Linux Systems¶
About¶
Just like Windows, iOS, and Mac OS, Linux is an operating system. In fact, one of the most popular platforms on the planet, Android, is powered by the Linux operating system. An operating system is software that manages all of the hardware resources associated with your desktop or laptop. To put it simply, the operating system manages the communication between your software and your hardware. Without the operating system (OS), the software wouldn't function.
The Linux operating system comprises several different pieces:
-
Bootloader - The software that manages the boot process of your computer. For most users, this will simply be a splash screen that pops up and eventually goes away to boot into the operating system.
-
Kernel – This is the one piece of the whole that is actually called Linux. The kernel is the core of the system and manages the CPU, memory, and peripheral devices. The kernel is the lowest level of the OS.
-
Init system – This is a sub-system that bootstraps the user space and is charged with controlling daemons. One of the most widely used init systems is systemd which also happens to be one of the most controversial. It is the init system that manages the boot process, once the initial booting is handed over from the bootloader (i.e., GRUB or GRand Unified Bootloader).
-
Daemons – These are background services (printing, sound, scheduling, etc.) that either start up during boot or after you log into the desktop.
-
Graphical server – This is the sub-system that displays the graphics on your monitor. It is commonly referred to as the X server or just X.
-
Desktop environment – This is the piece that the users actually interact with. There are many desktop environments to choose from (GNOME, Cinnamon, Mate, Pantheon, Enlightenment, KDE, Xfce, etc.). Each desktop environment includes built-in applications (such as file managers, configuration tools, web browsers, and games).
-
Applications – Desktop environments do not offer the full array of apps. Just like Windows and macOS, Linux offers thousands upon thousands of high-quality software titles that can be easily found and installed. Most modern Linux distributions (more on this below) include App Store-like tools that centralize and simplify application installation. For example, Ubuntu Linux has the Ubuntu Software Center (a rebrand of GNOME Software Figure 1) which allows you to quickly search among the thousands of apps and install them from one centralized location.
Product Details¶
Vendor URL: Linux Systems
Product Type: OS
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Linux Systems - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON and Syslog
Expected Normalization Rate: 80-90%
Data Label: LINUX_OS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| acct,principal.user.userid,userId,username | principal.user.userid |
| action,desc | security_result.description |
| additional.COMMAND,command,process | target.process.command_line |
| additional.dest_process_id,pid,_ResourceId,instance_id,json_data.resource.labels.instance_id | target.process.pid |
| additional.dest.dvchost,dvc,Hostname,relayHostname | intermediary.hostname |
| additional.duser,target.user.userid,username | target.user.userid |
| additional.file_name,additional.TTY,dev | target.process.file.full_path |
| additional.PWD,process,ProcessName,name | principal.process.file.full_path |
| command,comm | principal.process.command_line |
| dstPort,targetPort | target.port |
| dvc,Hostname,relayIp | intermediary.ip |
| dvc,targetHostname,node | target.hostname |
| dvc,targetIp | target.ip |
| exe | security_result.about.process.file.full_path |
| filepath,pwd | target.file.full_path |
| json_data.labels.compute.googleapis.com/resource_name | target.resource.name |
| json_data.resource.labels.project_id | target.asset.attribute.cloud.project.id |
| json_data.resource.labels.zone | target.asset.attribute.cloud.availability_zone |
| metadata.description,action,SyslogMessage,type | metadata.description |
| metadata.product_name,eventType,ProcessName,op | metadata.product_event_type |
| outcome,hasing_algo,proto,reason | security_result.summary |
| principal.hostname,dvc,srcHostName,Computer,source | principal.hostname |
| principal.ip,dvc,srcIp,HostIP | principal.ip |
| principal.port,srcPort | principal.port |
| process | target.application |
| process | target.application |
| processId | principal.process.pid |
| protocol | network.ip_protocol |
| received_bytes | network.received_bytes |
| security_result.action | security_result.action |
| security_result.severity,log_level,SeverityLevel | security_result.severity |
| sent_bytes | network.sent_bytes |
| sessionId | network.session_id |
| targetEmail | network.email.to |
| uid | security_result.about.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all other events | GENERIC_EVENT |
| CRYPTO_SESSION,sftp-server,Connection | NETWORK_CONNECTION |
| LOGIN,USER_AUTH,USER_LOGIN,Authentication failed,Started,Starting,opened | USER_LOGIN |
| SERVICE_START | RESOURCE_CREATION,SERVICE_START |
| SERVICE_STOP | RESOURCE_DELETION,SERVICE_STOP |
| smtpd | NETWORK_CONNECTION,NETWORK_SMTP |
| systemd-logind | USER_UNCATEGORIZED |
| USER_ACCT,Starting Session | USER_UNCATEGORIZED |
| USER_LOGOUT,session closed | USER_LOGOUT |
Log Sample¶
2021-10-03T15:39:48-07:00 sysloghost systemd[1]: Started Session sessionid of user root.
Sample Parsing¶
metadata.event_timestamp = "2021-10-03T15:40:45.940124Z"
metadata.event_type = "USER_LOGIN"
metadata.product_name = "Unix OS"
metadata.ingested_timestamp = "2021-10-03T15:40:45.940124Z"
principal.process.pid = "sessionid"
principal.platform = "LINUX"
target.hostname = "sysloghost"
target.user.userid = "root"
target.process.pid = "sessionid"
target.application = "systemd"
target.asset.hostname = "sysloghost"
intermediary.hostname = "sysloghost"
security_result.description = "Started"
extensions.auth.mechanism = "USERNAME_PASSWORD"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon