Generate user-access alerts
Configuration Security Monitoring
One of the most important steps you can take toward securing your cloud servers is to ensure that their operating systems and applications are properly hardened against attack. Maintaining attack-resistant software configurations makes it much more difficult for intruders to gain a foothold on your systems.
The Configuration Security Monitoring security module allows you to monitor the details of your configuration settings, system files, running processes, ownership, and permissions to ensure that there are no unauthorized or insecure values, files, processes, and so on that could compromise server security.
Halo regularly scans each server and applies a set of policy rules that specify what the secure configuration for that server should be. You can assign one of the Halo-provided configuration policies to each server group, or you can customize or build one from scratch to better fit it to each group's server configurations.
Scan results are displayed in the Halo portal. Use them to either (1) remediate detected issues by restoring the proper configuration settings to the affected servers, or (2) immediately notify your security team or incident response team, if an actual security breach is suspected.
Use a Halo configuration policy and Halo's event-alerting capability to alert you whenever a specified user who should not log into a server has logged in, or whenever a user account has been inactive long enough that it should be expired. The example given here detects only unwanted logins.
- Navigate to Policies > Configuration Policies, then click Add New Linux Policy.
- Enter a name (for example, "Unwanted Logins") and optional description for the policy, and click Save.
- On the policy page, expand the category Other and click Add a New Rule.
- Give the rule a name (for example, "Root Logins") and select both Log and Alert event checkboxes.
- Click Add New Check, and select No Recent Account Login.
- Fill in the fields of the check:
  - user(s) (for example, "root")
  - should have NOT logged in in the past ___ days (for example, "100")
- Click Save All. The check, rule, and policy are all updated and saved.
- Navigate to the Dashboard, click the name of a server group to assign the policy to, and click Edit Details below the group name.
- In the Configuration Policies field, add your new policy to the group by selecting it from the dropdown list. Then click Save Group Settings.
- In order to receive alerts, create an alert profile listing your intended recipients and add it to the server group, as described in Set up Halo alerts.
In this example, an alert will be sent to users in the Alert Profiles list of this policy's server group if the root user has logged into any of the servers in the group within the past 100 days.
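To make the logic of the No Recent Account Login check concrete, here is an added example (not Halo's code and not from the setup guide) that applies the same rule to `lastlog`-style output from a single server. It assumes the standard `lastlog` text layout (username, port, origin, latest login or `**Never logged in**`); the sample block below is constructed, not captured from a real host. It goes one step beyond the page's example: besides reporting watched users who did log in within the window (the "Root Logins" rule above), it also lists accounts with no login inside a window, the inverse use the text mentions for expiring inactive accounts.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `lastlog` output (not real data).
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             pts/0    10.0.0.5         Tue Mar  5 09:12:33 +0000 2024
deploy           pts/1    10.0.0.7         Mon Jan  8 14:01:02 +0000 2024
backup                                     **Never logged in**
svc_report       tty1                      Fri Nov 10 08:00:00 +0000 2023
"""

# One lastlog row: username, optional port/from columns, then either the
# "never logged in" marker or a timestamp such as "Tue Mar  5 09:12:33 +0000 2024".
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<rest>.*?)\s*"
    r"(?P<when>\*\*Never logged in\*\*|"
    r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} [+-]\d{4} \d{4})$"
)


def parse_lastlog(text):
    """Return {username: aware datetime or None} from lastlog-style text."""
    last_logins = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore rows we cannot interpret rather than guess
        when = m.group("when")
        if when.startswith("**"):
            last_logins[m.group("user")] = None
        else:
            # collapse the padded day field ("Mar  5") before parsing
            last_logins[m.group("user")] = datetime.strptime(
                " ".join(when.split()), "%a %b %d %H:%M:%S %z %Y")
    return last_logins


def recent_logins(last_logins, watched_users, days, now):
    """Equivalent of the check configured above: watched users who DID log in
    within the past `days` days. Any name returned should raise an alert."""
    cutoff = now - timedelta(days=days)
    return sorted(
        u for u in watched_users
        if last_logins.get(u) is not None and last_logins[u] >= cutoff
    )


def stale_accounts(last_logins, days, now, exclude=()):
    """Inverse use: accounts with no login in `days` days (or never),
    which are candidates for expiry. `exclude` skips expected service accounts."""
    cutoff = now - timedelta(days=days)
    return sorted(
        u for u, t in last_logins.items()
        if u not in exclude and (t is None or t < cutoff)
    )


if __name__ == "__main__":
    # Fixed "now" so the sample gives stable results offline.
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    logins = parse_lastlog(SAMPLE_LASTLOG)
    # Mirrors the "Root Logins" rule: root should NOT have logged in in 100 days.
    for user in recent_logins(logins, ["root", "backup"], 100, now):
        print(f"ALERT: unwanted login by '{user}' at {logins[user].isoformat()}")
    for user in stale_accounts(logins, 90, now, exclude=("backup",)):
        print(f"REVIEW: '{user}' has no login in 90 days; consider expiring it")
```

Both functions take `now` explicitly so a run against an archived `lastlog` snapshot evaluates against the snapshot's collection time rather than the analyst's clock; the same distinction matters when reading Halo scan results that were produced on an earlier scan date.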
For more information on using configuration policies, rules, and checks, see the Configuration Policy Rule Checks appendix of the Configuration Security Monitoring Setup Guide.