Skip to content

SEKOIA-IO/auditd

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 

Repository files navigation

Actively Maintained

    ___             ___ __      __
   /   | __  ______/ (_) /_____/ /
  / /| |/ / / / __  / / __/ __  / 
 / ___ / /_/ / /_/ / / /_/ /_/ /  
/_/  |_\__,_/\__,_/_/\__/\__,_/   

Best Practice Auditd Configuration

Sekoia.io fork

The Sekoia.io fork adds the following changes to the base rules:

  • Disable rules specific to MacOS
  • Watch for tcp connections
  • Do not watch for socket creations
  • Watch for python/perl scripts executions
  • Disable rule about 32 bits exploitation
  • Disable IPC rules
  • Add rule preventing kudu from overwhelming the logs

Idea

The idea of this auditd configuration is to provide a basic configuration that

  • works out-of-the-box on all major Linux distributions
  • fits most use cases
  • produces a reasonable amount of log data
  • covers security relevant activity
  • is easy to read (different sections, many comments)

Sources

The configuration is based on the following sources

Gov.uk auditd rules alphagov/puppet-auditd#1

CentOS 7 hardening https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon

Linux audit repo https://github.com/linux-audit/audit-userspace/tree/master/rules

Auditd high performance linux auditing https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/

Further rules

Not all of these rules have been included.

For PCI DSS compliance see: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules

For NISPOM compliance see: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules

Video Explanations by IppSec

IppSec captured a video that explains how to detect the exploitation of the OMIGOD vulnerability using auditd. In that video, he walks you through the audit configuration maintained in this repo and explains how to use it. I highly recommend this video to get a better understanding of what is happening in the config.

https://www.youtube.com/watch?v=lc1i9h1GyMA

Contribution

Please contribute your changes as pull requests

About

Best Practice Auditd Configuration

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published