Audit operating system to detect connections/modifications?

Dibunom

Hi, I would like to know if there is any way to find out if someone has managed to copy/modify files.

I always set the Firewall to reject incoming connections, but I don't know if that will be enough to not worry.

How can I tell if an application is reading data it shouldn't read or sending information to a server? Is it possible on Linux?

I would like to know ways or recommendations to audit the operating system and know that I should not worry.

Thanks.
 


Don't Worry....Be Happy !!! (You're with Linux Now)

Source your applications from the Software Manager (I am assuming you are using Linux Mint ?)

Use your browser responsibly.

Ensure your system has the latest updates.

Enjoy yourself
 
Dibunom wrote:
I would like to know if there is any way to find out if someone has managed to copy/modify files.

What Condobloke said.

If you are running through a router connecting to the internet, it will almost certainly have a firewall so most users sitting behind that don't need to activate a firewall at all. And you may be able to configure that firewall as well through your browser. Usually the router only allows in what the user has "requested" in their browser use or other downloading functions, and rejects unsolicited probes. If you are running a server, that has more need and use for a firewall.

On the matter of checking for changes in files, if you are unsure about any particular file you can use the stat command on the file and it will let you know the dates the file has been accessed or changed:
Code:
[flip@flop ~]$ stat testfile
  File: testfile
  Size: 181             Blocks: 8          IO Block: 4096   regular file
Device: 8,4     Inode: 25696540    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/     ben)   Gid: ( 1000/     ben)
Access: 2022-10-25 08:55:32.693760309 +1100
Modify: 2022-09-16 17:19:29.706292505 +1000
Change: 2022-09-16 17:19:29.742293517 +1000
 Birth: 2022-09-16 17:19:29.706292505 +1000
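
The Access and Modify times that stat prints can be set with touch by the file's owner (or root), so a content-hash baseline is a more reliable check for changed files. The script below is an added example, not part of the original posts: the function names snapshot, compare and demo and the sample files are constructed for illustration, and it assumes GNU coreutils (sha256sum, stat -c).

```shell
#!/bin/sh
# Added example, not from the thread. snapshot/compare/demo are illustrative names.
# Assumes GNU coreutils (sha256sum, stat -c). Paths containing newlines are not supported.

# snapshot DIR: one line per regular file: "<sha256> <mtime epoch> <path>"
snapshot() {
    find "$1" -type f -exec sh -c '
        for f in "$@"; do
            printf "%s %s %s\n" "$(sha256sum < "$f" | cut -d" " -f1)" \
                "$(stat -c %Y "$f")" "$f"
        done' sh {} +
}

# compare OLD NEW: list files added, removed, or changed in content between two snapshots.
compare() {
    awk '
        function path(line) { sub(/^[^ ]+ [^ ]+ /, "", line); return line }
        FILENAME == ARGV[1] { p = path($0); hash[p] = $1; mtime[p] = $2; next }
        {
            p = path($0); seen[p] = 1
            if (!(p in hash)) { print "ADDED " p; next }
            # Append "" to force string comparison of the hex digests.
            if ((hash[p] "") != ($1 "")) {
                tag = (mtime[p] == $2) ? "MODIFIED-SAME-MTIME " : "MODIFIED "
                print tag p
            }
        }
        END { for (p in hash) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# demo: constructed sample tree showing a content change that stat's Modify time hides.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tree"
    printf 'alpha\n' > "$d/tree/notes.txt"
    printf 'gamma\n' > "$d/tree/old.txt"
    touch -t 202209161719.29 "$d/tree/notes.txt"
    snapshot "$d/tree" > "$d/base"                  # baseline taken while the files are trusted
    printf 'ALPHA\n' > "$d/tree/notes.txt"          # content changes...
    touch -t 202209161719.29 "$d/tree/notes.txt"    # ...but Modify time is set back
    rm "$d/tree/old.txt"
    printf 'delta\n' > "$d/tree/new.txt"
    snapshot "$d/tree" > "$d/now"
    compare "$d/base" "$d/now" | sed "s|$d/tree/||"
    rm -rf "$d"
}

demo
```

Keep the baseline file somewhere the account being checked cannot write, otherwise it can be regenerated along with the change.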
 
When I download a new Mint ISO...I run the checksum...so I know the ISO is good and enable the firewall as Condobloke said...you're using Linux now because Linux isn't windwoes.
 
Take a look at auditd.

It's not exactly that simple. There are multiple things you can do to mitigate this.
Also you might run intrusion detection.
Run the "last" command to see who logged in and when.
 