Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
Post subject: Security Event ID 550
Posted: Fri Feb 24, 2012 8:06 am
Forum User

Joined: Fri Feb 24, 2012 4:42 am
Posts: 6
Location: Greece
Hello to all,

Please forgive my ignorance, since this is the first time I have used ASL and I am not aware of its capabilities or issues yet.
Regarding my issue now: I installed the trial ASL on an up-to-date CentOS server, and since its installation I have been monitoring it to see how it is working/functioning etc.
I notice the Security Events are full of event ID 550, which, if this were a production server, I believe I would have had to worry about a lot!

"Description
This rule is detects when a monitored file changes. This may be an authorized change, or an unauthorized change and these changes should be investigated further."

I get ID 550 on libraries, iptables binaries, configurations and a lot more.
2076 events out of 2184 are ID 550, and the number keeps growing! The system is not updating currently. What do you suggest I should check first, second, third... ?

Regards,

Makis


Post subject: Re: Security Event ID 550
Posted: Fri Feb 24, 2012 2:57 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3635
Location: Chantilly, VA
Thanks for the question. That rule alerts you when a monitored file changes, which can tell you either that something was changed without your permission (malicious) or that it was changed with your permission.

ASL will try to help you determine if this was due to a software update that was authorized, or via some other method. Just log into ASL, click on the ASL tab, then select File Integrity. If anything has changed you will see it in that window (you may need to set the view farther back than today if this happened earlier). Then you will see a listing of all the files that changed and when they changed. If you click on the filename it will then try to determine if it's a managed piece of software, and if it is, it will pull up the system's change log for that file to help you identify what it is and what package/rpm it may be part of.

From there, check your /var/log/yum.log file to see if anything was updated recently, and then see if it matches the files in the FI window. If they don't, then someone may have made these changes without your permission. If they do match, then check your logs to see if you updated anything on the system.

I hope this helps, and if you have other questions please don't hesitate to ask.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
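The triage described in the answer above (compare what the File Integrity window lists against /var/log/yum.log, then check which package owns each changed file), as an added example that is not part of this thread or of ASL itself. The yum.log lines, the rule 550 event times and the file-to-package map are constructed; the map stands in for `rpm -qf` so the script runs offline.

```python
import re
from datetime import datetime, timedelta

YEAR = 2012  # yum.log timestamps carry no year; assumed for the constructed sample

# Constructed sample /var/log/yum.log content (not real logs): two package updates
YUM_LOG = """\
Feb 23 10:15:02 Updated: glibc-2.12-1.47.el6_2.9.x86_64
Feb 23 10:15:05 Updated: iptables-1.4.7-4.el6.x86_64
"""

# Constructed rule 550 events as (time, path), as the File Integrity window lists them
ALERTS = [
    ("Feb 23 10:16:00", "/lib64/libc-2.12.so"),
    ("Feb 23 10:16:01", "/sbin/iptables"),
    ("Feb 24 07:50:12", "/etc/ssh/sshd_config"),
    ("Feb 24 07:51:00", "/usr/local/bin/backup.sh"),
]

# File -> owning package. On a live host this comes from `rpm -qf PATH`;
# hard-coded here so the example runs offline (assumption).
FILE_OWNER = {
    "/lib64/libc-2.12.so": "glibc",
    "/sbin/iptables": "iptables",
    "/etc/ssh/sshd_config": "openssh-server",
}

def parse_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")

def parse_yum_log(text):
    """Return [(time, action, package_name)] from yum.log lines."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+): (\S+)", line)
        if not m:
            continue
        # strip version-release.arch: the name is everything before the first "-<digit>"
        name = re.match(r"(.*?)-\d", m.group(3)).group(1)
        entries.append((parse_ts(m.group(1)), m.group(2), name))
    return entries

def triage(alerts, yum_entries, owner, window=timedelta(hours=1)):
    """Map each changed file to 'update:<pkg>', 'unexplained:<pkg>' or 'unowned'."""
    result = {}
    for ts, path in alerts:
        when, pkg = parse_ts(ts), owner.get(path)
        if pkg is None:
            result[path] = "unowned"  # no RPM owns it: find out what writes there
            continue
        # explained only if the owning package was updated shortly before the change
        hit = [n for t, a, n in yum_entries if n == pkg and timedelta(0) <= when - t <= window]
        result[path] = f"update:{pkg}" if hit else f"unexplained:{pkg}"
    return result

if __name__ == "__main__":
    for path, verdict in triage(ALERTS, parse_yum_log(YUM_LOG), FILE_OWNER).items():
        print(f"{verdict:28} {path}")
```

Files reported as `unexplained` or `unowned` are the ones to look at first; the `update:` ones line up with a logged package update.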

