
What does your /etc/audit/rules.d/audit.rules look like?

marklaw2
Explorer


There are lots of knobs and dials to turn in the audit.rules file. Can you provide some examples of what basic, intermediate and paranoid rules sets would look like?


doksu
Contributor

My personal suggestion would be to implement watch rules for changes to system/service configurations (i.e. /etc), changes to scheduled jobs (i.e. /var/spool/(cron|at)), and kernel [/module] changes (i.e. /boot). Malware also likes to put stuff in /usr and /lib*, so consider watching for writes there too. Keep in mind that when updates are installed, they will generate a large number of events. If you have services that write to these paths frequently, it could DoS the machine, and considering auditd's default behaviour is to halt the machine if the filesystem it's attempting to write to fills up, I suggest careful testing in non-production environments.

Finally, if you can't fix an SELinux policy issue, don't disable it; instead, change it to permissive.

Here's my disclaimer for this advice which is basically a modified MIT license:

THIS ADVICE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS ADVICE OR THE USE OR OTHER DEALINGS IN THIS ADVICE.

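As an added example (not doksu's own rules file and not part of the original answer), here is what the three tiers the question asks about could look like when built around the watches suggested above. Assumptions: a Linux host running auditd where augenrules concatenates /etc/audit/rules.d/*.rules in sorted filename order, the `-k` key names are arbitrary labels chosen here for filtering in ausearch or Splunk, the `auid>=1000` boundary matches the local UID_MIN, and the noisy-daemon path in the `never` rule is a placeholder to be replaced with a real binary if one needs suppressing. Each tier includes everything in the tier before it.

```conf
## Added example rules.d fragment; not the original poster's file.
## Layout assumption: this is a single file. If split across rules.d,
## keep -D in the first file (e.g. 10-*.rules) and -e 2 in the last (99-*.rules).

## ---- header, all tiers ----
## Flush existing rules, size the kernel backlog, and log (not panic) on audit failure.
-D
-b 8192
-f 1

## Suppression rules must come BEFORE the rules they suppress (rules match in order).
## Placeholder path: replace with a real daemon that writes to a watched tree
## constantly, or delete this line. Unsuppressed floods are the DoS risk noted above.
-a never,exit -F arch=b64 -S all -F exe=/usr/sbin/example-noisy-daemon

## ---- basic: configuration, scheduled jobs, kernel/bootloader ----
-w /etc -p wa -k config_changes
-w /var/spool/cron -p wa -k cron_jobs
-w /var/spool/at -p wa -k at_jobs
-w /boot -p wa -k kernel_changes

## ---- intermediate: module loading and privileged execution ----
## Kernel module syscalls on both ABIs (finit_module has no i386 entry in old kernels,
## so it is omitted from the b32 line).
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_modules
-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
## Commands run as root by a real logged-in user (auid set and >= UID_MIN).
## 4294967295 is the "unset" login UID; newer auditctl also accepts -F auid!=unset.
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
## Tampering with the audit trail or the audit tooling itself.
-w /var/log/audit -p wa -k audit_log_tamper
-w /sbin/auditctl -p x -k audit_tools
-w /sbin/auditd -p x -k audit_tools

## ---- paranoid: writes under binary and library trees, then lock the config ----
## Every package update will produce a burst of events here; test in non-prod first.
## On merged-/usr systems /lib and /lib64 are symlinks into /usr, so the /usr watch
## already covers them, but separate watches are harmless on split layouts.
-w /usr -p wa -k binaries_libs
-w /lib -p wa -k binaries_libs
-w /lib64 -p wa -k binaries_libs
## Make the rule set immutable: after this, changing rules requires a reboot.
-e 2
```

Validate the file with `augenrules --check` before `augenrules --load`, then watch the `lost` counter in `auditctl -s` under normal load; if it climbs, raise `-b` or add `never` rules for the writer producing the flood rather than dropping the watch. The disk-full behaviour doksu warns about is governed by `disk_full_action` and `admin_space_left_action` in /etc/audit/auditd.conf, not by the rules file, so review those settings as part of the same non-production test.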