We need to create a rule under /etc/rsyslog.d/ that hands log lines to an external program.

module(load="imfile")
module(load="omprog")
input(type="imfile"
File="/opt/app/app.log"
Tag="app"
Facility="user"
Severity="info"
PersistStateInterval="1"
reopenOnTruncate="on"
freshStartTail="on"
ruleset="app-log")
ruleset(name="app-log") {
action(type="omprog"
binary="/usr/local/bin/omsplunkhec.py …

First of all, we need a modern and maintained tool to dump memory, and to do it over the network. The recommended one is from Microsoft: avml /dev/stdout | aws s3 cp - s3://dfir/memory. Microsoft must have it because they ported Hyper-V to Linux and run container/Kubernetes on Linux in a shared…


Red Hat 7.9, originally released in 2013 with 10 years of Long Term Support, uses GNU C library version 2.17. Linpem binaries built on Debian and released in 2019 use symbols from glibc 2.25 and 2.27. This binary does not run on Red Hat 7.9.

The good thing is…


The common knowledge is that it's not possible, because missing functions are usually tied to symbol versions that are not present. Example: Red Hat 8, where the getrandom() function is marked as GLIBC_2.25, versus Red Hat 7 with GNU Lib C 2.17. Symbol version GLIBC_2.25 …


Covid-19 showed us how close death can be. Maybe there are people who run away from it. They claim there is no pandemic, that it is just flu and a cold. The fact of death is obvious, however, and has to be faced.

If the brain stops working, and with its shutdown my "I" perishes, then…


Google for a cyber threat map, open the page and look in the source code for "random". You would be surprised.

BitDefender, without any obfuscation of the JS, uses a function named generateAttacksRandomly. The random pick is a pair of cities and an issue type (infection, attack or spam).

If you've got very specific requirements which would be hard to get from a big vendor, think about a startup.


I was analyzing the common approach to Endpoint Detection using the Linux Audit subsystem and its rules, and I thought that it would be better to monitor syscalls instead of commands. We can step one level below. For example: "ifconfig eth0 promisc" can be replaced with "PARAM=promisc cat $(which ifconfig) > /tmp/cmd…


Linux gives you a powerful auditing subsystem compliant with Common Criteria 4. You just need to design smart rules. Example below.

## https://github.com/Neo23x0/auditd/blob/master/audit.rules (2020/11/17)
## https://documentation.suse.com/sles/11-SP4/html/SLES-all/cha-audit-scenarios.html
## https://filippo.io/linux-syscall-table

# Remove any existing rules
-D

# Buffer Size
## Feel free to increase this if the machine panics
-b 8192

# Failure…


It's not uncommon to have 2 data centers if you want on-prem high availability. The primary may host everything and the secondary just fits all business-critical services in case of a failure of the 1st DC. Let's say we want to have a highly available Event Bus with 2 DCs. …

Jakub Jóźwicki

Cloud Security Engineer
