(3) Host Related Issue Investigation Flashcards
Describe a few System resource monitoring tools that can help identify an issue with a particular host
Some system resource monitoring tools that can be used to identify an issue with a specific host include:
-Processor consumption and monitoring
-Memory consumption/monitoring
-Drive capacity consumption/monitoring
-Filesystem changes and abnormalities
In terms of host related issues, what can increased processor consumption indicate?
In terms of host related issues, increased processor consumption can indicate that new software or processes are active, or it can point to a DoS situation. You’ll need more data than CPU consumption alone to accurately identify what is going on, though.
How should memory consumption be considered when monitoring for host related issues?
Memory consumption tools and settings are mostly configured to watch for overall usage, not for what specifically is using the memory.
Therefore, most alarms are going to be set to look for out-of-memory situations or, in Windows terms, a buffer overflow tag in the memory section of a Windows machine.
What is the main focus of drive capacity monitoring in terms of potential Host Related issues?
Drive capacity monitoring usually focuses on preventing a drive from filling up and causing an issue.
Tools to help avoid this are available on all major OSes and in security monitoring systems like System Center Operations Manager (SCOM) for Windows or Nagios for Linux.
In terms of monitoring for host based issues, how can disk monitoring in real time be extra useful?
In terms of monitoring for host-based issues, disk monitoring in real time can help resolve an issue quickly, because disks can fill up quickly and cause issues fast.
In terms of host related issues, what filesystem monitoring should be done? What process should be used to determine if a file is correct and good before being installed or otherwise brought into the network?
In terms of host related issues, monitoring filesystem changes can help detect and stop attacks in real time.
Manual verification of files is a good habit as well, to make sure that the checksum matches what it should.
In terms of host related issues, describe the Windows Resource Monitor, or resmon
Resource Monitor, or resmon, is a Windows resource monitor that provides an easy view into:
-CPU
-Memory
-Disk
-Network utilization for a system
It also shows network activity, including open TCP connections and which services are associated with open system ports.
In terms of host related issues, describe the Windows Performance Monitor, or perfmon
In terms of host related issues, perfmon provides detailed data, ranging from energy usage data counters to disk and network activity.
Collection from remote systems is available, as are remote system activity views, which are broader and include more data.
When considering Windows perfmon and resmon, what are the tools’ strengths and weaknesses?
In terms of strengths and weaknesses, perfmon is better for detailed data collection, and resmon is good for basic usage stats at a quick glance.
Describe the Sysinternals suite for Windows
Sysinternals gives monitoring capabilities at a deeper level. You should test it out.
Name a couple of Linux tools that can be used to check CPU, disk, and memory usage
A few Linux tools that can be used to check CPU, disk, and memory usage include:
-ps
-top
-df
-w
Describe the Linux ps tool
Within Linux, ps gives data regarding CPU and memory usage, the time the process was started, how long it has run, and the command that started the process.
Describe the Linux “top” tool
Within Linux, the “top” tool shows CPU utilization under the CPU stats and shows memory usage, in addition to details of running processes.
One can also use hotkeys to quickly identify the top process by entering A.
Describe the Linux df tool
The Linux df tool offers a report of disk usage on the system, with additional flags that provide extra info and control formatting.
Describe the Linux “w” tool
Within Linux, the “w” tool provides details about logged-in accounts.
This can be helpful to figure out who is using a particular process.