Linux-audit Archive on lore.kernel.org
* Security Auditd Config for Enterprises
@ 2020-09-04 13:38 Rohit Nambiar
  2020-09-04 15:27 ` Christian, Mark
  2020-09-04 15:41 ` Steve Grubb
  0 siblings, 2 replies; 3+ messages in thread
From: Rohit Nambiar @ 2020-09-04 13:38 UTC (permalink / raw)
  To: linux-audit


Hi all!

Apologies if this topic has already been discussed before, I couldn't find
an easy way to sift through older archives.

Is there an auditd rule set which offers a reasonable level of security
visibility and has been tested on enterprise production systems? And if
such a rule set can be shared here?

I'm looking for a base document to deploy/modify for use within my
organization. Many thanks in advance.

Regards


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Security Auditd Config for Enterprises
  2020-09-04 13:38 Security Auditd Config for Enterprises Rohit Nambiar
@ 2020-09-04 15:27 ` Christian, Mark
  2020-09-04 15:41 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Christian, Mark @ 2020-09-04 15:27 UTC (permalink / raw)
  To: linux-audit

On Fri, 2020-09-04 at 19:08 +0530, Rohit Nambiar wrote:
> Hi all!
> 
> Apologies if this topic has already been discussed before, I couldn't
> find an easy way to sift through older archives.
> 
> Is there an auditd rule set which offers a reasonable level of
> security visibility and has been tested on enterprise production
> systems? And if such a rule set can be shared here? 
> 
> I'm looking for a base document to deploy/modify for use within my
> organization. Many thanks in advance.

consider:
https://github.com/linux-audit/audit-userspace/tree/master/rules

Depending on the age of your auditd, these examples may not work for
you, so test and verify.

Mark




* Re: Security Auditd Config for Enterprises
  2020-09-04 13:38 Security Auditd Config for Enterprises Rohit Nambiar
  2020-09-04 15:27 ` Christian, Mark
@ 2020-09-04 15:41 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2020-09-04 15:41 UTC (permalink / raw)
  To: linux-audit

Hello,

On Friday, September 4, 2020 9:38:33 AM EDT Rohit Nambiar wrote:
> Apologies if this topic has already been discussed before, I couldn't find
> an easy way to sift through older archives.
> 
> Is there an auditd rule set which offers a reasonable level of security
> visibility and has been tested on enterprise production systems? And if
> such a rule set can be shared here?
> 
> I'm looking for a base document to deploy/modify for use within my
> organization. Many thanks in advance.

The audit system ships a set of pre-written rules for various scenarios. It 
should be a matter of locating them over in /usr/share and copying them to 
/etc/audit/rules.d/

The rules that I would recommend are the OSPP rules. They form the basis of 
the STIG auditing requirements. And I believe CIS's guidance would have 
similar rules. That means you would copy the following files (you can also get 
these from github if they are not on your system):

10-base-config.rules
11-loginuid.rules
30-ospp-v42-1-create-failed.rules
30-ospp-v42-2-modify-failed.rules
30-ospp-v42-3-access-failed.rules
30-ospp-v42-4-delete-failed.rules
30-ospp-v42-5-perm-change-failed.rules
30-ospp-v42-6-owner-change-failed.rules
43-module-load.rules

The above is designed to detect violations of the security policy, meaning 
someone trying to access something they do not have permissions for. If you 
also need to audit successful events, then copy the corresponding success 
rules. However, when you capture all success events, then a system update will 
produce a high volume of events.

HTH,
-Steve


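The copy-and-load procedure from Steve's reply, together with Mark's "test and verify" caveat, as an added shell example. This is not code from the thread or from the audit-userspace project. It assumes the sample rules are installed under /usr/share/audit/sample-rules (the thread only says "over in /usr/share"; locate them with `find /usr/share -name '30-ospp-*.rules'` on other packages) and that `augenrules --load` and `auditctl -l` are the commands used to merge rules.d and list what the kernel accepted. It stages the nine files as a unit, refusing to copy anything if one is missing, and reports the syscall rules that carry no `-F exit=` filter, i.e. the ones that will also fire on successful calls and drive event volume.

```shell
#!/bin/sh
# Added example (not from the thread): stage the OSPP failed-event rule set
# into /etc/audit/rules.d and load it.
# ASSUMPTION: sample rules live in /usr/share/audit/sample-rules; override
# with AUDIT_SAMPLE_RULES=/path if your package installs them elsewhere.
set -eu

# The files listed in the reply, lowest prefix loads first.
OSPP_FILES="10-base-config.rules 11-loginuid.rules
30-ospp-v42-1-create-failed.rules 30-ospp-v42-2-modify-failed.rules
30-ospp-v42-3-access-failed.rules 30-ospp-v42-4-delete-failed.rules
30-ospp-v42-5-perm-change-failed.rules 30-ospp-v42-6-owner-change-failed.rules
43-module-load.rules"

# stage_rules SRC DST: copy every listed file from SRC to DST.
# Checks all files exist before copying any, so a partial rule set
# (which augenrules would happily load) never reaches rules.d.
stage_rules() {
    src=$1; dst=$2
    for f in $OSPP_FILES; do
        [ -r "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    for f in $OSPP_FILES; do
        cp "$src/$f" "$dst/$f"
        chmod 0640 "$dst/$f"
    done
    return 0
}

# count_rules_without_exit_filter DIR: number of "-a always,exit" syscall
# rules in DIR/*.rules that carry no "-F exit=" match. Such rules fire on
# successful as well as failed calls. The *-failed.rules files contribute
# none; review the rest (e.g. module-load rules) for expected volume.
count_rules_without_exit_filter() {
    cat "$1"/*.rules 2>/dev/null \
      | grep -E '^-a[[:space:]]+always,exit' \
      | grep -cv -- '-F exit=' || true
}

# load_rules: merge rules.d into audit.rules, load into the kernel and
# print what the kernel accepted. Needs root and a running auditd.
load_rules() {
    augenrules --load
    auditctl -l
}

# Deployment runs only when explicitly requested, e.g.
#   DEPLOY_OSPP_RULES=1 sudo sh deploy-ospp-rules.sh
if [ "${DEPLOY_OSPP_RULES:-0}" = 1 ]; then
    SRC=${AUDIT_SAMPLE_RULES:-/usr/share/audit/sample-rules}
    stage_rules "$SRC" /etc/audit/rules.d
    echo "syscall rules without an exit-status filter (also fire on success):"
    count_rules_without_exit_filter /etc/audit/rules.d
    load_rules
fi
```

Compare the `auditctl -l` output against the staged files: a rule the kernel rejected (an unknown syscall name or field on an older auditd, which is Mark's point) is simply absent from the listing, and `augenrules --load` does not stop on it.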
