules(PAM) ###
Features:
    1.Centralized AUTH,Account,Session services
    2.Abstracts programs i.e,SSH,Samba,Telnet,FTP,etc,from having to implement similar services
    3.Extensible i.e,LDAP,AD,MySQL,PostgreSQL,etc
    4.Stack of modules required for AUTH,ACCOUNT,SESSION,PASSWARD
Key files:
    1.'/etc/pam.conf'
    Note:Some system:i.e,Redhat ad derivatives may not have a general:'/etc/pam.conf',however,look for:'/etc/pam.d/' with numerous per application:i.e,'SSH'
    Note:Debian 6x has:'/etc/pam.conf' AND '/etc/pam.d/'
    Note.PAM relies upon distinct libraries beneath the platform-specific library directory
    Note:i.e,for x86_64:'/lib64/security'
    Note:PAM,like PHP and other program,supports 'include' directive to incorporate the PAM stack from other files
    Note:PAM also ensues via the 'su' PAM stack that the environment is properly configured on a per-user basis,i.e,if logged in as 'root','/sbin/;'/usr/local/sbin;/usr/sbin' are added to you $PATH
    Note:Upgrades | security patches may change the contents of '/etc/pam.d' and force into action
    Note:This may mean generating a new set of checksums
    Note:/etc/security/pam_env.conf - consulted by ANY processes,i.e,gdm,sshd,etc,that relied upon general AUTH to the system.
    Note:SYSLOG route | handles PAM log entries,i.e,on CentOS && RH:/var/log/secure.log or Debian:/var/log/auth.log

### '/etc/{hosts,protocols,services}' ###
Features:
    1.Layer 4 - Layer 3 resolution - i.e,'linuxcbtrouter1.linuxcbt.internal' -> 192.168.75.1
    ->MAC
    2.Protocols naming,i.e,IP[0],TCP(6),UDP(17) - '/etc/protocols'
    3.Well-known services translations:'/etc/services',i.e,ssh -> tcp/22

Basic '/etc/hosts' for TCP/IP-complaint system:
#IPv4
127.0.0.1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
#IPv6
::1       localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
#Routable  Addresses
#RFC 1918 Address 192.168.75.0/24
192.168.75.105 site1.liuxcbt.internal
192.168.75.105 site2.liuxcbt.internal
Tasks
    1.Corrupt '/etc/hosts'
     a.place incorrect for www.linuxcbt.com
    Note:Many malware(恶意软件) packages will corrupt '/etc/hosts' to redirect traffic
    Note:Most target malware sites will resemble authentic site
    Note:Insofar as L4 to L3 resolution is concerned,'/etc/hosts' is usually consulted prior to DNS
    2.corrupt '/etc/protocols'
    Note:If '/etc/protocols' are corrupted,package handling could,in theory be also corrupted
    3.corrupte '/etc/services'
    Note:If '/etc/services' is corrupt,packet-interpretation and handing could also go awny

    Note:The port-range is 2**16,however,'/etc/services'
        sha256sum /etc/{hosts,services,protocols}
    NOTE:Another example of corrupted '/etc/hosts' ,is the redirection of BackupEvec client/server communications via incorrect:IPv[46]
    Note:malware Typically hits'/etc/hosts'
    Note:If you detect mismatches in packet analyses programs,i.e,TCPDump,WireShar,Snort,NMap,Nessus,etc,then consult'/etc/{protocols,services}

### Name Services Switch Configuration (NSSWITCH) ###
Features:
    1.Name services resolution order
    2.Indicates various databases to be used for lookup of various data
        i.e,l4-l3 names are resolved using NSSWITCH
        i.e,User accounts DB location is indicates via NSSWITCH
    3.Centralized name resolution service: resolver
    4.Polls name=value pairs from target DBs
    5.Abstracts applications from having to maintain resolution services:akin to PAM
    i.e,ping www.linuxcbt.com -> NSSWITCH ->hosts:  files   dns
    Note:The 'hosts' DB type is consulted when tools such as 'ping','traceroute',web browser,etc,require l4(host name)-l3(IPv[46]) translations
    Note:'/etc/hosts' is he ky files for 'hosts' resolution

