All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What does your /etc/audit/rules.d/audit.rules look like?

marklaw2
Explorer
‎01-31-2019 11:42 AM

What does your /etc/audit/rules.d/audit.rules look like?

There are lots of knobs and dials to turn in the audit.rules file. Can you provide some examples of what basic, intermediate and paranoid rules sets would look like?

0 Karma
Reply

doksu
Contributor
‎01-31-2019 09:03 PM

My personal suggestion would be to implement watch rules for changes to system/service configurations (i.e. /etc), changes to scheduled jobs (i.e. /var/spool/(cron|at) ), and kernel [/module] changes (i.e. /boot). Malware also likes to put stuff in /usr and /lib* so consider watching for writes there too. Keep in mind that when updates are installed it will generate a large number of events. If you have services that write to these paths frequently it could DoS the machine and considering auditd's default behaviour is to halt the machine if the filesystem it's attempting to write to fills up, I suggest careful testing in non-production environments.

Finally, if you can't fix an SELinux policy issue, don't disable it; instead, change it to permissive.

Here's my disclaimer for this advice which is basically a modified MIT license:

THIS ADVICE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS ADVICE OR THE USE OR OTHER DEALINGS IN THIS ADVICE.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...