6.4 Monitor and Inspect System Activities

System activities include those associated with system performance, processes, and users. Programs executing on your networked systems typically include a variety of operating system and network services, user-initiated programs, and special-purpose applications such as database services. Every program executing on a system is represented by one or more processes. Each process executes with specific privileges that govern what system resources, programs, and data files it can access, and what it is permitted to do with them. The execution behavior of a process is demonstrated by the operations it performs while running, the manner in which those operations execute, and the system resources it uses while executing. Operations include computations; transactions with files, devices, and other processes; and communications with processes on other systems via your network. User activities include login/logout, authentication and other identification transactions, the processes they execute, and the files they access.

If you are reviewing system activities on a host other than the one being monitored, ensure that the connection between them is secure, as described in Section 2.13.

You need to verify that your systems are behaving as expected and that the processes executing on your systems are attributed only to authorized activities by users, administrators, and system functions. Unexpected or anomalous system performance may indicate that an intruder is using the system covertly for unauthorized purposes. The intruder may be attempting to attack other systems within (or external to) your network, or running network sniffer programs. A process that exhibits unexpected behavior may indicate that an intrusion has occurred. Intruders may have disrupted the execution of a program or service, causing it either to fail or to operate in a way other than the user or administrator intended. For example, if intruders successfully disrupt the execution of access-control processes running on a firewall system, they may access your organization's internal network in ways that would normally be blocked by the firewall.

If you permit access to your systems and networks by third parties (vendors, contractors, suppliers, partners, customers, etc.), you must monitor their access to ensure that all their actions are authentic and authorized. This step includes monitoring and inspecting their system activities.

6.4.1 Notify Users

Inform authorized users of your systems about the scope and kinds of monitoring you will be doing and the consequences of unauthorized behavior.

A common method for communicating this message is to present a banner message immediately before user login, as described in Section 6.3.1.

Without the presentation of a banner message or other warning, you probably cannot use log files and other collected data in any action you may choose to take against a user.

6.4.2 Review System Alerts

Review and investigate alerts, however they reach you (e-mail, voice mail, pager messages, or in person), from the following sources:

  • Users and other administrators, via e-mail or in person

  • Operating system alert mechanisms

  • System management software traps

  • Intrusion detection systems

  • Custom alert mechanisms from service or application programs (including tools)

6.4.3 Review System Error Reports

These reports are typically produced by the following sources:

  • Operating system error-reporting mechanisms

  • Log file filtering tools

  • Vendor or custom-developed management software

  • Custom error-reporting mechanisms from service or application programs (including tools)

Often an administrator will be able to configure error reporting at a number of criticality, severity, or priority levels when installing the system, service and application programs, and supporting tools.

6.4.4 Review System Performance Statistics

Statistics are generally produced by vendor or custom performance-monitoring tools. Typical statistics include the following (refer to Section 5.3, Table 5.2):

  • Total resource use over time—CPU, memory (used, free), disk (used, free)

  • Status reported by systems and hardware devices such as print queues

  • Changes in system status, including shutdowns and restarts

  • File system status (where mounted, free space by partition, open files, biggest file) over time and at specific times

  • File system warnings (low free space, too many open files, file exceeding allocated size)

  • Disk counters (input/output, queue lengths) over time and at specific times

  • Hardware availability (modems, network interface cards, memory)

  • Performance statistics meaningful for a specific server or host

  • Comparison of previous system performance statistics with current statistics

Unexpected shutdowns, reboots, and restarts can indicate the presence of a Trojan horse program that requires a shutdown or restart of a system or service.

Investigate anything that appears anomalous.

6.4.5 Monitor Process Activity and Behavior

The examination of processes is complex, time-consuming, and resource-intensive. The degree to which you are able to identify suspicious processes depends on your knowledge of what processes you normally expect to be executing on a given system and how they should behave.

Due to the large number of processes and their rapidly changing natures, it is impractical for you to monitor them continually yourself. In addition, the amount and value of information that you can gather from a snapshot of currently executing processes may be very limited. This means that you must employ a variety of information-gathering and monitoring mechanisms to help you collect and analyze data associated with processes, and to alert you to suspicious activity.

One common approach with multi-user systems is to set up consoles (or separate terminal windows on workstations) that display the current status of processes and are updated at short intervals. Ideally, these consoles should be hard-wired to the systems for which they are displaying information. With strategic placement of these displays, you can take advantage of the experience of system administrators to notice unexpected activity that may not be picked up by your more immediate alert mechanisms.

Identify any unexpected, unusual, or suspicious process behavior and the possible implications. As a general guideline, you should look for the following:

  • Missing processes

  • Extra processes

  • Unusual process behavior or resource utilization

  • Processes that have unusual user identification associated with them

Data from log files and other data collection mechanisms will help you to analyze the process behavior, for example (refer to Section 5.3, Table 5.2):

  • User executing the process

  • Process start-up time, arguments, file names

  • Process exit status, time duration, resources consumed

  • The amount of resources used (CPU, memory, disk, time) by specific processes over time; top "x" resource-consuming processes

  • System and user processes and services executing at any given time

  • The means by which each process is normally initiated (administrator, other users, other programs or processes), with what authorization and privileges

  • Devices used by specific processes

  • Files currently open by specific processes

Look for processes that are operating in one of the following ways:

  • Running at unexpected times

  • Terminating prematurely

  • Consuming excessive resources (wall clock time, CPU time, memory, disk), which may warn you of an impending DoS condition or the use of a network sniffer

  • Password cracking, network packet sniffing or any other process not due to normal, authorized activities

  • Unusually formatted in their output or arguments (for example, on UNIX systems, a process running as ./telnetd instead of /usr/sbin/telnetd)

  • New, unexpected, or previously disabled, possibly indicating that intruders have installed their own version of a process or service, or are running IRC, web, or FTP services to distribute tools and stolen files (such as password files) to other compromised hosts

  • Owned by inactive user accounts yet consuming CPU resources

  • A terminal process exhibiting abnormal input/output behavior

  • Without a controlling terminal and executing unusual programs

  • Unusually large in number

Pay close attention to the processes associated with intrusion detection and other security tools. Intruders regularly compromise these tools to gain greater leverage and information and to generate decoy alerts to distract and waste the time of system administrators.
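The checks in the two lists above can be scripted against a process snapshot. The following is an added example, not code from the book: it parses `ps -eo pid,ppid,user,tty,etime,args` output and compares it with a per-host baseline of expected programs and their owners. The baseline, the list of disabled accounts, and the snapshot itself are constructed for illustration; in practice the snapshot must come from verified binaries (Section 6.2), since a Trojaned ps simply omits the intruder's processes.

```python
"""Flag suspicious processes in a `ps` snapshot against a per-host baseline.

Added example; not code from the book. The baseline, the account list and
the ps output are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed baseline (assumption: maintained per host from known-good
# snapshots): absolute program path -> accounts allowed to run it.
EXPECTED = {
    "/usr/sbin/sshd": {"root"},
    "/usr/sbin/cron": {"root"},
    "/usr/sbin/syslogd": {"root"},
    "/usr/bin/postgres": {"postgres"},
}
# Daemons that must only ever run from their installed absolute path.
SENSITIVE_BASENAMES = {"telnetd", "sshd", "login", "inetd"}
# Accounts that are disabled and should own no processes (constructed).
INACTIVE_USERS = {"oldemp"}

@dataclass
class Finding:
    pid: int
    reason: str
    line: str

# pid ppid user tty etime args  (args may contain spaces, so it comes last)
PS_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,tty,etime,args` output, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        m = PS_RE.match(line)
        if m:
            pid, ppid, user, tty, etime, args = m.groups()
            rows.append((int(pid), int(ppid), user, tty, etime, args, line.strip()))
    return rows

def inspect(text):
    """Return Findings for extra, missing, mis-owned or oddly located processes."""
    findings = []
    seen = set()
    for pid, ppid, user, tty, etime, args, line in parse_ps(text):
        exe = args.split()[0]
        base = exe.rsplit("/", 1)[-1]
        seen.add(exe)
        # e.g. ./telnetd instead of /usr/sbin/telnetd
        if base in SENSITIVE_BASENAMES and not exe.startswith("/"):
            findings.append(Finding(pid, "sensitive daemon run from relative path", line))
        # known program, but not run by the account the baseline allows
        if exe in EXPECTED and user not in EXPECTED[exe]:
            findings.append(Finding(pid, "unexpected owner " + user, line))
        # a disabled account should own nothing at all
        if user in INACTIVE_USERS:
            findings.append(Finding(pid, "process owned by inactive account", line))
        # daemon-like (no controlling tty) and executing from /tmp or a dot-directory
        if tty == "?" and (exe.startswith("/tmp/") or "/." in exe):
            findings.append(Finding(pid, "no controlling tty, runs from tmp or hidden dir", line))
    # missing processes: e.g. an intruder killed the logger
    for path in EXPECTED:
        if path not in seen:
            findings.append(Finding(0, "expected process missing: " + path, path))
    return findings

# Constructed snapshot: syslogd is gone, a disabled account runs a cracker
# from a hidden /tmp directory, and a telnetd runs from the current directory.
SAMPLE_PS = """\
  PID  PPID USER     TT           ELAPSED ARGS
    1     0 root     ?        10-04:12:01 /sbin/init
  412     1 root     ?        10-04:11:50 /usr/sbin/sshd -D
  430     1 root     ?        10-04:11:49 /usr/sbin/cron
  610     1 postgres ?        10-04:11:40 /usr/bin/postgres -D /var/lib/pgsql
 2201     1 oldemp   ?           02:13:11 /tmp/.x/crack -f /etc/shadow
 2390     1 root     ?           00:45:02 ./telnetd
"""

if __name__ == "__main__":
    for f in inspect(SAMPLE_PS):
        print(f"pid {f.pid:>5}: {f.reason}\n    {f.line}")
```

On the constructed snapshot this reports the cracker twice (inactive owner, hidden directory), the relative-path telnetd, and the missing syslogd. The value of the script lies entirely in the baseline: build it from a known-good snapshot of each host and review it when you change the host's software.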

6.4.6 Monitor User Behavior

Identify any unexpected, unusual, or suspicious user behavior and the possible implications.

Data from log files and other data collection mechanisms will help you to analyze user behavior, for example (refer to Section 5.3, Table 5.2):

  • Login/logout information (location, time): successful, failed attempts, attempted logins to privileged accounts

  • Login/logout information on remote access servers that appears in modem logs

  • Changes in user identity

  • Changes in authentication status, such as enabling privileges

  • Failed attempts to access restricted information (such as password files)

  • Keystroke-monitoring logs

  • Violations of user quotas

Look for the following types of intrusions and intrusion attempts:

  • Repeated failed login attempts, including those to privileged accounts

  • Logins from unusual locations or at unusual times, including unusual or unauthorized attempts to log in via a remote access server

  • Unusual attempts to change user identity

  • Unusual processes run by users

  • Unusual file accesses, including unauthorized attempts to access restricted files

  • Users logged in for an abnormal length of time (both short and long)

  • A user executing an unexpected command

  • A user working from an unusual terminal

If you notice unusual activity associated with particular users, initiate supplemental data collection mechanisms to gather detailed information about their activities. Many multiuser systems provide mechanisms to audit all processes associated with a particular user. Since process accounting logs tend to generate a great deal of information rapidly, you will need to allocate sufficient resources to store the data collected. Similarly, detailed network logging of all activity associated with all the systems accessed by a specific user can be voluminous, and you will need to allocate resources accordingly. Review the newly collected data often (at least daily) and rotate files regularly to minimize the amount of information that you have to analyze at any given time (as described in Section 5.4).
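Several of the patterns listed above (repeated failures, logins to privileged accounts, logins at unusual times or from unusual places) can be picked out of ordinary login records. The following is an added example, not code from the book: it runs those checks over syslog-style sshd records. The log lines, the administrative network, the business-hours window and the failure threshold are constructed assumptions to be tuned for your environment.

```python
"""Detect suspicious logins in syslog-style sshd records.

Added example; not code from the book. Log lines, admin network,
business hours and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
YEAR = 2024                                  # syslog lines carry no year
PRIVILEGED = {"root"}                        # accounts that warrant extra scrutiny
ADMIN_NETS = [ip_network("192.0.2.0/24")]    # assumption: the only net root may come from
BUSINESS_HOURS = range(8, 19)                # assumption: 08:00-18:59 local time
FAIL_THRESHOLD = 5                           # failures per (source, user) ...
FAIL_WINDOW = timedelta(seconds=60)          # ... inside this sliding window

def parse(line):
    """Return (timestamp, accepted, user, source_ip) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], ip_address(m["src"])

def analyze(lines):
    """Return (timestamp, reason, user, source) tuples in log order."""
    findings = []
    fails = defaultdict(deque)     # (src, user) -> recent failure timestamps
    bursts = set()                 # keys already reported for a failure burst
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, accepted, user, src = parsed
        key = (src, user)
        if not accepted:
            q = fails[key]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and key not in bursts:
                bursts.add(key)
                findings.append((ts, "repeated failed logins", user, str(src)))
            continue
        # a success that follows a burst of failures is the brute force that worked
        if key in bursts:
            findings.append((ts, "success after failure burst", user, str(src)))
        if user in PRIVILEGED and not any(src in net for net in ADMIN_NETS):
            findings.append((ts, "privileged login from outside admin net", user, str(src)))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, "login outside business hours", user, str(src)))
    return findings

# Constructed records: a password-guessing run against root that succeeds
# at 02:14, a normal daytime key login, and a late-night login by alice.
SAMPLE_LOG = """\
Mar 12 02:14:07 gw sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 12 02:14:09 gw sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 12 02:14:12 gw sshd[1203]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 12 02:14:15 gw sshd[1203]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 12 02:14:18 gw sshd[1205]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar 12 02:14:31 gw sshd[1210]: Accepted password for root from 203.0.113.5 port 40130 ssh2
Mar 12 09:05:12 gw sshd[1400]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar 12 11:30:44 gw sshd[1450]: Failed password for invalid user admin from 198.51.100.200 port 3344 ssh2
Mar 12 23:40:01 gw sshd[1500]: Accepted password for alice from 198.51.100.77 port 51001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ts, reason, user, src in analyze(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S}  {reason:40} {user}@{src}")
```

The sliding window is keyed on (source, user) so that a slow scan across many accounts from one address is not hidden inside a single counter; if you also want to catch one address probing many accounts, keep a second window keyed on source alone. Note that the script trusts the log: on a compromised host the intruder may have edited it, which is why the text recommends collecting these records centrally over a secured connection.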

6.4.7 Monitor for the Presence of Network Sniffers

One thing intruders commonly do is to gather information from the traffic on your networks to find user account names, passwords, and other information that may facilitate their ability to gain access to your systems. They do this by breaking into one system on your network and installing and executing a sniffer program. This program collects information about connections established between systems from network data packets as they arrive at or pass by the compromised system. To hide this illicit activity on compromised systems, intruders typically modify log files and replace programs that would reveal the presence of the sniffer program with Trojan horse versions. The substitute programs appear to perform the same functions but exclude information associated with the intruders and their activities. In many documented cases of this type of intrusion, the intruders' activities went unnoticed for a considerable amount of time, during which they collected enough information to gain privileged access to several other systems.

Detecting the presence of distributed network sniffers may not be possible. Some operating systems (but not all, or even most) respond differently to an ICMP echo request when the interface is in promiscuous mode than when it is not; the classic probe is an echo request sent to the host's IP address inside a frame carrying a bogus destination MAC address, which a non-promiscuous interface discards but a promiscuous interface on some kernels passes up the stack and answers, thus providing some indication that something is amiss. Even when this indication is present, however, the computer is under intruder control and will behave as the intruder directs. Without sophisticated analog electronic signaling techniques, it's probably impossible to detect a distributed sniffer externally.

This reality underscores the importance of using verified software to examine your systems (as described in Section 6.2) and the need to verify the integrity of your files (as described in Section 6.5). Unfortunately, intruders can use several sophisticated collections of programs to gain rapid access to systems and "set up shop" to install and execute a sniffer. In such cases the only way you may be able to catch such activity is to use verified software to examine processes on your systems for unexpected behavior (as described in Section 6.4), although this method is not effective against kernel modifications.

Processes associated with a sniffer will typically have transactions with a network interface that has been placed in promiscuous mode, as well as a file or network connection to which the information gathered from network packets is being sent. However, keep in mind that legitimate network monitors and protocol analyzers will set a network interface in promiscuous mode as well.

Network interfaces on most systems normally operate in nonpromiscuous mode, which means that they ignore network packets not explicitly addressed to them. In promiscuous mode, no packets are ignored, that is, all packets that traverse the network segment to which the system is attached are read by its network interface and are accessible to processes executing on that system. On a switched network the segment a port sees is much smaller than on shared media: a promiscuous interface receives only the unicast traffic the switch forwards to that port plus broadcast and multicast, so an intruder who wants other hosts' traffic must also redirect it (for example, by ARP spoofing or by flooding the switch's address table), and those actions leave their own traces.
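On a Linux host you can check for the two indicators the text describes, an interface in promiscuous mode and a process holding a raw capture socket, directly from the kernel's sysfs and procfs views. The following is an added example, not code from the book. The parsers take text so they can be run against the constructed samples below; the `main` block applies them to the live system. Two caveats: the PROMISC flag in `ip link` or `ifconfig` output is not always set when promiscuity was requested through a packet socket (as libpcap does), so the kernel's own flag word in `/sys/class/net/<if>/flags` and the `promiscuity` counter printed by `ip -d link` are more reliable; and, as the text says, a kernel-level rootkit can lie to all of these, so run the check from verified media and treat a clean result as weak evidence only.

```python
"""Check for promiscuous interfaces and for AF_PACKET (raw capture) sockets.

Added example; not code from the book. Linux only: reads
/sys/class/net/<if>/flags, /proc/net/packet and /proc/<pid>/fd.
The sample texts below are constructed in the real file formats.
"""
import os
import re

IFF_PROMISC = 0x100   # bit value from <linux/if.h>

def promisc_from_flags(hex_text):
    """True if the contents of /sys/class/net/<if>/flags has IFF_PROMISC set."""
    return bool(int(hex_text.strip(), 16) & IFF_PROMISC)

IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")

def promisc_from_ip_link(output):
    """Names of interfaces whose `ip -o link` flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m["flags"].split(","):
            found.append(m["name"])
    return found

def packet_socket_inodes(proc_net_packet_text):
    """Socket inodes of AF_PACKET sockets (what libpcap-based sniffers open)."""
    inodes = set()
    for line in proc_net_packet_text.splitlines()[1:]:   # skip the column header
        cols = line.split()
        if cols:
            inodes.add(cols[-1])                          # Inode is the last column
    return inodes

def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> pids whose fd table holds it (root needed to see all)."""
    owners = {ino: [] for ino in inodes}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and m[1] in owners:
                owners[m[1]].append(int(pid))
    return owners

# Constructed samples in the real output/file formats.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880 3      3    0003   2     1 0      0      41287
"""

if __name__ == "__main__":
    print("PROMISC in sample ip link output:", promisc_from_ip_link(SAMPLE_IP_LINK))
    if os.path.isdir("/sys/class/net"):
        for name in sorted(os.listdir("/sys/class/net")):
            try:
                with open(f"/sys/class/net/{name}/flags") as fh:
                    print(name, "promiscuous" if promisc_from_flags(fh.read()) else "normal")
            except OSError:
                pass
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            inodes = packet_socket_inodes(fh.read())
        print("AF_PACKET socket owners:", socket_owners(inodes))
```

Every AF_PACKET socket owner the script reports should be a process you can name (a legitimate protocol analyzer, a DHCP client, an IDS sensor); anything else deserves the process-level inspection described in Section 6.4.5, carried out with verified binaries.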

Refer to CERT advisory CA-1994.01, Ongoing Network Monitoring Attacks, at the CERT web site.

6.4.8 Run Network Mapping and Scanning Tools

The purpose of running network mapping and scanning tools is to understand what intruders who use such tools can learn about your networks and systems. We recommend carrying out this task periodically during nonbusiness hours and when you are physically present, because mapping tools can sometimes affect systems in unexpected ways. Eliminate or make invisible (if possible) any aspect of your network topology and system characteristics that you do not want to be known by intruders who use mapping tools.

6.4.9 Run Vulnerability Scanning Tools on All Systems

The purpose of running vulnerability scanning tools on all systems is to check for the presence of known vulnerabilities. We recommend running such tools periodically during nonbusiness hours and when you are physically present, because scanning tools can sometimes affect systems in unexpected ways. Eliminate all vulnerabilities identified by these tools wherever possible. Many of these can be dealt with by updating configuration file settings and installing vendor-provided patches as described in Section 2.4.

Consider using scanning tools that include password analysis as part of their vulnerability assessment. Such analysis may include the identification of weak, nonexistent, or otherwise flawed passwords, such as those that can be determined using brute force or dictionary-based attacks.

Refer to CERT vulnerability notes at the CERT web site and How to Eliminate the Ten Most Critical Internet Security Threats: The Experts' Consensus, Version 1.25 (SANS 00) for a description of some of the more prevalent vulnerabilities.

6.4.10 Policy Considerations

Your organization's networked systems security policy should specify the following:

  • The need for users to be notified that process and user activities will be monitored and state the objective of such monitoring

  • The responsibilities and authority of designated systems administrators and security personnel to examine systems, processes, and user activity for unexpected behavior

  • What forms of unexpected behavior users should watch for and require users to report any such behavior to their designated security officials and system administrators.

  • What software and data users and administrators are permitted to install, collect, and use, with explicit procedures and conditions for doing so

  • What programs users and administrators are permitted to execute and under what conditions

6.4.11 Additional Information

  1. If you are reviewing system activities on a host other than the one being monitored, ensure that the connection between them is secure, as described in Section 2.13.

  2. Whenever possible, analyze and correlate data collected from multiple sources, as recommended in the other practices of this chapter. Performing some level of correlation analysis during the intrusion detection process, such as determining when intrusion activity occurring in one part of your systems may be related to activity in another part, will assist you in determining the full extent of any compromise and its characteristics as described in Section 7.2.

  3. Logging information produced by vulnerability patches (updated software that corrects or closes a vulnerability), if provided by the vendor and if turned on, can help identify a pattern in which an intruder exploits more than one vulnerability before gaining access. For example, a failed logged attempt to probe for an old vulnerability (produced by the vulnerability patch) could be followed by a successful probe for a new vulnerability that is not logged. The presence of the vulnerability patch logging information, along with other mechanisms such as integrity checking, could alert you to this type of intruder action.
