audit rules to help watch for potential threat?
Burn Alting
burn.alting at iinet.net.au
Sat Jan 14 02:15:42 UTC 2023
Karen,
Quite simply, just monitor execve (in addition to targeted/mandated monitoring) as
per
# Process execution
-a always,exit -F arch=b64 -S execve -F auid!=unset -F key=cmds
And within /etc/audit/auditd.conf change
max_log_file = 8 num_logs = 5to max_log_file = 32 num_logs = 9
Which caters for an expanded set of /var/log/audit/audit.log files (32 x 9 =
288MB).You would need to send your logs to a central SIEM say every 10-15 minutes.
Burn AltingPS. I know I have identified b32 arch but the best b32 arch rule now for
most modern (and supported Linux) is-a always,exit -F arch=b32 -S all -F key=32bit-
abi
On Fri, 2023-01-13 at 22:47 +0000, Wieprecht, Karen M. wrote:
> Steve, Audit team,
> My colleagues and I were discussing ways we might better monitor for potential
> insider threat. We can easily see the commands our SAs run when they use sudo in
> front of the command, but if the sysadmin uses "sudo su -", then we don't have
> good visibility into the commands they perform while they are su'd unless there
> happens to be an audit rule monitoring the specific files/commands they are
> accessing/running.
> We've talked about possible way to improve our visibility in this situation, but
> most of the options we came up with are easily thwarted and/or would cause the
> logs to blow up to the point that it's difficult to spot nefarious
> activity. Some options we considered included having splunk monitor the shell
> history files, and possibly enabling ps auditing.
> Can you recommend any audit rules that would audit the interactive commands being
> issued by a sysadmin who is su'd as root without causing the logs to blow up?
> Any assistance you can provide would be much appreciated.
> Thank you,Karen Wieprecht The Johns Hopkins Applied Physics Laboratory--Linux-
> audit mailing listLinux-audit at redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20230114/2d888203/attachment.htm>
More information about the Linux-audit
mailing list