Trunc has introduced a powerful new feature called Security Insights, designed to provide a quick summary of critical security events based on predefined criteria. This feature enables system administrators to gain rapid visibility into potential threats and system health, making it easier to respond swiftly and effectively. Below is an outline of the key criteria included in Security Insights:
Security Insights Criteria
Here is a table of the predefined security criteria:
Criteria | Description | Purpose | Example Log | System/Device |
---|---|---|---|---|
Authentication success via SSH for user ‘root’ | Alerts if there is a successful SSH authentication for the ‘root’ user. | Identifies potential unauthorized access using the root account. | Accepted password for root from 192.168.1.100 port 22 | Linux Server |
Low memory | Flags any log entries warning about low system memory. | Helps prevent system instability due to performance bottlenecks. | kernel: Out of memory: Kill process 1234 (mysqld) | Linux Server |
System crash | Flags logs indicating a system crash event. | Provides immediate visibility into critical system failures. | systemd: System crashed due to kernel panic. | Linux Server |
Review: Authentication via SSH | Summarizes all direct SSH connections. | Allows review of SSH activity to identify unauthorized access. | sshd: Accepted publickey for user from 203.0.113.45 | Linux Server |
Authentication success from Tor | Alerts if successful authentication is detected from the Tor network. | Identifies attempts to mask the source of unauthorized access. | Accepted password for admin from 185.220.101.35 port 22 | Linux Server |
Authentication success from blacklisted IPs | Alerts when successful authentication occurs from blacklisted IP addresses. | Detects compromised systems or malicious access attempts. | Accepted password for user from 45.67.89.10 (blacklisted) | Linux Server |
Brute force authentication attempts | Flags repeated failed authentication attempts. | Detects ongoing brute force attempts on user accounts. | sshd: Failed password for invalid user admin from 10.0.0.1 | Linux Server |
Authentication success via SSH password | Alerts if authentication via password is detected over SSH. | Identifies risks from less secure, password-based authentication. | Accepted password for user from 192.168.1.150 port 22 | Linux Server |
Accounts Added | Flags any new user accounts added for review. | Identifies unauthorized or suspicious account creation. | useradd: New user 'john_doe' added | Linux Server |
Accounts Deleted | Flags any user accounts deleted for review. | Detects potential unauthorized account deletions. | userdel: User 'john_doe' removed | Linux Server |
Sudo Authentication Fails | Alerts on Linux ‘sudo’ authentication failures. | Highlights failed privilege escalation attempts. | sudo: pam_authentication failed for user | Linux Server |
Su Authentication Fails | Alerts on Linux ‘su’ authentication failures. | Identifies failed attempts to switch users, indicating a potential issue. | su: Authentication failure for root | Linux Server |
New Applications Installed | Lists any new applications installed. | Monitors for unauthorized or suspicious software installations. | dpkg: Package 'nginx' installed successfully | Linux Server |
No New Applications Installed | Confirms that no new applications were installed. | Ensures system integrity when no changes are expected. | No package changes detected. | Linux Server |
Windows Event Log Cleared | Flags any log that indicates the Windows event log was cleared. | Detects potential attempts to hide malicious activity. | Security log cleared by user SYSTEM | Windows Server |
Disk Space Full | Flags any logs warning about the disk being full. | Prevents system failures due to lack of disk space. | Filesystem root full: 100% used | Linux Server |
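As an added illustration (example code, not Trunc's own implementation or its real matching rules), the following Python matcher applies a subset of the criteria above to constructed sample log lines; the regexes, the Tor exit and blacklist sets, and the brute-force threshold are assumptions modelled on the table's example logs. It also shows the two criteria that cannot be decided from a single line: brute force needs a count across lines, and "No New Applications Installed" is the absence of a match.

```python
import re
from collections import Counter, defaultdict

# Constructed regexes approximating the table's example logs, not Trunc's real rules.
RULES = [
    ("Authentication success via SSH for user 'root'", r"Accepted \w+ for root from"),
    ("Authentication success via SSH password", r"Accepted password for \S+ from"),
    ("Review: Authentication via SSH", r"sshd: Accepted"),
    ("Low memory", r"Out of memory"),
    ("Accounts Added", r"useradd: New user"),
    ("Sudo Authentication Fails", r"sudo: .*authentication fail"),
    ("New Applications Installed", r"dpkg: Package '.*' installed"),
    ("Disk Space Full", r"full: 100% used"),
]
ACCEPTED = re.compile(r"Accepted \w+ for \S+ from (\S+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")
TOR_EXITS = {"185.220.101.35"}  # constructed stand-in for a Tor exit-node feed
BLACKLIST = {"45.67.89.10"}     # constructed stand-in for an IP blacklist feed
BRUTE_FORCE_THRESHOLD = 5       # assumed: this many failures from one source

def summarize(lines):
    # Returns {criterion: [evidence]} containing only the criteria that fired.
    hits = defaultdict(list)
    failures = Counter()
    for line in lines:
        for name, pattern in RULES:
            if re.search(pattern, line, re.I):
                hits[name].append(line)
        if m := ACCEPTED.search(line):  # source-IP based insights
            if m.group(1) in TOR_EXITS:
                hits["Authentication success from Tor"].append(line)
            if m.group(1) in BLACKLIST:
                hits["Authentication success from blacklisted IPs"].append(line)
        if m := FAILED.search(line):
            failures[m.group(1)] += 1
    for ip, n in failures.items():  # brute force needs counting, not one line
        if n >= BRUTE_FORCE_THRESHOLD:
            hits["Brute force authentication attempts"].append(f"{n} failed logins from {ip}")
    if "New Applications Installed" not in hits:  # the "nothing happened" insight
        hits["No New Applications Installed"].append("No package changes detected.")
    return dict(hits)

# Constructed sample log: lines modelled on the table's examples plus a failure burst.
SAMPLE_LOG = [
    "sshd: Accepted password for root from 192.168.1.100 port 22",
    "sshd: Accepted publickey for alice from 203.0.113.45 port 22",
    "sshd: Accepted password for admin from 185.220.101.35 port 22",
    "kernel: Out of memory: Kill process 1234 (mysqld)",
    "sudo: pam_authentication failed for user bob",
] + ["sshd: Failed password for invalid user admin from 10.0.0.1 port 22"] * 6
```

Note that one line can feed several insights: the root login above fires the root rule, the password rule and the SSH review at once, which is why the summary is keyed by criterion rather than by line.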