public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Security Auditd Config for Enterprises
Date: Fri, 04 Sep 2020 11:41:50 -0400
Message-ID: <2114738.iZASKD2KPV@x2>
In-Reply-To: <CAHvE9BK5+oRZrUCOkJ+Ong8z-R2ZVOmi-CZfddXJboRqWOGRkA@mail.gmail.com>

Hello,

On Friday, September 4, 2020 9:38:33 AM EDT Rohit Nambiar wrote:
> Apologies if this topic has already been discussed before, I couldn't find
> an easy way to sift through older archives.
> 
> Is there an auditd rule set which offers a reasonable level of security
> visibility and has been tested on enterprise production systems? And if
> such a rule set can be shared here?
> 
> I'm looking for a base document to deploy/modify for use within my
> organization. Many thanks in advance.

The audit system ships a set of pre-written rules for various scenarios. It 
should be a matter of locating them over in /usr/share and copying them to 
/etc/audit/rules.d/

The rules that I would recommend are the OSPP rules. They form the basis of 
the STIG auditing requirements. And I believe CIS's guidance would have 
similar rules. That means you would copy the following files (you can also get 
these from github if they are not on your system):

10-base-config.rules
11-loginuid.rules
30-ospp-v42-1-create-failed.rules
30-ospp-v42-2-modify-failed.rules
30-ospp-v42-3-access-failed.rules
30-ospp-v42-4-delete-failed.rules
30-ospp-v42-5-perm-change-failed.rules
30-ospp-v42-6-owner-change-failed.rules
43-module-load.rules

The above is designed to detect violations of the security policy. Meaning 
someone trying to access something they do not have permissions for. If you 
also need to audit successful events, then copy the corresponding success 
rules. However, when you capture all success events, then a system update will 
be a high volume of events.

HTH,
-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
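As an added example (not part of Steve's reply or of the audit project), the copy step above as a small POSIX sh script: it searches a share tree for each of the nine OSPP "failed" rule files named in the message and stages them into a rules.d directory, reporting any file it could not find so an incomplete set does not go unnoticed. The source and destination paths are parameters, so the demo runs against a constructed temporary tree without root; the sample tree layout (`share/audit/sample-rules`) and the sample rule line inside each file are assumptions for the demo, and a real run would pass `/usr/share` and `/etc/audit/rules.d` as in the reply.

```shell
#!/bin/sh
# Added example: stage the OSPP rule files named in the list reply into an
# audit rules.d directory. Not the audit project's own tooling.

# The nine files recommended in the message.
OSPP_RULE_FILES="10-base-config.rules 11-loginuid.rules \
30-ospp-v42-1-create-failed.rules 30-ospp-v42-2-modify-failed.rules \
30-ospp-v42-3-access-failed.rules 30-ospp-v42-4-delete-failed.rules \
30-ospp-v42-5-perm-change-failed.rules 30-ospp-v42-6-owner-change-failed.rules \
43-module-load.rules"

# install_ospp_rules SRC_ROOT DEST_DIR
# Searches SRC_ROOT recursively for each named file, copies it into DEST_DIR,
# prints one "copied"/"missing" line per file, and returns 0 only when every
# file was found, so a caller notices an incomplete rule set.
install_ospp_rules() {
    src_root=$1
    dest_dir=$2
    missing=0
    mkdir -p "$dest_dir" || return 2
    for f in $OSPP_RULE_FILES; do
        # The subdirectory under /usr/share differs between distributions,
        # so search for the file name rather than assume one location.
        found=$(find "$src_root" -type f -name "$f" 2>/dev/null | head -n 1)
        if [ -n "$found" ]; then
            cp "$found" "$dest_dir/$f" && echo "copied  $f"
        else
            echo "missing $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# count_rule_lines FILE
# Number of active (non-comment, non-blank) lines in a rules file; a quick
# check that a staged file actually carries rules.
count_rule_lines() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# demo: build a constructed sample tree, stage from it, and report the count.
# On a real system the call is: install_ospp_rules /usr/share /etc/audit/rules.d
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/share/audit/sample-rules"   # assumed layout for the demo
    for f in $OSPP_RULE_FILES; do
        # Constructed placeholder content, not the real rule file.
        printf '## constructed sample %s\n-w /etc/passwd -p wa -k identity\n' "$f" \
            > "$tmp/share/audit/sample-rules/$f"
    done
    install_ospp_rules "$tmp/share" "$tmp/rules.d"
    rc=$?
    echo "staged $(ls "$tmp/rules.d" | wc -l) files"
    rm -rf "$tmp"
    return $rc
}

# After staging on a real system, compile and load the set (needs root):
#   augenrules --check && augenrules --load && auditctl -l
```

The script deliberately stops short of loading anything: `augenrules --check` and `augenrules --load` are left as a comment because they need root and a running auditd, and because the message's point is to review and possibly trim the set before it goes live.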



Thread overview: 3+ messages
2020-09-04 13:38 Security Auditd Config for Enterprises Rohit Nambiar
2020-09-04 15:27 ` Christian, Mark
2020-09-04 15:41 ` Steve Grubb [this message]
