* Security Auditd Config for Enterprises
@ 2020-09-04 13:38 Rohit Nambiar
2020-09-04 15:27 ` Christian, Mark
2020-09-04 15:41 ` Steve Grubb
0 siblings, 2 replies; 3+ messages in thread
From: Rohit Nambiar @ 2020-09-04 13:38 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 424 bytes --]
Hi all!
Apologies if this topic has already been discussed before, I couldn't find
an easy way to sift through older archives.
Is there an auditd rule set which offers a reasonable level of security
visibility and has been tested on enterprise production systems? And if
such a rule set can be shared here?
I'm looking for a base document to deploy/modify for use within my
organization. Many thanks in advance.
Regards
[-- Attachment #1.2: Type: text/html, Size: 602 bytes --]
[-- Attachment #2: Type: text/plain, Size: 102 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Security Auditd Config for Enterprises
2020-09-04 13:38 Security Auditd Config for Enterprises Rohit Nambiar
@ 2020-09-04 15:27 ` Christian, Mark
2020-09-04 15:41 ` Steve Grubb
1 sibling, 0 replies; 3+ messages in thread
From: Christian, Mark @ 2020-09-04 15:27 UTC (permalink / raw)
To: linux-audit
On Fri, 2020-09-04 at 19:08 +0530, Rohit Nambiar wrote:
> Hi all!
>
> Apologies if this topic has already been discussed before, I couldn't
> find an easy way to sift through older archives.
>
> Is there an auditd rule set which offers a reasonable level of
> security visibility and has been tested on enterprise production
> systems? And if such a rule set can be shared here?
>
> I'm looking for a base document to deploy/modify for use within my
> organization. Many thanks in advance.
consider:
https://github.com/linux-audit/audit-userspace/tree/master/rules
Depending on the age of your auditd, these examples may not work for
you, so test and verify.
Mark
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Security Auditd Config for Enterprises
2020-09-04 13:38 Security Auditd Config for Enterprises Rohit Nambiar
2020-09-04 15:27 ` Christian, Mark
@ 2020-09-04 15:41 ` Steve Grubb
1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2020-09-04 15:41 UTC (permalink / raw)
To: linux-audit
Hello,
On Friday, September 4, 2020 9:38:33 AM EDT Rohit Nambiar wrote:
> Apologies if this topic has already been discussed before, I couldn't find
> an easy way to sift through older archives.
>
> Is there an auditd rule set which offers a reasonable level of security
> visibility and has been tested on enterprise production systems? And if
> such a rule set can be shared here?
>
> I'm looking for a base document to deploy/modify for use within my
> organization. Many thanks in advance.
The audit system ships a set of pre-written rules for various scenarios. It
should be a matter of locating them over in /usr/share and copying them to
/etc/audit/rules.d/
The rules that I would recommend are the OSPP rules. They form the basis of
the STIG auditing requirements. And I believe CIS's guidance would have
similar rules. That means you would copy the following files (you can also get
these from github if they are not on your system):
10-base-config.rules
11-loginuid.rules
30-ospp-v42-1-create-failed.rules
30-ospp-v42-2-modify-failed.rules
30-ospp-v42-3-access-failed.rules
30-ospp-v42-4-delete-failed.rules
30-ospp-v42-5-perm-change-failed.rules
30-ospp-v42-6-owner-change-failed.rules
43-module-load.rules
The above is designed tro detect violations of the security policy. Meaning
someone trying to access something they do not have permissions for. If you
also need to audit successful events, then copy the corresponging success
rules. However, when you capture all success events, then system update will
be a high volume of events.
HTH,
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-09-04 15:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-04 13:38 Security Auditd Config for Enterprises Rohit Nambiar
2020-09-04 15:27 ` Christian, Mark
2020-09-04 15:41 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).