
What does your /etc/audit/rules.d/audit.rules look like?

marklaw2
Explorer


There are lots of knobs and dials to turn in the audit.rules file. Can you provide some examples of what basic, intermediate and paranoid rules sets would look like?


doksu
SplunkTrust

My personal suggestion would be to implement watch rules for changes to system/service configurations (i.e. /etc), changes to scheduled jobs (i.e. /var/spool/(cron|at)), and kernel [/module] changes (i.e. /boot). Malware also likes to put stuff in /usr and /lib*, so consider watching for writes there too. Keep in mind that when updates are installed, it will generate a large number of events. If you have services that write to these paths frequently, it could DoS the machine, and considering auditd's default behaviour is to halt the machine if the filesystem it's attempting to write to fills up, I suggest careful testing in non-production environments.

Finally, if you can't fix an SELinux policy issue, don't disable it; instead, change it to permissive.

Here's my disclaimer for this advice which is basically a modified MIT license:

THIS ADVICE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS ADVICE OR THE USE OR OTHER DEALINGS IN THIS ADVICE.

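To make the answer above concrete, here is an added example (not doksu's rules file and not a Splunk artifact) that renders the watch rules it describes as three cumulative tiers and then checks an existing audit.rules for gaps against a tier. The tier grouping, the key names, the `/lib/modules` and `/lib64` entries, and the `exclude_exes` option are this example's own assumptions; the watched paths are the ones the answer names. It writes nothing to the system, so it can be run anywhere before the output is reviewed and loaded with `auditctl -R` on a test host.

```python
"""Tiered auditd watch-rule generator and checker (added example).

Paths come from the answer above; tier grouping, keys and helper names
are assumptions made here. Nothing is loaded into the kernel.
"""
import shlex

# "-w" takes no globs and a directory watch is recursive, so /lib* is
# spelled out as concrete directories. Adjust to what exists on the host.
TIERS = {
    "basic": [
        ("/etc", "wa", "sys_config"),
        ("/var/spool/cron", "wa", "sched_jobs"),
        ("/var/spool/at", "wa", "sched_jobs"),
    ],
    "intermediate": [
        ("/boot", "wa", "kernel_boot"),
        ("/lib/modules", "wa", "kernel_modules"),   # assumed module path
    ],
    "paranoid": [
        ("/usr", "wa", "usr_writes"),
        ("/lib", "wa", "lib_writes"),
        ("/lib64", "wa", "lib_writes"),
    ],
}
TIER_ORDER = ["basic", "intermediate", "paranoid"]


def watches_for(tier):
    """Cumulative (path, perms, key) list: paranoid includes the lower tiers."""
    idx = TIER_ORDER.index(tier)
    out = []
    for name in TIER_ORDER[: idx + 1]:
        out.extend(TIERS[name])
    return out


def render_rules(tier, exclude_exes=()):
    """Render audit.rules text for a tier.

    exclude_exes: programs (e.g. a package manager) whose writes should be
    dropped, to blunt the update-time event flood the answer warns about.
    '-F exe=' needs audit 2.6+ (assumption: your build has it); the 'never'
    rules go first because auditd matches rules in order.
    """
    lines = [
        "## Generated example rules - review before loading",
        "-D",        # flush existing rules
        "-b 8192",   # kernel backlog buffer
        "-f 1",      # on kernel-side audit failure, printk rather than panic
    ]
    for exe in exclude_exes:
        lines.append(f"-a never,exit -F arch=b64 -F exe={exe}")
    for path, perms, key in watches_for(tier):
        lines.append(f"-w {path} -p {perms} -k {key}")
    return "\n".join(lines) + "\n"


def parse_watches(rules_text):
    """Map watched path -> set of permission letters from audit.rules text.

    A '-w' rule without '-p' watches all access types (rwxa).
    """
    found = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-w":
            continue
        path, perms = toks[1], "rwxa"
        for i, tok in enumerate(toks):
            if tok == "-p" and i + 1 < len(toks):
                perms = toks[i + 1]
        found[path] = set(perms)
    return found


def missing_watches(rules_text, tier):
    """(path, perms) entries a tier requires that rules_text does not cover."""
    have = parse_watches(rules_text)
    gaps = []
    for path, perms, _key in watches_for(tier):
        if path not in have or not set(perms) <= have[path]:
            gaps.append((path, perms))
    return gaps


if __name__ == "__main__":
    # Constructed sample of an existing rules file with one weak watch.
    existing = "-w /etc -p w -k cfg\n-w /var/spool/cron -p wa -k jobs\n"
    print("gaps vs basic:", missing_watches(existing, "basic"))
    print(render_rules("intermediate", exclude_exes=["/usr/bin/dnf"]))
```

Start with the basic tier, run the host through a package update and a normal business day, and only then decide whether the intermediate or paranoid watches are affordable on that machine. The generated header is deliberately conservative: `-f 1` logs kernel-side audit failures instead of panicking, and what auditd does when its log filesystem fills is governed separately in auditd.conf, so check that file as well before enabling wide watches like `/usr`.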