What does your /etc/audit/rules.d/audit.rules look like?

marklaw2
Explorer

There are lots of knobs and dials to turn in the audit.rules file. Can you provide some examples of what basic, intermediate and paranoid rules sets would look like?

doksu
SplunkTrust

My personal suggestion would be to implement watch rules for changes to system/service configurations (i.e. /etc), changes to scheduled jobs (i.e. /var/spool/(cron|at)), and kernel [/module] changes (i.e. /boot). Malware also likes to put stuff in /usr and /lib*, so consider watching for writes there too. Keep in mind that when updates are installed, it will generate a large number of events. If you have services that write to these paths frequently, it could DoS the machine, and considering that auditd's default behaviour is to halt the machine if the filesystem it's attempting to write to fills up, I suggest careful testing in non-production environments.

Finally, if you can't fix an SELinux policy issue, don't disable it; instead, change it to permissive.

Here's my disclaimer for this advice which is basically a modified MIT license:

THIS ADVICE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS ADVICE OR THE USE OR OTHER DEALINGS IN THIS ADVICE.

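The answer above names the paths to watch but not the rule syntax, and the question asks for basic, intermediate and paranoid tiers. The script below is an added example, not code from either poster: it generates an audit.rules fragment for a chosen tier using the watch paths from the answer. The tier names, the `-k` key labels, the buffer size and the module-loading syscall rule in the paranoid tier are this example's own choices. Note that audit rules do not take globs, so `/lib*` has to be written out as one `-w` line per directory.

```sh
#!/bin/sh
# Added example: emit an audit.rules file for a tier (basic | intermediate |
# paranoid) built from the watch paths recommended in the answer above.
# Tier names and -k key labels are assumptions of this example.

gen_audit_rules() {
    tier="${1:-basic}"
    case "$tier" in
        basic|intermediate|paranoid) ;;
        *) echo "unknown tier: $tier" >&2; return 1 ;;
    esac

    # Start from an empty rule set, size the kernel backlog buffer, and use
    # failure mode 1 (printk) rather than 2 (panic) while rules are being tuned.
    printf '%s\n' '-D' '-b 8192' '-f 1'

    # Basic: system/service configuration, scheduled jobs, kernel/boot files.
    # -p wa = record writes and attribute changes; directories are watched recursively.
    printf '%s\n' \
        '-w /etc/ -p wa -k system_config' \
        '-w /var/spool/cron/ -p wa -k sched_jobs' \
        '-w /var/spool/at/ -p wa -k sched_jobs' \
        '-w /boot/ -p wa -k kernel_boot'

    # Intermediate: add the binary and library trees the answer warns about.
    # No globbing in audit rules, so /lib* is spelled out; drop the /lib64
    # line on systems that do not have that directory.
    if [ "$tier" != basic ]; then
        printf '%s\n' \
            '-w /usr/ -p wa -k usr_writes' \
            '-w /lib/ -p wa -k lib_writes' \
            '-w /lib64/ -p wa -k lib_writes'
    fi

    # Paranoid: also record kernel module load/unload syscalls, then lock the
    # rule set (-e 2) so it cannot be altered until the next reboot.
    if [ "$tier" = paranoid ]; then
        printf '%s\n' \
            '-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules' \
            '-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k modules' \
            '-e 2'
    fi
}

# Usage (on a test machine first, as the answer advises):
#   gen_audit_rules intermediate > /etc/audit/rules.d/audit.rules
#   augenrules --load        # or: auditctl -R /etc/audit/rules.d/audit.rules
```

The volume and disk-full concerns raised in the answer are not controlled by this file: how auditd reacts when the log filesystem runs low or fills up is set in /etc/audit/auditd.conf (space_left_action, admin_space_left_action, disk_full_action), so check what your distribution ships there before enabling the wider /usr and /lib watches, and expect a burst of events on every package update.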