Linux/UNIX Server Audit and Log Services
- Can your logging solutions reliably relate program execution to user identity and/or to network endpoint creation and file access, including the task of GeoIP locatig network traffic?
- Do your monitoring mechanisms provide enough information to help you reliably determine a sequence of systen level events during post-mortem, DFIR/Incident response investigation?
- Are you happy with the amount of software dependencies and installation overhead of your monitoring/logging mechanisms?
- Is your monitoring/logging solution Open Source, so you can control both the data it produces and the mechanism?
If the answer to one or more of the previous questions is 'no', you should consider POFR, a new utility that provides a step-by-step forensic compliant picture of what happened in your system. This means that the utility can enable you to perform a number of critical tasks, as part of your core server IT infrastructure such as:
- Examine/interrelate in great detail processes, file access and network endpoint events in a monitored system in the exact order they occurred.
- Assistance in detecting computer account involvement to incidents/misbehaving apps and/or malware.
- Conduct post mortem evidence after security compromises with the evidence stowed away from the monitored system.
- Conduct incident threat response exercises and study their effect on Linux systems.
- Provide reliable log records for Linux systems that need to comply with the logging/auditing requirements of the PCI-DSS and HIPAA standards.
- Obtain/maintain your own collection of threat and OSINT information.
POFR uses an agentless client/server architecture. Clients are the systems to monitor and they push data to a server via the SSH protocol. The server parses the data and updates a Relational Database that is used to store and present the data for further analysis. The overall architecture was designed to provide:
- Absolute transparency on what's happening on the system (source code provided via an Open Source license. No proprietary binaries or blackboxes)
- Minimum implementation complexity: No proprietary kernel hooks or complex installation/deployment software dependencies.
- Acceptable system security: No agents running on client systems exposing open network ports. Data are cryptographically signed and pushed to the server by using encrypted channels.
- Balanced computational overhead and data accuracy: The data extracted from the clients should provide a reasonable level of accuracy to reconstruct event sequences, not at the expense of computational overhead for the monitored systems.
Commercial Support for POFR
POFR is an Open Source solution. We are commited in providing source code for the lifetime of the solution. The process of deploying and maintaining POFR is described in a freely available technical manual. However, maintaining large setups (hundreds, thousands of clients) requires hardware and human resources. We offer commercial support for organizations that need a turn key solution that includes a combination of the following:
- Initial setup and 24/7/365 running of the POFR server backend in secure servers (both in house and on colocated data centers)
- Assistance in the process of interpreting the collected data during DFIR investigations
- Customized development for adapting/tuning POFR for specific solutions
contact us to discuss your detailed and obtain price quote.