* Audit class/lab
From: Steve Grubb @ 2015-07-15 22:19 UTC (permalink / raw)
  To: linux-audit

Hello,

I normally don't put the word out about speeches I give, or things like that.
But I am going to be teaching a hands-on audit class to demonstrate how to
configure, set up rules, and do searching and reporting using the native Linux
audit tools.

The lab will be part of the Defence in Depth conference in Washington (Tyson's
Corner, VA) on Sept 1. It's free, you just have to register. More info:

http://www.redhat.com/en/about/events/2015-defense-depth

I will be going over new features that aid insider threat detection and signs
of intrusion in addition to basics. Bring your questions and problems, let's
talk.

-Steve


* Re: Audit class/lab
From: Smith, Gary R @ 2015-07-16 17:03 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

Hi Steve,

Any chance that your presentation would get recorded for later viewing
by those of us who have no budget for travel at the end of the fiscal year?

Best regards,

Gary Smith


* Re: Audit class/lab
From: Steve Grubb @ 2015-07-16 18:12 UTC (permalink / raw)
  To: Smith, Gary R; +Cc: linux-audit

On Thursday, July 16, 2015 05:03:26 PM Smith, Gary R wrote:
> Any chance that your presentation would get recorded for later viewing
> by those of us who have no budget for travel at the end of the fiscal year?

This presentation will not be recorded. Slides will be available. I might do 
something separately from this conference so that there's something people can 
watch. But I expect the lab to be interactive where people can say, "We have 
these requirements, what would be the best way to do it?"  And sometimes, 
there isn't a best way and I take notes to look into it more deeply.

-Steve



* Re: Audit class/lab
From: Burn Alting @ 2015-07-24 22:39 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Steve,

The agenda infers that to attend a lab, you must bring a wifi-capable
laptop with an SSH client installed.

Is this a requirement for your lab or just the Applied SCAP Lab?

Regards


* Re: Audit class/lab
From: Steve Grubb @ 2015-07-27 13:35 UTC (permalink / raw)
  To: burn; +Cc: linux-audit

On Saturday, July 25, 2015 08:39:22 AM Burn Alting wrote:
> Steve,
> 
> The agenda infers that to attend a lab, you must bring a wifi-capable
> laptop with an SSH client installed.
> 
> Is this a requirement for your lab or just the Applied SCAP Lab?

It's not my requirement. However, since it will be about Linux auditing and
people are requested to have a laptop with a Linux image available, ssh client
should be there. Again, no plans for ssh right now.

-Steve



* Re: Audit class/lab
From: Steve Grubb @ 2015-08-31 14:15 UTC (permalink / raw)
  To: linux-audit

On Wednesday, July 15, 2015 06:19:30 PM Steve Grubb wrote:
> Hello,
> 
> I normally don't put the word out about speeches I give, or things like
> that. But I am going to be teaching a hands-on audit class to demonstrate
> how to configure, set up rules, and do searching and reporting using the
> native Linux audit tools.
> 
> The lab will be part of the Defence in Depth conference in Washington
> (Tyson's Corner, VA) on Sept 1. It's free, you just have to register. More
> info:
> 
> http://www.redhat.com/en/about/events/2015-defense-depth
> 
> I will be going over new features that aid insider threat detection and
> signs of intrusion in addition to basics. Bring your questions and
> problems, let's talk.

For anyone attending the class tomorrow, I have a tarball with some rules for
you to install. These rules are not exactly what I'd suggest running with on a
daily basis; they are intended to cause different kinds of events that we'll
talk about. Please install them before the class so that you have events to
see.

http://people.redhat.com/sgrubb/files/lab.tar.gz

I'd also suggest using Fedora 22 or RHEL7 or any distribution that's recent. 
If you can, I'd also suggest using the most recent audit package.

Thanks,
-Steve
