- Firewall
- Fail2Ban
- AV / NGAV
- HIDS
- SIEM
- Auditd
- SysmonForLinux (eBPF)
- SELinux / AppArmor (SELinux is more granular, AppArmor is easier to write policy for; they are mutually exclusive LSMs, so enable only one of them)
- LKRG
- USBGuard
- Backup (rsync / rclone + Google Drive; keep at least one copy offline or on a separate credential so ransomware on the host cannot reach it)
- BIOS / UEFI password (plus boot-order lock, otherwise the disk is trivially booted from a live USB)
- Encrypted filesystem (e.g. LUKS full-disk encryption)
Audit
- Lynis
- linpeas.sh (privilege-escalation enumeration script; run it as an attacker would to find what the hardening missed)
Monitoring
- hunt for reverse shells: list established TCP connections with their owning process and look for shells or interpreters (bash, sh, nc, socat, python, ...) talking to unexpected peers:
sudo netstat -anp | grep ESTABLISHED
sudo ss -tnp | grep ESTAB
(ss is the maintained replacement for netstat; -p only shows other users' PIDs when run as root. A shell with no live connection is missed by this check, so also review LISTEN sockets.)
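Added example, not part of these notes: a small shell filter that does the reverse-shell hunt above over `ss -tnp` output instead of eyeballing it. The column layout it parses (State Recv-Q Send-Q Local Peer Process) is that of `ss -tnp`; the list of "suspect" process names and the sample socket table are assumptions made for the example, not a canonical IOC list.

```bash
#!/usr/bin/env bash
# Reverse-shell hunt over `ss -tnp` output. Added example, not part of the
# original notes. Assumptions: the `ss -tnp` column layout
# (State Recv-Q Send-Q Local Peer Process) and the SUSPECT_RE list below are
# choices made for this example, not a canonical indicator list.

# Shells and interpreters that rarely hold an outbound TCP session legitimately.
# Tune per host: a Python HTTP client on an app server is normal, bash is not.
SUSPECT_RE='^(sh|bash|dash|zsh|nc|ncat|netcat|socat|python[0-9.]*|perl|php|ruby)$'

# hunt_revshell: read `ss -tnp` lines on stdin, print one line per ESTABLISHED
# connection whose owning process matches SUSPECT_RE: "<pid> <comm> <local> -> <peer>"
hunt_revshell() {
  awk -v re="$SUSPECT_RE" '
    $1 == "ESTAB" {
      # Process column looks like: users:(("bash",pid=4242,fd=3))
      if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
        proc = substr($0, RSTART, RLENGTH)   # users:(("bash",pid=4242
        sub(/^users:\(\("/, "", proc)         # bash",pid=4242
        split(proc, p, "\",pid=")             # p[1]=bash  p[2]=4242
        if (p[1] ~ re) printf "%s %s %s -> %s\n", p[2], p[1], $4, $5
      }
    }'
}

# sample_ss_output: constructed `ss -tnp` output (fake hosts, PIDs and ports)
# used to exercise the filter offline.
sample_ss_output() {
  cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 192.168.1.10:51234 users:(("sshd",pid=1337,fd=4))
ESTAB 0 0 10.0.0.5:49822 203.0.113.7:4444 users:(("bash",pid=4242,fd=3))
ESTAB 0 0 127.0.0.1:3306 127.0.0.1:40012 users:(("mysqld",pid=900,fd=21))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=5150,fd=3))
ESTAB 0 0 10.0.0.5:49900 203.0.113.9:443 users:(("python3",pid=5151,fd=5))
EOF
}

# Usage: `sudo ./hunt_revshell.sh --live` runs against the real socket table
# (root is needed to see other users' PIDs); `--demo` runs on the sample above;
# with no argument the file only defines the functions so it can be sourced.
if [ "${1:-}" = "--live" ]; then
  ss -tnp | hunt_revshell
elif [ "${1:-}" = "--demo" ]; then
  sample_ss_output | hunt_revshell
fi
```

On the sample, the sshd and mysqld sessions are ignored and the bash session to port 4444 plus the python3 session to port 443 are reported; the LISTEN python3 socket is skipped because the hunt, like the netstat check above, only looks at established connections.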
To check
HIDS, eBPF-based
- Falco
- https://tetragon.io/
- https://github.com/chriskaliX/Hades
- SysmonForLinux
Network
- zeek
- snort
- suricata
Wazuh integrations:
- Wazuh x auditd
- Wazuh x Falco
- Wazuh x Suricata
- Wazuh x VirusTotal
- Wazuh x URLhaus
- Wazuh x TheHive
SIEM / XDR solutions:
- Wazuh (agent-based: HIDS/EDR first, with SIEM-style correlation and dashboards on top)
- UTMStack (SIEM with XDR features)
- SecurityOnion (network security monitoring distribution bundling Suricata, Zeek and the Elastic stack; closest to a pure SIEM/NSM of the three)
https://www.reddit.com/r/AskNetsec/comments/10lw9cy/utmstack_vs_wazuh_vs_security_onion/
https://www.blackhillsinfosec.com/wp-content/uploads/2021/03/SLIDES_OpenandFreeEDR.pdf
HIDS comparison
https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system_comparison