I was recently informed by the security team that we need some form of endpoint detection and response (EDR) for our Linux servers to meet a security audit requirement. This made me question whether we really need something as comprehensive as a full EDR solution from Microsoft or if we can get by with basic Linux security tools like Lynis, rkhunter, and chkrootkit. I believe the best approach for securing Linux is to implement SELinux properly, but given time constraints, relying on scanners seems to be the alternative. I'd love to hear your thoughts on this!
5 Answers
Implementing SELinux isn't as tough as it seems! It usually works fine out of the box on Red Hat-based systems. Sure, sometimes you might have to relabel files, but that's manageable. For us, we use Falcon/CrowdStrike because it gives the infosec team peace of mind and meets insurance requirements. Just be aware that it might have hiccups with kernel updates.
Honestly, it sounds like the whole EDR requirement is more about checking boxes than actual security. We're using SentinelOne on our Linux machines, but honestly, it just eats up resources and doesn’t do much. In fact, one server has been maxing out a CPU core for years! It satisfies the audit team, though. Honestly, it could be a false sense of security. Just something to think about!
I get that. But how do you address security incidents without EDR support?
This totally depends on your compliance requirements—are you following STIG, PCI, or something else? Tools like auditd for detection are great, but you need a separate system for alerts. Grafana and ELK are useful for that, but keep in mind they can be resource-intensive. Full EDR solutions can catch more anomalies, but if you're looking for basic compliance, perhaps combining scanners and keeping a tight firewall setup is the way to go!
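The answer above makes the point that auditd only records what your rules match; something else has to read those records and decide what is worth an alert. Here is an added example (not code from any answer in this thread) of that alerting layer: it groups raw audit records by serial number, reconstructs each event, and raises alerts for successful writes to identity files and for denied access attempts. The log excerpt is constructed by hand to look like what auditd writes after rules such as `-w /etc/passwd -p wa -k identity` and `-w /etc/shadow -p rwa -k identity` fire; the key name `identity` and every pid, inode and timestamp in it are made up. The syscall numbers (2 = open, 257 = openat) and open flag values are the real x86_64 ones.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not real captured data).
# Three events: root writing /etc/passwd (serial 301), an unprivileged user being
# denied /etc/shadow (302), and a harmless read-only open of /etc/passwd (303).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12345678 a2=241 a3=1b6 items=2 ppid=2100 pid=2105 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1700000000.101:301): cwd="/root"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="/etc/passwd" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd12345678 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1700000000.205:302): item=0 name="/etc/shadow" inode=3 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:303): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd12345678 a2=0 a3=0 items=1 ppid=2100 pid=2110 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1700000000.300:303): item=0 name="/etc/passwd" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# open(2) flag bits on Linux; a2 of open/openat carries the flags word in hex.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0x1, 0x2, 0x40, 0x200
WRITE_FLAGS = O_WRONLY | O_RDWR | O_CREAT | O_TRUNC
OPEN_SYSCALLS = {"2", "257"}  # open / openat on x86_64 (arch=c000003e)
WATCH_KEY = "identity"        # assumed rule key; match it to your own audit rules

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Group raw auditd records into one event per audit serial number.

    auditd emits several lines per syscall (SYSCALL, CWD, PATH...), all sharing
    the serial in msg=audit(time:serial); correlation has to happen here.
    """
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[serial]
        ev["serial"], ev["time"] = serial, float(ts)
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))   # skip the parent-dir item
    return [events[s] for s in sorted(events, key=int)]


def detect(events):
    """Turn matched audit events into (serial, severity, message) alerts."""
    alerts = []
    for ev in events:
        if ev.get("key") != WATCH_KEY:
            continue
        flags = int(ev.get("a2", "0"), 16) if ev.get("syscall") in OPEN_SYSCALLS else 0
        who = f'auid={ev.get("auid")} uid={ev.get("uid")} exe={ev.get("exe")}'
        targets = ", ".join(ev["paths"])
        if ev.get("success") == "yes" and flags & WRITE_FLAGS:
            alerts.append((ev["serial"], "high", f"write to {targets} by {who}"))
        elif ev.get("success") == "no":
            alerts.append((ev["serial"], "medium",
                           f"denied access to {targets} by {who} (exit={ev.get('exit')})"))
        # a successful read-only open is logged by auditd but is not alerted on
    return alerts


if __name__ == "__main__":
    for serial, severity, msg in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{severity}] audit serial {serial}: {msg}")
```

In production the input would come from the audit log (or from audisp, which is the supported way to get a live feed rather than tailing the file) and the alerts would go to whatever ELK or Grafana pipeline you already run; the correlation step is the part that the scanners in the question do not give you.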
Yup, it’s about balancing resource usage with what you need to satisfy compliance.
Exactly! Just don’t forget to monitor your log files too for missed alerts.
I’ve been using OSSEC to monitor changes on my servers. It sends alerts for failed SSH attempts and whenever a system file changes, which is super helpful. Plus, it’s easy to install and has a free version that works well enough for me!
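The two checks this answer gets from OSSEC, failed SSH logins and system-file changes, are simple enough to show in full. The following is an added example written for this thread, not OSSEC's own code or the poster's setup: a sliding-window detector over sshd "Failed password" lines and a hash-baseline file integrity check. The auth.log excerpt is constructed (hostnames, pids and the documentation-range IP addresses 203.0.113.5 and 198.51.100.20 are made up); the threshold of three failures in sixty seconds is an assumed tuning value, not an OSSEC default.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not real captured traffic).
SAMPLE_AUTH_LOG = """\
Nov 14 22:01:05 web1 sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 14 22:01:07 web1 sshd[2347]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 14 22:01:09 web1 sshd[2349]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Nov 14 22:01:10 web1 sshd[2351]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Nov 14 22:05:00 web1 sshd[2360]: Failed password for deploy from 198.51.100.20 port 40030 ssh2
Nov 14 22:30:00 web1 sshd[2400]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(\S+) from (\S+) port \d+')


def detect_ssh_bruteforce(text, threshold=3, window_s=60, year=2023):
    """Alert once when one source IP fails `threshold` times within `window_s` seconds.

    Syslog timestamps carry no year, so one is assumed; a real collector would
    take it from the receive time.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried during the current window
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts_raw, user, ip = m.groups()
        ts = datetime.strptime(f"{year} {' '.join(ts_raw.split())}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": ip, "count": len(q), "users": sorted(users[ip]),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()            # start a fresh window so one burst yields one alert
            users[ip].clear()
    return alerts


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Hash each watched file; a missing file is recorded as None so later creation is noticed."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def diff_baseline(old, new):
    """Compare two baselines and report what changed, appeared or disappeared."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] and new[p] and old[p] != new[p]),
        "removed": sorted(p for p in old if old[p] and not new.get(p)),
        "added": sorted(p for p in new if new[p] and not old.get(p)),
    }


def fim_demo():
    """Create a throwaway watched file, modify it, and show the resulting diff."""
    with tempfile.TemporaryDirectory() as d:
        watched = [os.path.join(d, "sshd_config"), os.path.join(d, "sudoers")]
        with open(watched[0], "w") as f:
            f.write("PermitRootLogin no\n")
        before = build_baseline(watched)
        with open(watched[0], "w") as f:
            f.write("PermitRootLogin yes\n")        # the kind of edit you want to hear about
        with open(watched[1], "w") as f:
            f.write("ALL ALL=(ALL) NOPASSWD: ALL\n")
        return diff_baseline(before, build_baseline(watched))


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f"ssh brute force from {a['ip']}: {a['count']} failures, users {a['users']}")
    print("fim:", fim_demo())
```

Two practical notes: the baseline dictionary has to live somewhere the attacker cannot rewrite (off-box, or at least root-only and itself monitored), otherwise a file change and a baseline update arrive together; and the brute-force window resets after each alert so a sustained attack produces one alert per burst rather than one per line.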
Honestly, tools like rkhunter and chkrootkit are pretty dated and not effective anymore. We've transitioned to using Lynis which gives actionable insights, plus it’s open source so it's customizable. You’d definitely need to harden your systems on top of any scanning though. Just relying on scanners isn’t going to cut it!
It's good to hear that you're seeing success with Lynis! I think integrating something like that really bolsters your security posture.
Absolutely, automation with tools like Lynis can show auditors that you are taking steps to secure systems. It's about building that compliance narrative.
Right? It's just a resource hog that doesn't offer much real protection. Just get that checkbox ticked and move on.