Security Auditd Config for Enterprises
Steve Grubb
sgrubb at redhat.com
Fri Sep 4 15:41:50 UTC 2020
Hello,
On Friday, September 4, 2020 9:38:33 AM EDT Rohit Nambiar wrote:
> Apologies if this topic has already been discussed before, I couldn't find
> an easy way to sift through older archives.
>
> Is there an auditd rule set which offers a reasonable level of security
> visibility and has been tested on enterprise production systems? And if
> such a rule set can be shared here?
>
> I'm looking for a base document to deploy/modify for use within my
> organization. Many thanks in advance.
The audit system ships a set of pre-written rules for various scenarios. It
should be a matter of locating them over in /usr/share and copying them to
/etc/audit/rules.d/
The rules that I would recommend are the OSPP rules. They form the basis of
the STIG auditing requirements. And I believe CIS's guidance would have
similar rules. That means you would copy the following files (you can also get
these from github if they are not on your system):
10-base-config.rules
11-loginuid.rules
30-ospp-v42-1-create-failed.rules
30-ospp-v42-2-modify-failed.rules
30-ospp-v42-3-access-failed.rules
30-ospp-v42-4-delete-failed.rules
30-ospp-v42-5-perm-change-failed.rules
30-ospp-v42-6-owner-change-failed.rules
43-module-load.rules
The above is designed tro detect violations of the security policy. Meaning
someone trying to access something they do not have permissions for. If you
also need to audit successful events, then copy the corresponging success
rules. However, when you capture all success events, then system update will
be a high volume of events.
HTH,
-Steve
More information about the Linux-audit
mailing list