
Is there a recommended auditd configuration we can start with?

Builder

All,

We're just getting going with auditd. We're looking to trace back user activities and file changes.

thanks
-Daniel

0 Karma

Re: Is there a recommended auditd configuration we can start with?

Splunk Employee

Check the following TA for Linux auditd, https://splunkbase.splunk.com/app/4232/

There is a companion app, https://splunkbase.splunk.com/app/2642/, that will make use of the collected data for some pretty dashboards.


Re: Is there a recommended auditd configuration we can start with?

Builder

I guess I am looking more for auditd rules configs. Something to get started with. Some of these configs on linux can get pretty intense.

0 Karma

Re: Is there a recommended auditd configuration we can start with?

New Member

There are a few templates under /usr/share/doc/audit-xxx/rules/xxx.rules

0 Karma
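As an added, constructed example (not posted in the thread and not one of the audit package's shipped templates): a small starter rules file covering the two things the question asks for, file changes and user activity, with helper functions to write it out, count what it contains, and load it with auditctl when run as root. The watched paths, the key names and the `auid>=1000` threshold for "real" users are assumptions to adjust for your distribution.

```shell
#!/bin/sh
# Starter auditd rule set (example, not the audit package's own templates).
# Keys (-k) are what you will search on later, e.g. ausearch -k user_cmd -i

starter_rules() {
cat <<'EOF'
## Flush existing rules, enlarge the kernel backlog, log on failure
-D
-b 8192
-f 1

## File changes: identity and privilege files (w = write, a = attribute change)
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege

## Tampering with the audit configuration itself
-w /etc/audit/ -p wa -k auditconfig

## User activity: every execve by a logged-in, non-system user.
## auid is the login uid, which survives su/sudo, so actions stay tied to the
## original human. Both ABIs are needed on x86_64 or 32-bit binaries slip past.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k user_cmd
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=unset -k user_cmd

## Commands that ended up running as root, by a human (sudo, setuid binaries)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_cmd

## Lock the rules until reboot once they are stable (uncomment deliberately)
#-e 2
EOF
}

# Write the rule set to $1 and print how many -w/-a rules it contains.
write_rules() {
  starter_rules > "$1"
  grep -c -E '^-(w|a) ' "$1"
}

# Print the distinct search keys used in rules file $1, one per line.
rule_keys() {
  grep -o -E -e '-k [A-Za-z_]+' "$1" | awk '{ print $2 }' | sort -u
}

# Print the number of distinct keys in rules file $1.
count_keys() {
  rule_keys "$1" | wc -l | tr -d ' '
}

# Load rules file $1 into the running kernel if we can; otherwise say why not.
load_rules() {
  if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    auditctl -R "$1" && auditctl -l
  else
    echo "not root or auditctl not installed; $1 written but not loaded" >&2
  fi
}

# Stand-alone run: write the file to a temp path and report what it holds.
out="${TMPDIR:-/tmp}/starter-audit-$$.rules"
echo "rules written: $(write_rules "$out") (keys: $(rule_keys "$out" | tr '\n' ' '))"
load_rules "$out"
```

To make the rules persistent rather than loading them once, copy the file into /etc/audit/rules.d/ (for example as 10-starter.rules) and run `augenrules --load`; `auditctl -l` afterwards shows what the kernel actually accepted, and `ausearch -k identity -i` or `-k user_cmd -i` is the quickest way to confirm events are arriving before pointing Splunk at /var/log/audit/audit.log. Expect the execve rules to be by far the noisiest, so review their volume on a single host before rolling them out widely.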