
Using Ubuntu as Your Primary Operating System, Part 4 (Auditing, Antivirus & Monitoring) «Null Byte :: WonderHowTo



You've protected your Ubuntu system from physical attacks, disgruntled network hackers, and potentially malicious applications (by sandboxing them). Great! The next logical steps to lock down your operating system include thoroughly checking Ubuntu for vulnerabilities, using antivirus software that respects your privacy, and monitoring system logs like a boss.

This is the last part of our mini-series on strengthening your primary Ubuntu system. You'll learn about hardening the operating system against vulnerabilities using a recognized open-source auditing tool. Apart from that, we will check out ClamAV, an antivirus that will not send your sensitive files to corporate servers for profit. You'll also learn how to allow or deny web access for any app on your computer. And when I say "monitor system logs like a boss," I'm talking about the /var/log/ directory.

If you missed the beginning of this series, you should read the first part to learn more about my motivation for starting this four-part guide.

Step 1: Audit Your System with Lynis

Lynis, created by CISOfy, is a security auditing tool for Linux and UNIX-based operating systems that assists with system hardening, penetration testing, and compliance with information security standards like ISO 27001, HIPAA, and PCI DSS. While Lynis is designed for businesses and organizations, it can be used to test ordinary Ubuntu installations with a high degree of detail and expertise.

Download Lynis

Lynis is available on GitHub and can be downloaded with wget using the command sudo wget 'https://github.com/CISOfy/lynis/archive/master.zip', as seen here:

  sudo wget 'https://github.com/CISOfy/lynis/archive/master.zip'

---- https://github.com/CISOfy/lynis/archive/master.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/CISOfy/lynis/zip/master [following]
---- https://codeload.github.com/CISOfy/lynis/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.120
Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345734 (338K) [application/zip]
Saving to: 'master.zip'

master.zip          100%[===================================================================>] 337.63K   237KB/s    in 1.4s

(237 KB/s) - 'master.zip' saved [345734/345734]

I use sudo for the following Lynis commands, since the tool and its directories require privileged access to certain parts of the Ubuntu operating system to audit everything properly. Normally, it is not safe to store and use binaries and applications this way, but we will delete Lynis immediately after use.

Unzip the Download

Unpack the downloaded Lynis ZIP archive with sudo unzip master.zip:

  sudo unzip master.zip


Then change (cd) into the newly created lynis-master/ directory:

  cd lynis-master

The Lynis binary should already have permission to execute on your computer; if it does not, use the command sudo chmod +x lynis:

  sudo chmod +x lynis

Running Lynis

To test Lynis and view the available options, use the help command (-h), i.e., sudo ./lynis -h.

  sudo ./lynis -h

[ Lynis 2.6.5 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2018, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program
------------------------------------

  Usage: lynis command [options]

  Command:

    audit
        audit system                  : Perform local security scan
        audit system remote <host>    : Remote security scan
        audit dockerfile <file>       : Analyze Dockerfile

    show
        show                          : Show all commands
        show version                  : Show Lynis version
        show help                     : Show help

    update
        update info                   : Show update details

  Options:

    --no-log                          : Don't create a log file
    --pentest                         : Non-privileged scan (useful for pentest)
    --profile <profile>               : Scan the system with the given profile file
    --quick (-Q)                      : Quick mode, don't wait for user input

    Layout options
    --no-colors                       : Don't use colors in output
    --quiet (-q)                      : No output
    --reverse-colors                  : Optimize color display for light backgrounds

    Misc options
    --debug                           : Debug logging to screen
    --view-manpage (--man)            : View man page
    --verbose                         : Show more details on screen
    --version (-V)                    : Display version number and quit

    Enterprise options
    --plugindir <path>                : Define path of available plugins
    --upload                          : Upload data to central node

  More options available. Run './lynis show options', or use the man page.

To begin auditing the operating system, use the audit system command, i.e., sudo ./lynis audit system:

  sudo ./lynis audit system

[ Lynis 2.6.5 ]

[+] Initializing program
------------------------------------
  - Detecting OS... [ DONE ]
  - Checking profiles... [ DONE ]

  ---------------------------------------------------
  Program version:           2.6.5
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  18.04
  Kernel version:            4.15.0
  Hardware platform:         x86_64
  Hostname:                  nullbyte
  ---------------------------------------------------
  Profiles:                  /home/tokyoneon/Desktop/lynis-master/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          ./plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status... [ UNKNOWN ]

================================================================================

  -[ Lynis 2.6.5 Results ]-

  Great, no warnings

  Suggestions (25):
  ----------------------------
* Specify a password for the GRUB boot loader to prevent a boot configuration change (for example, single-user mode boot without password) [BOOT-5122]
https://cisofy.com/controls/BOOT-5122/

* Install a PAM module to test password strength like pam_cracklib or pam_passwdqc [AUTH-9262]
https://cisofy.com/controls/AUTH-9262/

* Configure password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/

* Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/

* Default umask in /etc/login.defs might be stricter than 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/

* To reduce the impact of a full /home file system, place /home on a separate partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/

* To reduce the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/

* To reduce the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/

* Disable drivers such as USB memory when not in use to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/controls/STRG-1840/

* Check the DNS configuration for the DNS domain name [NAME-4028]
https://cisofy.com/controls/NAME-4028/

* Install Debsums utility for checking packages with known good database. [PKGS-7370]
https://cisofy.com/controls/PKGS-7370/

* Install package apt-show-versions for patch management purposes [PKGS-7394]
https://cisofy.com/controls/PKGS-7394/

* Consider running ARP monitoring software (arpwatch, arpon) [NETW-3032]
https://cisofy.com/controls/NETW-3032/

* Check iptables rules to see which rules are currently unused [FIRE-4513]
https://cisofy.com/controls/FIRE-4513/

* Check which deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/controls/LOGG-2190/

* Add a legal banner to /etc/issue to warn unauthorized users [BANN-7126]
https://cisofy.com/controls/BANN-7126/

* Add legal banner to /etc/issue.net to warn unauthorized users [BANN-7130]
https://cisofy.com/controls/BANN-7130/

* Enable process accounting [ACCT-9622]
https://cisofy.com/controls/ACCT-9622/

* Enable sysstat to record the accounting (no results) [ACCT-9626]
https://cisofy.com/controls/ACCT-9626/

* Enable auditd to gather monitoring information [ACCT-9628]
https://cisofy.com/controls/ACCT-9628/

* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/controls/FINT-4350/

* Determine if automation tools are available for system management [TOOL-5002]
https://cisofy.com/controls/TOOL-5002/

* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution: Change sysctl value or disable test (skip-test=KRNL-6000: )
https://cisofy.com/controls/KRNL-6000/

* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/controls/HRDN-7222/

* Harden the system by installing at least one malware scanner to perform periodic file system scans [HRDN-7230]
- Solution: Install a tool like rkhunter, chkrootkit, OSSEC
https://cisofy.com/controls/HRDN-7230/

================================================================================

  Lynis security scan details:

  Hardening index : 67 [#############       ]
  Tests performed : 223
  Plugins enabled : 2

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

I think that's one of Lynis' biggest strengths. It provides some helpful starting points for users interested in hardening their system. For example, Lynis recommends that we "harden" the system by installing at least one malware scanner. This can easily be resolved by following the next step in this guide and installing antivirus software.
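To track the audit result between runs, here is an added example (not part of the original article or of Lynis itself) that reads the report file Lynis writes to /var/log/lynis-report.dat and checks the hardening index against a target; the key=value layout of that file and the embedded sample report are assumptions modelled on the scan above.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the report file that
# "lynis audit system" writes to /var/log/lynis-report.dat, so the hardening
# index and the open suggestions can be tracked between audits (e.g. from cron).
# Assumed layout of the report (key=value lines; array keys end in []):
#   hardening_index=67
#   suggestion[]=TEST-ID|suggestion text|details|solution|
# The report below is a constructed sample modelled on the scan output above.

SAMPLE_REPORT='report_version_major=1
report_version_minor=0
hostname=nullbyte
os_version=18.04
hardening_index=67
tests_executed=223
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner|Install a tool like rkhunter, chkrootkit, OSSEC|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|'

# report_value REPORT KEY: print the value of a scalar key (empty if absent).
report_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# report_count REPORT KEY: number of entries of an array key (suggestion, warning).
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
report_count() {
    printf '%s\n' "$1" | grep -c "^$2\[\]=" || true
}

# report_ids REPORT KEY: the test IDs (first |-separated field) of an array key,
# one per line, in report order.
report_ids() {
    printf '%s\n' "$1" | sed -n "s/^$2\[\]=\([A-Z]*-[0-9]*\)|.*/\1/p"
}

# check_hardening REPORT MINIMUM: succeed only if the report carries a
# hardening_index and it is at least MINIMUM. A missing index (truncated or
# failed audit) is treated as a failure rather than as "good enough".
check_hardening() {
    idx=$(report_value "$1" hardening_index)
    [ -n "$idx" ] && [ "$idx" -ge "$2" ]
}

# Summarise a real report if a readable path is given, else the sample above.
# Usage: sh lynis-summary.sh /var/log/lynis-report.dat
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    REPORT=$(cat "$1")
else
    REPORT=$SAMPLE_REPORT
fi
printf 'Host: %s (hardening index %s, %s tests)\n' \
    "$(report_value "$REPORT" hostname)" \
    "$(report_value "$REPORT" hardening_index)" \
    "$(report_value "$REPORT" tests_executed)"
printf 'Warnings: %s  Suggestions: %s\n' \
    "$(report_count "$REPORT" warning)" "$(report_count "$REPORT" suggestion)"
printf 'Open suggestion IDs: %s\n' "$(report_ids "$REPORT" suggestion | tr '\n' ' ')"
if check_hardening "$REPORT" 70; then
    echo "Hardening index meets the target of 70"
else
    echo "Hardening index below the target of 70; review the suggestions"
fi
```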

Removing Lynis Upon Completion

Once you have fully audited your Ubuntu installation, you can remove Lynis using the following rm commands:

  sudo rm -rf /path/to/lynis-master/
sudo rm -rf /path/to/master.zip

Step 2: Malware Protection with ClamAV

ClamAV is an open-source antivirus engine that works in a variety of situations such as email scanning, web scanning, and endpoint security. It offers a number of features that Ubuntu users appreciate:

  • Command line scanner. This allows users to quickly scan files downloaded from the internet from a terminal window.
  • Advanced database updater. The ClamAV virus database is updated several times a day, with support for scripted updates and digital signatures.
  • Support for many archive formats. The ClamAV scanner can safely analyze Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, and other file formats.
  • Support for common document formats. MS Office, MacOffice, HTML, Flash, RTF, and PDF.

Unlike Avast, a well-known antivirus company that regularly exports personal user documents to Avast servers, ClamAV locally scans file systems for malware signatures. That's really all it does. It offers no bulletproof protection against advanced attacks, but only common malware signatures found in the wild.

It is said that Linux operating systems do not need antivirus software. I largely agree with this statement. However, ClamAV is an excellent open source project and could provide some comfort to users who prefer to know that their operating system is being checked for malware several times a day.

Install ClamAV

ClamAV is in the Ubuntu repositories and can be installed with the command sudo apt-get install clamav .

  sudo apt-get install clamav

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  menu
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  clamav-base clamav-freshclam libclamav7 libllvm3.9 libmspack0 libtfm1
Recommended packages:
  clamav-docs libclamunrar7
The following NEW packages will be installed:
  clamav clamav-base clamav-freshclam libclamav7 libllvm3.9 libmspack0 libtfm1
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.5 MB of archives.
After this operation, 50.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Scan Directories with ClamAV

The ClamAV databases are updated when the package is installed, and several times a day thereafter. The command clamscan --help displays the scanner's available options.

  clamscan --help

                       Clam AntiVirus Scanner 0.99.4
           By The ClamAV Team: http://www.clamav.net/about.html#credits
           (C) 2007-2018 Cisco Systems, Inc.

    --help                -h             Print this help screen
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load
                                         all supported db files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
    --phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)
    --phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)
    --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.
    --algorithmic-detection[=yes(*)/no]  Algorithmic detection
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files
    --scan-hwp3[=yes(*)/no]              Scan HWP3 files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --detect-broken[=yes/no(*)]          Try to detect broken executable files
    --block-encrypted[=yes/no(*)]        Block encrypted archives
    --block-macros[=yes/no(*)]           Block OLE2 files with VBA macros
    --nocerts                            Disable authenticode certificate chain verification in PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-filesize=#n                    Files larger than this will be skipped and assumed clean
    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
    --max-files=#n                       The maximum number of files to scan for each container file (**)
    --max-recursion=#n                   Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze
    --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
    --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
    --max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing function
    --pcre-match-limit=#n                Maximum calls to the PCRE match function.
    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.
    --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.
    --enable-stats                       Enable statistical reporting of malware
    --disable-pe-stats                   Disable submission of individual PE sections in stats submissions
    --stats-timeout=#n                   Number of seconds to wait for waiting for a response back from the stats server
    --stats-host-id=UUID                 Set the Host ID used when submitting statistical info.
    --disable-cache                      Disable caching and cache checks for hash sums of scanned files.

Use the following command to scan each file and directory:

  sudo clamscan -r / --log=/tmp/clamav_report.log

This is the scanner command in its simplest form. Clamscan recursively (-r) scans everything (/) and stores the scan report (--log) in the /tmp directory. Such a scan can take several hours when there are terabytes of data. It is recommended to start such scans overnight and review the results in the morning.

Malware Detections

As a quick demo for this article, I downloaded a GitHub malware repository and ran clamscan against the malware directory:

  sudo clamscan -ir malware-master/

malware-master/Zeus/Edition/Builder/Bot.exe.txt: Win.Spyware.Zbot-1275 FOUND
malware-master/Zeus/Edition/Builder/zsb.exe: Win.Trojan.Zbot-62846 FOUND
malware-master/Zeus/Edition/Server/zsbcs.exe: Win.Trojan.Botnet-6 FOUND
malware-master/Zeus/Output/Client32.bin: Win.Spyware.Zbot-1275 FOUND
malware-master/Alina/Panel/Gate1.php: Php.Malware.ProPOS-2 FOUND
malware-master/mirai/loader/bins/dlr.mpsl: Unix.Malware.Agent-1753181 FOUND
malware-master/mirai/loader/bins/dlr.spc: Unix.Malware.Agent-1753190 FOUND
malware-master/mirai/loader/bins/dlr.arm7: Unix.Malware.Agent-1753196 FOUND
malware-master/mirai/loader/bins/dlr.x86: Unix.Malware.Agent-1753191 FOUND
malware-master/mirai/loader/bins/dlr.sh4: Unix.Malware.Agent-1753186 FOUND
malware-master/mirai/loader/bins/dlr.ppc: Unix.Malware.Agent-1753179 FOUND
malware-master/mirai/loader/bins/dlr.arm: Unix.Malware.Agent-1768364 FOUND
malware-master/mirai/loader/bins/dlr.m68k: Unix.Malware.Agent-1753197 FOUND
malware-master/mirai/loader/bins/dlr.mips: Unix.Malware.Agent-1753182 FOUND
malware-master/mirai/dlr/release/dlr.mpsl: Unix.Malware.Agent-1753187 FOUND
malware-master/mirai/dlr/release/dlr.spc: Unix.Malware.Agent-1753199 FOUND
malware-master/mirai/dlr/release/dlr.arm7: Unix.Malware.Agent-1753512 FOUND
malware-master/mirai/dlr/release/dlr.sh4: Unix.Malware.Agent-1753174 FOUND
malware-master/mirai/dlr/release/dlr.ppc: Unix.Malware.Agent-1753492 FOUND
malware-master/mirai/dlr/release/dlr.arm: Unix.Malware.Agent-1753516 FOUND
malware-master/mirai/dlr/release/dlr.m68k: Unix.Malware.Agent-1753177 FOUND
malware-master/mirai/dlr/release/dlr.mips: Unix.Malware.Agent-1753194 FOUND
malware-master/Grum/Builder+bin/out.exe: Win.Trojan.Vilsel-2129 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6556187
Engine version: 0.99.4
Scanned directories: 1594
Scanned files: 17195
Infected files: 23
Data scanned: 366.88 MB
Data read: 294.26 MB (ratio 1.25:1)
Time: 71.994 sec (1 m 11 s)

In my example command, I included the -i argument, which instructs clamscan to print only the files it detects as infected. We can see that 17,195 files were scanned, 23 infections were detected, and the process took 71 seconds.
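As an added example (not from the original article or from ClamAV), the following script triages the report file written by the --log option so that an overnight scan can be checked in the morning, and refuses to call a truncated or self-contradicting log "clean"; the log text embedded in it is a constructed sample in the format shown above.

```shell
#!/bin/sh
# Added example, not from the original article: triage the report written by
#   sudo clamscan -r / --log=/tmp/clamav_report.log
# the morning after an overnight scan. It lists what was detected and checks
# that the log is complete and self-consistent before trusting a "clean" result.
# The report below is a constructed sample in the format clamscan prints above.

SAMPLE_LOG='/home/user/malware-master/Zeus/Builder/zsb.exe: Win.Trojan.Zbot-62846 FOUND
/home/user/malware-master/mirai/loader/bins/dlr.x86: Unix.Malware.Agent-1753191 FOUND
/home/user/Documents/notes.txt: OK
/home/user/Documents/empty.bin: Empty file
/home/user/malware-master/mirai/loader/bins/dlr.arm: Unix.Malware.Agent-1768364 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6556187
Engine version: 0.99.4
Scanned directories: 3
Scanned files: 5
Infected files: 3
Data scanned: 1.20 MB
Data read: 1.10 MB (ratio 1.09:1)
Time: 0.512 sec (0 m 0 s)'

# infected_paths LOG: the path of every "path: Signature FOUND" line.
infected_paths() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p'
}

# signatures LOG: distinct signature names that fired, sorted.
signatures() {
    printf '%s\n' "$1" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sort -u
}

# summary_field LOG NAME: value of a "NAME: value" line from the scan summary.
summary_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# scan_verdict LOG: print one word and return
#   0 "clean"        no detections and the summary agrees,
#   1 "infected"     at least one FOUND line,
#   2 "incomplete"   no SCAN SUMMARY (scan aborted or log truncated),
#   2 "inconsistent" FOUND lines and "Infected files:" disagree.
scan_verdict() {
    # grep -c exits 1 when the count is 0, hence the "|| true".
    n_found=$(infected_paths "$1" | grep -c . || true)
    n_summary=$(summary_field "$1" "Infected files")
    if [ -z "$n_summary" ]; then
        echo incomplete; return 2
    fi
    if [ "$n_found" -ne "$n_summary" ]; then
        echo inconsistent; return 2
    fi
    if [ "$n_summary" -eq 0 ]; then
        echo clean; return 0
    fi
    echo infected; return 1
}

# Report on a real log if a readable path is given, otherwise on the sample.
# Usage: sh clam-triage.sh /tmp/clamav_report.log
if [ -n "${1:-}" ] && [ -r "$1" ]; then LOG=$(cat "$1"); else LOG=$SAMPLE_LOG; fi
verdict=$(scan_verdict "$LOG" || true)
echo "Verdict: $verdict ($(summary_field "$LOG" "Scanned files") files scanned in $(summary_field "$LOG" Time))"
if [ "$verdict" = infected ]; then
    echo "Signatures:"; signatures "$LOG" | sed 's/^/  /'
    echo "Files:"; infected_paths "$LOG" | sed 's/^/  /'
fi
```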

For more information about ClamAV, see the official documentation.

Step 3: Monitoring Internet Access for Applications Using OpenSnitch

OpenSnitch is a Linux port of the popular macOS application firewall Little Snitch. OpenSnitch gives users a few seconds to allow or deny connections as they happen. Below is an example of an OpenSnitch prompt.

The OpenSnitch network statistics interface provides an overview of all previously allowed and denied connections.

Unfortunately, that is all the interface has to offer at the moment. Later versions of OpenSnitch will undoubtedly include more features and more control over how this information is managed. Although OpenSnitch is still very much in its infancy, I decided to include it in this article. Windows 10 users who are more familiar with graphical (GUI) applications may find OpenSnitch useful for monitoring traffic originating from installed applications.

Enthusiasts interested in raw, unfiltered packet analysis can use Tshark to monitor traffic.

Installing Dependencies

Use the following command to install the dependencies required to run OpenSnitch.

 sudo apt-get install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3-pip golang git go-dep

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  dh-python golang-1.10 golang-1.10-doc golang-1.10-go golang-1.10-race-detector-runtime golang-1.10-src golang-doc golang-go
  golang-race-detector-runtime golang-src libexpat1-dev libnetfilter-queue1 libnfnetlink-dev libpcap0.8-dev libprotoc10 libpython3-dev
  libpython3.6-dev pkg-config python-pip-whl python3-dev python3-distutils python3-lib2to3 python3-setuptools python3-wheel python3.6-dev
Recommended packages:
  bzr git mercurial subversion python-setuptools-doc
The following NEW packages will be installed:
  dh-python golang golang-1.10 golang-1.10-doc golang-1.10-go golang-1.10-race-detector-runtime golang-1.10-src golang-doc golang-go
  golang-race-detector-runtime golang-src libexpat1-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libpcap-dev libpcap0.8-dev
  libprotoc10 libpython3-dev libpython3.6-dev pkg-config protobuf-compiler python-pip-whl python3-dev python3-distutils python3-lib2to3 python3-pip
  python3-setuptools python3-wheel python3.6-dev
0 upgraded, 30 newly installed, 0 to remove and 0 not upgraded.
Need to get 52.1 MB of archives.
After this operation, 280 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Use go get to download the Protocol Buffers Go plugin (protoc-gen-go). This command produces no output in the terminal.

go get github.com/golang/protobuf/protoc-gen-go

Then, use Python3's pip to install the gRPC tools and other dependencies.

python3 -m pip install --user grpcio-tools

Collecting grpcio-tools
  Downloading https://files.pythonhosted.org/packages/fb/8f/fc0c7cf8a5ed2aea405afb8712ea4181bbcf9510d731b7cd929427916f97/grpcio_tools-1.12.1-cp36-cp36m-manylinux1_x86_64.whl (22.2MB)
    100% |████████████████████████████████| 22.2MB 53kB/s
Collecting grpcio>=1.12.1 (from grpcio-tools)
  Downloading https://files.pythonhosted.org/packages/1f/ea/664c589ec41b9e9ac6e20cc1fe9016f3913332d0dc5498a5d7771e2835af/grpcio-1.12.1-cp36-cp36m-manylinux1_x86_64.whl (9.0MB)
    100% |████████████████████████████████| 9.0MB 133kB/s
Collecting protobuf>=3.5.0.post1 (from grpcio-tools)
  Downloading https://files.pythonhosted.org/packages/fc/f0/db040681187496d10ac50ad167a8fd5f953d115b16a7085e19193a6abfd2/protobuf-3.6.0-cp36-cp36m-manylinux1_x86_64.whl (7.1MB)
    100% |████████████████████████████████| 7.1MB 136kB/s
Collecting six>=1.5.2 (from grpcio>=1.12.1->grpcio-tools)
  Downloading https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting setuptools (from protobuf>=3.5.0.post1->grpcio-tools)
  Downloading https://files.pythonhosted.org/packages/7f/e1/820d941153923aac1d49d7fc37e17b6e73bfbd2904959fffbad77900cf92/setuptools-39.2.0-py2.py3-none-any.whl (567kB)
    100% |████████████████████████████████| 573kB 419kB/s
Installing collected packages: six, grpcio, setuptools, protobuf, grpcio-tools
Successfully installed grpcio-1.12.1 grpcio-tools-1.12.1 protobuf-3.6.0 setuptools-39.2.0 six-1.11.0

Use go get github.com/evilsocket/opensnitch to clone the OpenSnitch GitHub repository. The "no Go files" message that follows is expected: the repository root contains no Go package, but the source tree has still been downloaded to ~/go/src/github.com/evilsocket/opensnitch.

go get github.com/evilsocket/opensnitch

package github.com/evilsocket/opensnitch: no Go files in /home/tokyoneon/go/src/github.com/evilsocket/opensnitch

Set GOPATH persistently by appending it to ~/.bashrc with the command below. This lets future terminal sessions know where Go binaries and projects are stored.

echo 'export GOPATH=$HOME/go' >> ~/.bashrc

Then use the source command to load the new GOPATH into the current shell, so the build commands that follow can find the Go workspace without opening a new terminal.

source ~/.bashrc

Configuring & Installing OpenSnitch

From the cloned source tree (~/go/src/github.com/evilsocket/opensnitch, as the output below shows), run make, a utility that will automatically determine which pieces of OpenSnitch need to be recompiled.

make

make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/proto'
python3 -m grpc_tools.protoc -I. --python_out=../ui/opensnitch/ --grpc_python_out=../ui/opensnitch/ ui.proto
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/proto'
make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/daemon'
dep: WARNING: Unknown field in manifest: prune
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/daemon'
make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/ui'
The directory '/home/tokyoneon/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/tokyoneon/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting grpcio==1.0.0 (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/ba/f7/2138b9148b2d68431ebb05d4871e2fc60deacb4ee282384171083b522823/grpcio-1.0.0.tar.gz (5.3MB)
    100% |████████████████████████████████| 5.3MB 181kB/s
Collecting grpcio-tools==1.10.1 (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/f0/f4/1e5a56b1c0ec2d802113c7f793fcb40ba4e9387b073c310e27ef8653b441/grpcio_tools-1.10.1-cp36-cp36m-manylinux1_x86_64.whl (22.2MB)
    100% |████████████████████████████████| 22.2MB 55kB/s
Collecting pyinotify==0.9.6 (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/e3/c0/fd5b18dde17c1249658521f69598f3252f11d9d7a980c5be8619970646e1/pyinotify-0.9.6.tar.gz (60kB)
    100% |████████████████████████████████| 61kB 81kB/s
Collecting unicode_slugify==0.1.3 (from -r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/8c/ba/1a05f61c7fd72df85ae4dc1c7967a3e5a4b6c61f016e794bc7f09b2597c0/unicode-slugify-0.1.3.tar.gz
Collecting pyqt5==5.10.1 (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/e4/15/4e2e49f64884edbab6f833c6fd3add24d7938f2429aec1f2883e645d4d8f/PyQt5-5.10.1-5.10.1-cp35.cp36.cp37.cp38-abi3-manylinux1_x86_64.whl (107.8MB)
    100% |████████████████████████████████| 107.8MB 13kB/s
Collecting configparser==3.5.0 (from -r requirements.txt (line 6))
  Downloading https://files.pythonhosted.org/packages/7c/69/c2ce7e91c89dc073eb1aa74c0621c3eefbffe8216b3f9af9d3885265c01c/configparser-3.5.0.tar.gz
Requirement already satisfied: six>=1.5.2 in /home/tokyoneon/.local/lib/python3.6/site-packages (from grpcio==1.0.0->-r requirements.txt (line 1))
Collecting enum34>=1.0.4 (from grpcio==1.0.0->-r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/af/42/cb9355df32c69b553e72a2e28daee25d1611d2c0d9c272aa1d34204205b2/enum34-1.1.6-py3-none-any.whl
Collecting futures>=2.2.0 (from grpcio==1.0.0->-r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/cc/26/b61e3a4eb50653e8a7339d84eeaa46d1e93b92951978873c220ae64d0733/futures-3.1.1.tar.gz
Requirement already satisfied: protobuf>=3.0.0 in /home/tokyoneon/.local/lib/python3.6/site-packages (from grpcio==1.0.0->-r requirements.txt (line 1))
Collecting unidecode (from unicode_slugify==0.1.3->-r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/59/ef/67085e30e8bbcdd76e2f0a4ad8151c13a2c5bce77c85f8cad6e1f16fb141/Unidecode-1.0.22-py2.py3-none-any.whl (235kB)
    100% |████████████████████████████████| 235kB 142kB/s
Collecting sip<4.20,>=4.19.4 (from pyqt5==5.10.1->-r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/8a/ea/d317ce5696dda4df7c156cd60447cda22833b38106c98250eae1451f03ec/sip-4.19.8-cp36-cp36m-manylinux1_x86_64.whl (66kB)
    100% |████████████████████████████████| 71kB 80kB/s
Requirement already satisfied: setuptools in /home/tokyoneon/.local/lib/python3.6/site-packages (from protobuf>=3.0.0->grpcio==1.0.0->-r requirements.txt (line 1))
Installing collected packages: enum34, futures, grpcio, grpcio-tools, pyinotify, unidecode, unicode-slugify, sip, pyqt5, configparser
  Running setup.py install for futures ... done
  Found existing installation: grpcio 1.12.1
    Uninstalling grpcio-1.12.1:
      Successfully uninstalled grpcio-1.12.1
  Running setup.py install for grpcio ... done
  Found existing installation: grpcio-tools 1.12.1
    Uninstalling grpcio-tools-1.12.1:
      Successfully uninstalled grpcio-tools-1.12.1
  Running setup.py install for pyinotify ... done
  Running setup.py install for unicode-slugify ... done
  Running setup.py install for configparser ... done
Successfully installed configparser-3.5.0 enum34-1.1.6 futures-3.1.1 grpcio-1.0.0 grpcio-tools-1.10.1 pyinotify-0.9.6 pyqt5-5.10.1 sip-4.19.8 unicode-slugify-0.1.3 unidecode-1.0.22
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/ui'

Use the make install command with sudo to complete the installation.

sudo make install

make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/daemon'
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/daemon'
make[1]: Entering directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/ui'
The directory '/home/tokyoneon/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/tokyoneon/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing /home/tokyoneon/go/src/github.com/evilsocket/opensnitch/ui
Installing collected packages: opensnitch-ui
  Running setup.py install for opensnitch-ui ... done
Successfully installed opensnitch-ui-1.0.0b0
make[1]: Leaving directory '/home/tokyoneon/go/src/github.com/evilsocket/opensnitch/ui'

Starting OpenSnitch at Boot

To start OpenSnitch with every boot, use the systemctl command with the enable argument.

sudo systemctl enable opensnitchd

Created symlink /etc/systemd/system/multi-user.target.wants/opensnitchd.service → /etc/systemd/system/opensnitchd.service.

Reboot for the changes to take effect. OpenSnitch can be found in the icon tray. Click the "Statistics" button to bring up the user interface.

As applications attempt to access the internet, OpenSnitch will prompt you with the ability to allow or deny the activity.

Step 4: Regularly Monitor System Logs

Linux log files are stored in the /var/log/ directory. These files monitor system activity, background daemons, kernel messages, application and server logs, authentication logs, firewall logs, AppArmor logs, and much more.

To monitor logs in real time, use the find /var/log/ -type f \( -name "*.log" \) -exec tail -f {} + command. Most files under /var/log are readable only by root or members of the adm group, so run it with sudo if tail reports permission errors for some files.

find /var/log/ -type f \( -name "*.log" \) -exec tail -f {} +

==> /var/log/ufw.log <==
kernel: [ 3488.126537] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14998 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3489.152073] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14999 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3491.168057] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15000 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3495.392064] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15001 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3503.584187] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15002 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3519.712123] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15003 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 4201.573248] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=91.189.91.157 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=17312 DF PROTO=UDP SPT=43425 DPT=123 LEN=56

==> /var/log/kern.log <==
kernel: [ 3488.126537] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14998 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3489.152073] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14999 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3491.168057] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15000 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3495.392064] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15001 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3503.584187] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15002 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3519.712123] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15003 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 4201.573248] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=91.189.91.157 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=17312 DF PROTO=UDP SPT=43425 DPT=123 LEN=56

==> /var/log/alternatives.log <==
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/identify-im6 identify-im6 /usr/bin/identify-im6.q16 10000 --slave /usr/share/man/man1/identify-im6.1.gz identify-im6.1.gz /usr/share/man/man1/identify-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/stream stream /usr/bin/stream-im6.q16 10000 --slave /usr/share/man/man1/stream.1.gz stream.1.gz /usr/share/man/man1/stream-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/stream-im6 stream-im6 /usr/bin/stream-im6.q16 10000 --slave /usr/share/man/man1/stream-im6.1.gz stream-im6.1.gz /usr/share/man/man1/stream-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/display display /usr/bin/display-im6.q16 10000 --slave /usr/share/man/man1/display.1.gz display.1.gz /usr/share/man/man1/display-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/display-im6 display-im6 /usr/bin/display-im6.q16 10000 --slave /usr/share/man/man1/display-im6.1.gz display-im6.1.gz /usr/share/man/man1/display-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/montage montage /usr/bin/montage-im6.q16 10000 --slave /usr/share/man/man1/montage.1.gz montage.1.gz /usr/share/man/man1/montage-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/montage-im6 montage-im6 /usr/bin/montage-im6.q16 10000 --slave /usr/share/man/man1/montage-im6.1.gz montage-im6.1.gz /usr/share/man/man1/montage-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/mogrify mogrify /usr/bin/mogrify-im6.q16 10000 --slave /usr/share/man/man1/mogrify.1.gz mogrify.1.gz /usr/share/man/man1/mogrify-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:54: run with --install /usr/bin/mogrify-im6 mogrify-im6 /usr/bin/mogrify-im6.q16 10000 --slave /usr/share/man/man1/mogrify-im6.1.gz mogrify-im6.1.gz /usr/share/man/man1/mogrify-im6.q16.1.gz
update-alternatives 2018-06-26 21:01:55: run with --install /usr/bin/x-terminal-emulator x-terminal-emulator /usr/bin/gnome-terminal.wrapper 40 --slave /usr/share/man/man1/x-terminal-emulator.1.gz x-terminal-emulator.1.gz /usr/share/man/man1/gnome-terminal.1.gz

==> /var/log/installer/casper.log <==
This disc is called:
'Ubuntu 18.04 LTS _Bionic Beaver_ - Release amd64 (20180426)'
Copying package lists...gpgv: Signature made Thu Apr 26 18:43:31 2018 UTC
gpgv:                using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) "
Reading Package Indexes... Done
Writing new source list
Source list entries for this disc are:
deb cdrom:[Ubuntu 18.04 LTS _Bionic Beaver_ - Release amd64 (20180426)]/ bionic main restricted
Repeat this process for the rest of the CDs in your set.

==> /var/log/fontconfig.log <==
/usr/share/fonts/truetype/sinhala: skipping, existing cache is valid: 1 fonts, 0 dirs
/usr/share/fonts/truetype/tibetan-machine: skipping, existing cache is valid: 1 fonts, 0 dirs
/usr/share/fonts/truetype/tlwg: skipping, existing cache is valid: 58 fonts, 0 dirs
/usr/share/fonts/truetype/ttf-khmeros-core: skipping, existing cache is valid: 2 fonts, 0 dirs
/usr/share/fonts/truetype/ubuntu: skipping, existing cache is valid: 13 fonts, 0 dirs
/usr/share/fonts/type1: skipping, existing cache is valid: 0 fonts, 1 dirs
/usr/share/fonts/type1/gsfonts: skipping, existing cache is valid: 35 fonts, 0 dirs
/usr/local/share/fonts: skipping, existing cache is valid: 0 fonts, 0 dirs
/var/cache/fontconfig: cleaning cache directory
fc-cache: succeeded

==> /var/log/dpkg.log <==
2018-06-27 00:17:36 status installed apparmor-profiles:all 2.12-4ubuntu5
2018-06-27 00:17:36 trigproc man-db:amd64 2.8.3-2 
2018-06-27 00:17:36 status half-configured man-db:amd64 2.8.3-2
2018-06-27 00:17:38 status installed man-db:amd64 2.8.3-2
2018-06-27 00:17:38 configure apparmor-utils:amd64 2.12-4ubuntu5 
2018-06-27 00:17:38 status unpacked apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status unpacked apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status unpacked apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status half-configured apparmor-utils:amd64 2.12-4ubuntu5
2018-06-27 00:17:38 status installed apparmor-utils:amd64 2.12-4ubuntu5

==> /var/log/unattended-upgrades/unattended-upgrades-shutdown.log <==

==> /var/log/boot.log <==
/dev/mapper/ubuntu--vg-root: clean, 164324/10379264 files, 1928530/41497600 blocks
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "ubuntu-vg" not found
  Cannot process volume group ubuntu-vg
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Reading all physical volumes.  This may take a while...
  Found volume group "ubuntu-vg" using metadata type lvm2
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  2 logical volume(s) in volume group "ubuntu-vg" now active
/dev/mapper/ubuntu--vg-root: clean, 164321/10379264 files, 1928587/41497600 blocks

==> /var/log/apt/term.log <==
Unpacking apparmor-utils (2.12-4ubuntu5) ...
Selecting previously unselected package apparmor-profiles.
Preparing to unpack .../apparmor-profiles_2.12-4ubuntu5_all.deb ...
Unpacking apparmor-profiles (2.12-4ubuntu5) ...
Setting up python3-libapparmor (2.12-4ubuntu5) ...
Setting up python3-apparmor (2.12-4ubuntu5) ...
Setting up apparmor-profiles (2.12-4ubuntu5) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up apparmor-utils (2.12-4ubuntu5) ...
Log ended: 2018-06-27  00:17:38

==> /var/log/apt/history.log <==
Commandline: apt-get remove apparmor-profiles
Requested-By: tokyoneon (1000)
Remove: apparmor-profiles:amd64 (2.12-4ubuntu5)

Commandline: apt-get install apparmor-profiles apparmor-utils
Requested-By: tokyoneon (1000)
Install: python3-libapparmor:amd64 (2.12-4ubuntu5, automatic), apparmor-profiles:amd64 (2.12-4ubuntu5), python3-apparmor:amd64 (2.12-4ubuntu5, automatic), apparmor-utils:amd64 (2.12-4ubuntu5)

==> /var/log/gpu-manager.log <==
Skipping "/dev/dri/card0", driven by "vboxvideo"
Skipping "/dev/dri/card0", driven by "vboxvideo"
Does it require offloading? no
last cards number = 1
Has amd? no
Has intel? no
Has nvidia? no
How many cards? 1
Has the system changed? No
Single card detected

==> /var/log/auth.log <==
CRON[7210]: pam_unix(cron:session): session closed for user root
sudo: pam_unix(sudo:auth): conversation failed
sudo: pam_unix(sudo:auth): auth could not identify password for [tokyoneon]
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/su
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
su[7307]: Successful su for root by root
su[7307]: + /dev/pts/3 root:root
su[7307]: pam_unix(su:session): session opened for user root by (uid=0)
systemd-logind[859]: Existing logind session ID 2 used by new audit session, ignoring
systemd-logind[859]: New session c3 of user root.

==> /var/log/bootstrap.log <==
update-initramfs: deferring update (trigger activated)
Setting up ubuntu-minimal (1.417) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for systemd (237-3ubuntu10) ...
Processing triggers for ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Processing triggers for initramfs-tools (0.130ubuntu3) ...

==> /var/log/auth.log <==
su[7307]: pam_unix(su:session): session closed for user root
sudo: pam_unix(sudo:session): session closed for user root
systemd-logind[859]: Removed session c3.
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/su
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
su[7329]: Successful su for root by root
su[7329]: + /dev/pts/3 root:root
su[7329]: pam_unix(su:session): session opened for user root by (uid=0)
systemd-logind[859]: Existing logind session ID 2 used by new audit session, ignoring
systemd-logind[859]: New session c4 of user root.

This command will find any file (-type f) with the .log extension (\( -name "*.log" \)) in the /var/log directory and use tail to print updates in the files as they occur (-f). Each log file's output is introduced by a header in ASCII arrows (==> filename.log <==), and a file reappears with a fresh header whenever it receives new lines, as auth.log does above. Anyone looking to find abnormalities on their system will find this useful.
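The combined tail stream above mixes every log into one feed; the next step a defender usually takes is to pull the security-relevant lines out and summarise them. The following Python script is an added example, not code from this article or from the UFW or OpenSnitch projects. It parses the key=value fields of the [UFW BLOCK] kernel lines and the sudo/su entries from auth.log shown above, counts blocked connections per direction and peer, and lists privileged commands and failed sudo authentications. The sample lines are constructed to match the excerpts on this page; the inbound block from 203.0.113.7 and the second sudo command are invented additions, labelled as such in the comments.

```python
"""Summarise UFW BLOCK and sudo/su log lines of the kind shown above.
Added example for this article; it is not part of Ubuntu, UFW or OpenSnitch."""
import re
from collections import Counter

# Constructed sample lines in the format of the /var/log/ufw.log excerpt above.
# The final inbound line (SRC=203.0.113.7 to local port 22) is invented to show
# the other direction; 203.0.113.0/24 is a documentation address range.
SAMPLE_UFW = """\
kernel: [ 3488.126537] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14998 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3489.152073] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=52.84.13.246 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14999 DF PROTO=TCP SPT=51778 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 4201.573248] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=91.189.91.157 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=17312 DF PROTO=UDP SPT=43425 DPT=123 LEN=56
kernel: [ 4300.000000] [UFW BLOCK] IN=enp0s8 OUT= MAC=08:00:27:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.44 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Constructed sample lines in the format of the /var/log/auth.log excerpt above;
# the last sudo line (apt-get) is invented, mirroring the apt history shown.
SAMPLE_AUTH = """\
CRON[7210]: pam_unix(cron:session): session closed for user root
sudo: pam_unix(sudo:auth): conversation failed
sudo: pam_unix(sudo:auth): auth could not identify password for [tokyoneon]
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/su
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
su[7307]: Successful su for root by root
sudo: tokyoneon : TTY=pts/3 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/usr/bin/apt-get install apparmor-profiles apparmor-utils
"""

# Netfilter logs its fields as KEY=VALUE tokens; a value may be empty (IN= on
# an outbound packet), so the value pattern must allow zero characters.
KV_RE = re.compile(r"(\w+)=(\S*)")
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
FAIL_RE = re.compile(
    r"sudo: pam_unix\(sudo:auth\): auth could not identify password for \[(?P<user>[^\]]+)\]")


def parse_ufw_line(line):
    """Return the fields of one '[UFW BLOCK]' line as a dict, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line.split("[UFW BLOCK]", 1)[1]):
        # A UDP line carries LEN= twice (IP header, then UDP header); keep the first.
        fields.setdefault(key, value)
    # An outbound packet has an empty IN= and a named OUT= interface.
    fields["direction"] = "out" if fields.get("OUT") and not fields.get("IN") else "in"
    return fields


def summarize_ufw(lines):
    """Count blocked packets per (direction, protocol, peer address, destination port)."""
    counts = Counter()
    for line in lines:
        f = parse_ufw_line(line)
        if f is None:
            continue
        # Outbound: what the host tried to reach. Inbound: who knocked, and on which local port.
        peer = f.get("DST", "") if f["direction"] == "out" else f.get("SRC", "")
        counts[(f["direction"], f.get("PROTO", ""), peer, f.get("DPT", ""))] += 1
    return counts


def parse_auth_lines(lines):
    """Return (sudo commands as dicts, users with failed sudo password checks)."""
    commands, failures = [], []
    for line in lines:
        m = SUDO_RE.search(line)
        if m:
            commands.append(m.groupdict())
            continue
        m = FAIL_RE.search(line)
        if m:
            failures.append(m.group("user"))
    return commands, failures


def report(ufw_lines, auth_lines):
    """Build a list of one-line findings from both log sources."""
    out = []
    for (direction, proto, peer, port), n in sorted(summarize_ufw(ufw_lines).items()):
        out.append(f"ufw {direction:3} {proto:3} {peer}:{port}  blocked x{n}")
    commands, failures = parse_auth_lines(auth_lines)
    for c in commands:
        out.append(f"sudo {c['user']} -> {c['target']} on {c['tty']}: {c['cmd']}")
    if failures:
        out.append("sudo password failures: "
                   + ", ".join(f"{u} x{n}" for u, n in Counter(failures).items()))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_UFW.splitlines(), SAMPLE_AUTH.splitlines())))
```

To run it over the real files, replace the constructed samples with the lines of /var/log/ufw.log and /var/log/auth.log (readable as root or as a member of adm). Both patterns are searched for anywhere in a line, so the timestamp and hostname prefix that the real files carry in front of "kernel:" and "sudo:" do not affect parsing.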

We've Barely Scratched the Surface ...

That concludes our series on strengthening your primary Ubuntu system ... for now.

As I stated at the start of this series, this guide isn't a complete or comprehensive approach to securing a Linux system. There are many kernel-level modifications users can make to further reduce Ubuntu's susceptibility to a variety of attacks. We can also do more to secure the bootloader, enforce better login password policies, secure shared memory, browse the internet anonymously, and so much more.

Linux operating systems have incredible potential as a platform for security-focused users. I encourage readers to download the Beginning Ubuntu for Windows and Mac Users and Practical Linux Security Cookbook to gain a better understanding of the Ubuntu OS and its inner workings.


Cover image by Justin Meyers/Null Byte; Screenshots by tokyoneon/Null Byte
