1. What is the primary place to store log files on a local Linux system and what are recommended procedures for that location?
Almost all logfiles are located under /var/log directory
It is very important that the information that comes from syslog not be compromised. Making the files in /var/log readable and writable by only a limited number of users is a good start.

2. Why remote logging to a central server is considered a best practice?
To identify a baseline system state with the use of the logs & to keep the information from prying eyes.

3. What is the syntax and file you would edit with the necessary entries to send syslogs from your Linux system to a logging server at 172.130.1.254? su –c ’ vi/etc/rsyslog.conf ‘, then remove the # from in front of $ModLoadimudp and $UDPServerRun514 if it hasn’t already been done. Then add a line below remote host with the following syntax *.*@@172.130.1.254:541

4. Why is the “Tripwire” application considered a file integrity checker?
File Integrity Monitoring is available as a standalone solution or as part of Tripwire’s Security Configuration Management suite, where you have continual assurance of the integrity of security configurations and complete visibility and control of all change for your continuous monitoring, change audit and compliance demands.

5. Could rkhunter be considered a file integrity checker? Why or why not?
Rootkit Hunter is considered a file integrity checker because it offers a scan for file properties just as other file integrity checkers do. It is completely dependent on making sure that you have an accurate database to scan from.

6. How would you check to see that a scheduled recurring cron job was scheduled to run?
You can configure a cron to send the output of the script to a user via system mail or redirect the output to a file; however not all crons are setup the same and many times they may be configured to send output to /dev/null hindering any ability to validate the job ran.

7. How would you syslog only error conditions or above to a remote logging server listed as 172.130.1.254 when it had to do with cron jobs?
Type the command su –c ‘ vi /etc/rsyslog.conf ‘ and then scoll down to after the last entry listed under remote-host and add the line syslog.err @@172.130.1.254:61514

8. As a system administrator you notice the logs on your system are starting to take lots of space. You have a remote syslog server with plenty of space but want to minimize the amount of logs on the physical system. What is a manual and an automatic way to do this in Linux?
You can tediously manually delete the old logs or you can utilize log rotate which is designated for automatic rotation, compression, and removal of log files. It uses a cron job for scheduling of tasks, the configuration settings can be accessed by typing /etc/logrotate.conf

9. What port does syslog run on and what transport protocol does it use? Why is this important information?
Port 514 – Syslog protocol does not ensure ordered delivery of packets.

10. Specify a security implication of the Syslog service on a system?
A good syslog implementation has the potential to drastically increase an organization’s security defense posture and stability if fully implemented while continuing to meet or exceed these regulatory requirements. Because security and IT professionals tend to look at syslog in a blinded manner, it tends to be an unknown gem in the security and IT industries.