Server Security (Part 3): Protecting Your Server with File Auditing and Intrusion Detection Systems


Welcome to Part 3 of our 4 part series of posts about server security.   As mentioned in our previous posts, cyber attacks on Internet-connected servers are at an all time high. If you’re not taking steps to actively protect your server, the chances are high that your machine will be compromised. In this third QuadraNet blog post on the subject, we will take a look at file auditing and intrusion detection systems and how they can be incorporated into a server security plan.

What is File Auditing and Intrusion Detection System?

A file auditing system is used to detect and log the changes to a known healthy file system.   Unauthorized changes to a know clean server configuration is a sure sign that someone has gained unauthorized access to your server.  Once the file audit data is collected, the data needs to be aggregated, normalized, and analyzed so that it can detect any potential unauthorized activity. The software that looks for unauthorized file changes and reports them is commonly referred to as an Intrusion Detection System or IDS.  Windows based servers have been capable of doing this for a long time, however, Linux-based systems didn’t have auditing capabilities until the Linux 2.6 kernel audit system was introduced in December of 2003.

Why Use a File Auditing and Intrusion Detection System?

Alerting you to security issues before they become a problem is an integral part of a proactive security policy.  Knowing that your server’s files have been tampered with allows you to react to security problems as quickly as possible. When an incident occurs, and you need to figure out what happened and who was responsible, an auditing system can assist you in tracking down the issues very quickly.

How do they work?

Many Intrusion Detection Systems scan the files for unauthorized activity in real time, while some File Auditing Systems scan the files on a server and compare them to a known ‘clean’ set of files on a scheduled interval.

Many auditing systems log the activity that takes place to all of the files on the server.   Some of the information that is capable of being recorded is:

  • Date and time, type, and outcome of an event.
  • Sensitivity labels of subjects and objects.
  • Association of an event with the identity of the user who triggered the event.
  • All modifications to Audit configuration and attempts to access Audit log files.
  • All uses of authentication mechanisms, such as SSH, Kerberos, and others.
  • Changes to any trusted database, such as /etc/passwd.
  • Attempts to import or export information into or from the system.
  • Include or exclude events based on user identity, subject and object labels, and other attributes.

Another noteworthy point of information about File Auditing is the use of an Audit system is also a requirement for a number of security-related certifications such as:

  • Controlled Access Protection Profile (CAPP)
  • Labeled Security Protection Profile (LSPP)
  • Rule Set Base Access Control (RSBAC)
  • National Industrial Security Program Operating Manual (NISPOM)
  • Federal Information Security Management Act (FISMA)
  • Payment Card Industry — Data Security Standard (PCI-DSS)
  • Security Technical Implementation Guides (STIG)

How to Setup a File Auditing and Intrusion Detection System?

The process of setting up server auditing software varies depending on the OS of the server.   For an overview of how a sample audit system is installed on a Linux server, please click here.   For a walkthrough of the process on a Windows server, please click here.

As always, the support staff at QuadraNet is standing by and ready to help in securing your server.  To request help from our Support Department in securing your server or for options on installing a File Auditing and Intrusion Detection System, please open a support ticket in your QuadraNet Management Portal.