leeand00's picture

Given a base Turnkey Linux Core system, what files / file permissions should be watched with auditd?


Jeremy Davis's picture

Sorry that sounds like a smart ass answer, but really that is how it is...

For the longer answer; TBH I'm not 100% sure (I've never used it). And to some degree it would depend on what you are trying to achieve.

Assuming that you want to keep an eye on things WRT someone hacking your server; then I imagine you'd want to audit anything that might be a target. Probably anything that involves configuration (/etc) but particularly SSH config (/etc/ssh/ & in your home dir too e.g. /root/.ssh/)/ Also perhaps firewall config (assuming you have enabled it)? Perhaps daemon config too: the legacy init system still uses /etc/default/ and /etc/init.d/ SystemD uses /etc/systemd/ by default. Log files may also be worth watching, although as they are constantly being written to you'd need to fine tune that to reduce the day-to-day noise.

Beyond that, anything else you have installed and/or enabled that may be targetted. Keep in mind though, the more stuff you monitor, the more noise you will probably get (making it harder to see anything that may be malicious or undesirable).

Also as TurnKey is Debian under the hood, perhaps someone with more experience with it may have posted something helpful online?

Jeremy Davis's picture

Great idea to post there, although I'm not sure if you'll get much better answers there...

As TurnKey isn't a super well known distro, it may be worth noting that it's Debian based. Actually it might be worth adding something like "If you are unfamiliar with TurnKey, assume that I am asking about a minimal headless Debian server with OpenSSH-server installed". I was going to add it as a comment but I don't have any rep on InfoSecSE.

Add new comment