Linux OS

OverviewResources

After configuring the Linux to deliver events to the Netsurion Open XDR platform, configure the alerts, dashboards, and reports in the Netsurion Open XDR platform.

Security

Alerts

Linux - A user or group has been deleted: This alert is triggered when a user or a group is removed or deleted from Linux system.
Linux - A user password has been changed or modified: This alert is triggered when password is changed for any user.
Linux - Console login failed: This alert is triggered when a user fails to successfully login into Linux system.
Linux - Sudoers configuration file has been changed or modified: This alert is triggered when someone tries to change or modify the configuration of sudoers file.

Reports

Linux - Console login failed: This report contains a detailed overview of events associated to failed login by users into Linux system. This includes, current user, parent user, event datetime, terminal and operation status.

Operations

Reports

Linux - User command execution activities: This report contains a detailed overview of commands that were executed in user shell. This includes, executed command, shell user, parent user, log datetime, and operation status.
Linux - Console login and logout activities: This report contains a detailed overview of user login and logout activities. This includes, shell user, parent user, log datetime, and operation status.
Linux - Mount and Unmount activities: This report contains a detailed overview of device/drive mount or unmount activities into Linux system. This includes, shell user, parent user, log datetime, and operation status.
Linux - Root Shell Command Execution activities: This report contains a detailed overview of commands executed in root shell. This includes, executed command, shell user, parent user, log datetime, and operation status.
Linux - Sudo commands execution activities: This report contains a detailed overview of commands executed by elevating user privilege, i.e. ‘sudo’. This includes, executed command, shell user, parent user, and log datetime.
Linux – File Monitoring: This report contains a detailed overview of activities associated with file monitoring such as, file read, file delete, file create, etc. This includes, username, event datetime, filepath, filename, status, etc.

Compliance

Reports

Linux - User Management: This report contains a detailed overview of activities performed by any user, such as, user add, user delete, user password change, etc. This includes, shell user, parent user, and log datetime, and operation status.
Linux - Group Management: This report contains a detailed overview of activities performed by any user, such as, group add, group delete, etc. This includes, shell user, parent user, and log datetime, and operation status.
Linux - Package Management: This report contains a detailed overview of activities related to software/package install, remove, or update. This includes, shell user, parent user, and log datetime, application/package name, and operation status.

Scope

The configuration details are consistent with the Netsurion Open XDR platform version 9.3 and later, and Linux (Red Hat/Cent OS version 7.0 and later, Ubuntu 18.0 and later, Oracle Linux 7.0 and later, and Amazon Linux version 2).

Documentation:

To configure the Linux to send logs to the Netsurion Open XDR platform, refer to the How-to Guide.

To configure the Data Source Integration in the Netsurion Open XDR platform, refer to the Integration guide.