All Apps and Add-ons

What does your /etc/audit/rules.d/audit.rules look like?

Explorer

What does your /etc/audit/rules.d/audit.rules look like?

There are lots of knobs and dials to turn in the audit.rules file. Can you provide some examples of what basic, intermediate and paranoid rules sets would look like?

0 Karma

SplunkTrust
SplunkTrust

My personal suggestion would be to implement watch rules for changes to system/service configurations (i.e. /etc), changes to scheduled jobs (i.e. /var/spool/(cron|at) ), and kernel [/module] changes (i.e. /boot). Malware also likes to put stuff in /usr and /lib* so consider watching for writes there too. Keep in mind that when updates are installed it will generate a large number of events. If you have services that write to these paths frequently it could DoS the machine and considering auditd's default behaviour is to halt the machine if the filesystem it's attempting to write to fills up, I suggest careful testing in non-production environments.

Finally, if you can't fix an SELinux policy issue, don't disable it; instead, change it to permissive.

Here's my disclaimer for this advice which is basically a modified MIT license:

THIS ADVICE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS ADVICE OR THE USE OR OTHER DEALINGS IN THIS ADVICE.

0 Karma