    6.NSSWITCH facilitates redundant means of resoving targets
Tasks:
    1.Explore '/etc/nsswitch.conf' configuration
    Note:NIS(plus) are still supported,but rather somewhat deprecated due to:LDAP & DNS a l :Artive Directory(AD)
     a.NIS
     b.DNS - considerable support - glue of internet
    2.Reorder '/etc/nsswitch.conf' and evaluate
     a.'hosts dns files' - causes name resolver to use DNS first
     b.ping www3.linuxcbt.com
    Note:'files' references tends to be consistent across distributions of linux | unix due to regularly
        cat /etc/ethers
        cat /etc/networks
    Note:If your system is configured or use LDAP AUTH,then '/etc/nsswitch' will be updated insofar as:
        passwd  files
        shadow  files
        group   files
    Note:That usage of LDAP does NOT disable local 'files' reference
    Note:Insofar,as malware is concerned,watch:
        passwd files
        shadow files
        group  files
        hosts  files dns
    NSSWITCH is used by virtually ALL *Nix applications to resolve key DBs
        host www.google.com

### DNS Client Resolution ###
Features:
    1.file:'/etc/resolv.conf' - located on ALL *Nix systems
    2.DNS Client resolver lookup file
    3.Consulted by DNS Client,dig,nslookup,web browser,lynx,curl,lftp,etc
    4.L4 lookup servers are placed here normally using IPv[46] addresses
    5.Auto-configured if using DHCP client
    6.Manually configured IPv[46] system must also configure '/etc/resolv.conf' manually

Tasks:
    1.Explore '/etc/resolv.conf'
        search localhost.localdomain # This domain is appended to DNS Client requests if FQDN is omitted by user,i.e,'dig linuxcbtcent1' - NOT FQDN,DNS Client will rewrite to 'dig linuxcbtcent1.linuxcbt.internal'
        nameserver 192.168.1.1 # indicates PRIMARY DNS server to consult

Note:If '/etc/resolv.conf' is corrupted,DNS client requests can easily be re-rerouted to rogue(欺骗) DNS servers,rendering illegitimate(非法的) responses
    dig @8.8.8.8 www.linuxcbt.com

    Note:Some malware will remove your normal DNS servers in:'/etc/resolv.conf',in exchange for polluted DNS Servers
    Note:while other malware,will simply include polluted DNS servers as default servers,leaving your original entries as subsequent entries
    Note:By default,DNS client resolvers will bypass'/etc/hosts' and use servers specified in '/etc/resolv.conf'
    Note:This does NOT include applications such as web browser,will always consults the order in '/etc/nsswitch.conf'

    2.Perform Queries:
     a.dig @8.8.8.8 www.linuxcbt.com - forces DNS Client resolution off server:8.8.8.8
     b.'dig www.linuxcbt.com' - users default DNS Server prescribed in '/etc/resolv.conf'
    Suggesting:
     Internally(内部),direct DNS traffic to internal,company-managed,DNS servers,and subsequently(其次),forward unfulfilled(无法使用|处理的) requests to internet DNS server,i.e,ISP,then upstream
     Client -> Internal DNS Server(s) -> ISP Server -> Public Servers(Google 8.8.8.8|8.4.4.4) -> Root DNS Servers

    3.Example Debian APT 'sources.list' File
    'deb http://security.debian.org/ squeeze/updates main contrib'
        dig security.debian.org
    dig security.debian.org(L4) -> 149.20.20.6(L3)
    If L3 Server address is poisoned,then NEW rogue target server,COULD supply our APT framework with rogue,malicious,and|or compromised packages
    Note:Try to ensure that PROD systems have consistent '/etc/resolv.conf' files

###　User Profiles ###
Features:
    1.Ability to aggregate and present a consistent user experience across:icons,files,colors,etc
    2.Default $SHELl= BASH
Files:
    1.'/etc/bashrc,profile,profile.d,shells,skel'
     a.'/etc/profile' - system-wide $SHELL file,that configures initial environment
        echo $HISTSIZE
        echo $HISTFILESIZE
        echo $PS1
        echo $PATH
        echo $LOGNAME
        echo $USER
     b.'etc/profile.d' - contains $SHELL includes:i.e,coloration, of 'ls' output
     c.'/etc/shells' - This file dictates allowable $SHELLs
     Note:Ensure that '/etc/shells' does not contain unknown ,unidentified $SHELLs

     d.'/etc/skel' - used to provision new users

    2.'~/.bash_history' - Guard contents,because passwords,credentials may be present
    Note:Consider purging the contents of '~/.bash_history' to a facility such as '/dev/null'
    Note:consider reducing the history size to a small number:i.e,'10'

    3.'$HOME/bin' - This is a per-user executable directory,Monitor this directory for potential,rogue processes

    4.'~/.vnc' - This directory houses files associated with VNC access
     a.'xstartup' - executable file that is invoked when a new VNC/GNOME/KDE session is created
     Note:This features is akin to :Windows->startup group - It will cause applications to launch upon invocation
        netstat -ntl | grep 591
    5.'password' - ensure this file exists,if VNC is in use

