
Linux Server Administration & Security Monitoring (Home Lab)

October 2025
Tags: Linux, Wazuh, SIEM, SecurityOps


Project Overview

In this home lab project, I built a comprehensive security monitoring environment using Wazuh SIEM. The goal was to simulate a real-world enterprise detection environment and practice standard SOC workflows including log analysis, integrity monitoring, and incident response.

Key Accomplishments

1. Unified SIEM Deployment

  • Deployed Wazuh SIEM v4.13.1 on an Ubuntu server acting as the central manager.
  • Configured a distributed agent architecture across multiple virtual machines (Linux & Windows).
  • Hardened agent communication using Tailscale to ensure encrypted telemetry across network segments.

2. File Integrity Monitoring (FIM)

Configured aggressive FIM policies to monitor critical system directories for unauthorized changes:

  • /etc (Configuration files)
  • /usr/bin (System binaries)
  • /home (User directories)

This provided real-time alerts for any permission changes, content modifications, or ownership shifts—critical for detecting persistence mechanisms like modified startup scripts or backdoored binaries.

3. Custom Alerting & Tuning

  • Implemented custom XML rules to reduce noise from routine administrative tasks.
  • Tuned log collection via UDP 1514 to ensure reliable delivery without flooding the network.
  • Mapped alerts to MITRE ATT&CK tactics to visualize coverage gaps.
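The kind of FIM configuration and noise-reduction rule described in sections 2 and 3, written out as an added illustration rather than the lab's actual files. The monitored directories come from the page; the ignore patterns, the rule id 100100 and the user-directory regex are assumed values chosen for the example.

```xml
<!-- Fragment of /var/ossec/etc/ossec.conf (illustrative, not the lab's own file) -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Full scan twice a day; realtime (inotify) watches catch changes in between -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- check_all covers size, permissions, owner, group, mtime, inode and hashes,
         which is what turns permission/ownership shifts into alerts.
         report_changes keeps a diff of text files so the alert shows what changed.
         whodata needs auditd on the agent and records which user/process wrote. -->
    <directories check_all="yes" report_changes="yes" whodata="yes">/etc</directories>
    <directories realtime="yes" check_all="yes">/usr/bin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/home</directories>

    <!-- Noise reduction at the source: files that churn constantly (assumed patterns) -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">\.swp$|\.lock$|/\.cache/</ignore>

    <alert_new_files>yes</alert_new_files>
    <skip_nfs>yes</skip_nfs>
  </syscheck>
</ossec_config>

<!-- Fragment of /var/ossec/etc/rules/local_rules.xml: routine changes under a
     user's ~/.local are lowered to level 3 so they stop paging anyone, while
     /etc and /usr/bin keep the stock syscheck levels (550 = modified,
     553 = deleted, 554 = added). Rule id 100100 is an assumed local id. -->
<group name="local,syscheck,">
  <rule id="100100" level="3">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/home/\S+/\.local/</field>
    <description>FIM: routine change under a user's .local directory (tuned down)</description>
  </rule>
</group>
```

After editing either file, restart the manager (or agent) and confirm the settings loaded with `/var/ossec/bin/wazuh-control restart` and `/var/ossec/bin/wazuh-logtest` for the rule.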

Outcomes

  • Successfully detected simulated attacks including SSH brute force and privilege escalation attempts.
  • Gained deep familiarity with RSYSLOG, Auditd, and Wazuh config syntax.
  • Documented incident response playbooks for common alarms.