Alert on unexpected services
Configuration Security Monitoring
One of the most important steps you can take toward securing your cloud servers is to ensure that their operating systems and applications are properly hardened against attack. Maintaining attack-resistant software configurations makes it much more difficult for intruders to gain a foothold on your systems.
The Configuration Security Monitoring security module allows you to monitor the details of your configuration settings, system files, running processes, ownership, and permissions to ensure that there are no unauthorized or insecure values, files, processes, and so on that could compromise server security.
Halo regularly scans each server and applies a set of policy rules that specify what the secure configuration for that server should be. You can assign one of the Halo-provided configuration policies to each server group, or you can customize or build one from scratch to better fit it to each group's server configurations.
Scan results are displayed in the Halo portal. Use them to either (1) remediate detected issues by restoring the proper configuration settings to the affected servers, or (2) immediately notify your security team or incident response team, if an actual security breach is suspected.
Use a Halo configuration policy together with Halo's event-alerting capability to alert you to any unexpected, and possibly malicious, services running on your servers.
- If you haven't done it yet, create and assign an alert profile as described in Set up Halo alerts.
- Navigate to Policies > Configuration Policies, then click Add New Linux Policy or Add New Windows Policy.
- Enter a name (for example, "Unwanted Processes") and optional description for the policy, and click Submit.
- On the policy page, expand the category Other and click Add a New Rule.
- Give the rule a name (for example, "Bad Processes") and check both Log and Alert event checkboxes.
- Click Add New Check, and select Process Presence (for Linux), or Service is Started (for Windows).
- Fill in the fields of the check:
  - Enter the name of the unwanted process (for this Linux example, "CUPS").
  - Click the should not be running button.
- Click Save All. The check, rule, and policy are all updated and saved.
- Navigate to the Dashboard, click the name of a server group to assign the policy to, and click Edit Details below the group name.
- In the Configuration Policies field, add your new policy to the group by selecting it from the dropdown list. Then click Save Group Settings.
In this example, an alert will be sent to users listed in the Alert Profiles of this policy's server group if the "CUPS" process is found running on any of the servers in the group.
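The policy structure the steps above build (policy, rule with Log and Alert flags, "Process Presence" check with "should not be running") can be modelled locally to see what such a check evaluates. The following is an added illustrative example, not Halo's own code or API: it assumes the CUPS daemon appears as `cupsd` in the process table, and the sample process snapshot is constructed.

```python
"""Evaluate Halo-style 'Process Presence' checks against a process snapshot."""
from dataclasses import dataclass, field
import subprocess


@dataclass
class ProcessCheck:
    process: str       # process name as it appears in `ps -eo comm=`
    should_run: bool   # False models the "should not be running" button


@dataclass
class Rule:
    name: str
    log: bool          # the rule's Log event checkbox
    alert: bool        # the rule's Alert event checkbox
    checks: list = field(default_factory=list)


@dataclass
class Finding:
    rule: str
    process: str
    message: str
    log: bool
    alert: bool


def running_processes(ps_output: str) -> set:
    """Parse `ps -eo comm=` style output (one command name per line)."""
    return {line.strip() for line in ps_output.splitlines() if line.strip()}


def evaluate(rules, procs):
    """Return one Finding per check whose expectation the snapshot violates."""
    findings = []
    for rule in rules:
        for chk in rule.checks:
            present = chk.process in procs
            if present and not chk.should_run:
                msg = f"{chk.process} is running but should not be"
            elif not present and chk.should_run:
                msg = f"{chk.process} is not running but should be"
            else:
                continue
            findings.append(Finding(rule.name, chk.process, msg, rule.log, rule.alert))
    return findings


def scan_live(rules):
    """Evaluate the rules against this host's real process table."""
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True, check=True).stdout
    return evaluate(rules, running_processes(out))


# Mirrors the "Bad Processes" rule from the procedure; cupsd assumed as the CUPS daemon name.
UNWANTED = [Rule("Bad Processes", log=True, alert=True,
                 checks=[ProcessCheck("cupsd", should_run=False)])]
SAMPLE_PS = "systemd\nsshd\ncupsd\nbash\n"   # constructed snapshot, not a real host

if __name__ == "__main__":
    for f in evaluate(UNWANTED, running_processes(SAMPLE_PS)):
        print(f"[{'ALERT' if f.alert else 'log'}] {f.rule}: {f.message}")
```

Call `scan_live(UNWANTED)` to run the same check against the current host instead of the constructed snapshot.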
For more on configuration-policy rules and checks, see Create or Customize a Configuration Policy in the Configuration Security Monitoring Setup Guide.