### CRON ###
Features:
    1.Process automation
Example of misuse:
    1.DNS client poisoning
    2.Bad package (RPM|APT) is installed
    3.Rogue process is invoked via CRON,regularly
    4.Host becomes a member of a BotNet
Key Files:
    1.'/etc/crontab' - System Cron Tables - defines basis of operation
    2.'/etc/cron.d' - Default jobs are called,Varies by Distro,However,concepts are similar
    Note:these entries are NOT executables,however,simply included as part of larger CRON config
    Note:If you notice executable items in '/etc/cron.d',something is amiss
    3.'/usr/sbin/crond' - CROND process - checksum this
        rpm -qf 0anacron
    4.'/etc/cron.hourly' - jobs that are executable(scripts),and run hourly
    Note:Normally,CRON jobs are not binaries,if you see files that run as jobs and are represented as binaries,have a deeper look.
    5.Ensure the integrity of :'/bin/run-parts' - this utility runs N number of scripts from a directory
    rpm -qa | grep cron
    6.'/usr/bin/crontab' - checksum as well as this could submitted jobs
    7.'/var/spool/cron' - Check for unrelated user jobs - look for unresolved IDs 'ls -l /var/spool/cron'
    8.Ensure the integrity of 'crond' itself using 'rpm' i.e,'rpm -Vvf `which crond`'
    Note:Perform these checks before system enters:PROD,and during PROD.

### DNS Server Configuration ###( TODO Learn bind)
Features:
    1.Glue of the Internet
    2.L4-L3 conversions
Tasks:
    1.Explore environment
     a.'/etc/bind' - Debian
     b.'/etc/named' - && '/var/named' - CentOS | RedHat
     Note:Ensure that you have a baseline
        netstat -nump
    c.'/etc/bind/named.*' - Both OSs - Ensure zones listed are ones that you are responsible for
    2.Follow each Zone file to source file on FS and examine
        dig @localhost hostname
    3.Also run random queries occasionally to ensure the validate of DNS records
    4.Ensure that RFC-1912 && RFC-1918 zones,if defined,are accurate
    Note:ALL named.* files that are included are part of a monolithic(庞大的) configuration (1-big config),which means you are at liberty to place any zone config (descriptor) anywhere
    5.Ensure ROOT servers are accurate:'/var/named/named.ca' on RedHat derived system
    6.Ensure that you constantly look for:
        a.Unauthorized zones
        b.Changes to existing zones
        c.Invalid records,i.e,pointers to unauthorized IP addresses[4|y]
        d.Incomplete records,i.e,present IPv4 and missing IPv6 records
        e.Missing reverse entries - this causes some applications to break

###  Syslog ###
Features:
    1.Logs key system information from programs,services,daemons,kernel,etc
    2.Optionally logs information from remote,Syslog aware systems:devices | routers,switches,firewalls,etc

Explore Syslog Environment
    1.'lib/[64]/rsyslog/*' - contains modules to extends - RedHat|CentOS
    2.'/usr/lib/rsyslog/*' - Debian
    3.'/usr/sbin/rsyslogd' - Debian && '/sbin/rsyslogd' -RedHat | CentOS
    Comment Tcp || UDP listeners if NOT in use - Syslog does not offer AUTH security by default
    Note:This means,once clients have network access to the rsyslog server, they can ,if configured with appropriate facility and|or level send messages to SYSLOG
    #Hypothetical(假设) Case
        Rogue ,infected,Windows machine on-the-wire,sends considerable SYSLOG data to your rsyslog instance,For this reason,consider provision dedicated '/var' per HOST
        # Provides UDP syslog reception
        #$ModLoad imudp
        #$UDPServerRun 514

        # Provides TCP syslog reception
        #$ModLoad imtcp
        #$InputTCPServerRun 514
    rpm -ql rsyslog
    Suggesting:
        Consider restricting TCP:514 AND |OR UDP 514 via IPTables AND | OR External firewall
        iptables -l
    Ensure that you have a comprehensive list of supported Syslog:
        1.Facilitates:local,user,mail,kern,cron,auth|priv
        2.Levels:debug -> emerg
    Note:Ensure that you organizational security policy details accepted Syslog configuration,This help to mitigate(减轻) problems,nerves(紧张),anxieties(焦虑),when things go awry(错误)
    i.e,DDOS attacks generate enormous of data on a number of levels that impact *Nix systtem:
    1.NIDS Systems parsing gigabit traffic
    2.Syslog must capture requests incomming from NIDS,edge processes,and otherwise

转载于:https://my.oschina.net/8pBwdEmxK2hL/blog/261342