I am not a system engineer and not a security expert (I am more of a software developer), but I am working on a project related to a SIEM installation (Wazuh). At the moment this installation has only a demo purpose for a customer; later on a real scenario project will be implemented. This SIEM will monitor some CentOS 7 machines.
I have the following doubt: we want to put under monitoring when the content of some important files changes.
I was thinking that for a first demo we can monitor events related to these two use cases:
- When the content of some configuration files changes.
- When a log file's size decreases (this could indicate tampering with the log files in order to eliminate information about an attack).
What do you think about this? If it makes sense, can you suggest a list of important configuration files and a list of important log files that deserve to be monitored on a Linux system (in particular on a CentOS 7 system)?
Moreover, can you also suggest some directories that should be monitored in order to prevent, for example, an attacker from uploading malicious files?
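An added example to go with the question (not something the original poster or the Wazuh project provides): a Wazuh agent ossec.conf fragment for a CentOS 7 host that implements both use cases. It assumes Wazuh 3.x syscheck and logcollector options; the file and directory paths are assumptions, a starting set rather than a complete list.

```xml
<!-- Added example, not from the question: Wazuh agent ossec.conf fragment for a
     CentOS 7 host. Assumed: Wazuh 3.x syscheck/logcollector options; the path
     list is a starting point, not an exhaustive list. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- full scheduled scan every 12 hours, plus one at agent start -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Use case 1: content changes of important configuration files.
         realtime="yes" reports a change immediately instead of at the next scan;
         report_changes="yes" stores a diff of text files so the alert shows
         what changed (diffs of /etc/shadow are kept on the agent, mind access). -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/ssh/sshd_config,/etc/sudoers,/etc/sudoers.d</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd,/etc/shadow,/etc/group,/etc/pam.d</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/crontab,/etc/cron.d,/var/spool/cron</directories>
    <directories check_all="yes" realtime="yes">/etc/rsyslog.conf,/etc/rsyslog.d,/etc/selinux/config,/etc/yum.repos.d</directories>
    <!-- the agent's own configuration: changes here would blind the SIEM -->
    <directories check_all="yes" realtime="yes">/var/ossec/etc</directories>
    <!-- system binaries: a replaced binary shows up as a hash change at the next scan -->
    <directories check_all="yes">/usr/bin,/usr/sbin,/usr/lib64</directories>
    <!-- directories where unexpected new files matter (world-writable dirs, web root);
         alert_new_files makes additions, not only modifications, produce alerts -->
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">/tmp,/var/tmp,/dev/shm,/var/www/html</directories>
    <!-- reduce noise from files that change legitimately all the time -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.swp$|~$</ignore>
  </syscheck>
  <!-- Use case 2: logcollector keeps each monitored log open and reports when the
       file shrinks ("File size reduced") or its inode changes; the stock ruleset
       turns the size reduction into an alert (rule 592 "Log file size reduced" in
       ossec_rules.xml; verify the id against the installed ruleset). Rotation by
       logrotate changes the inode and is reported separately, so it is not
       mistaken for tampering. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
</ossec_config>
```

After restarting the agent, editing one of the watched files on the demo host should produce a syscheck alert with the diff, and truncating a watched log on that same demo host should produce the size-reduced alert.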