Hello, On Friday, September 4, 2020 9:38:33 AM EDT Rohit Nambiar wrote: > Apologies if this topic has already been discussed before, I couldn't find > an easy way to sift through older archives. > > Is there an auditd rule set which offers a reasonable level of security > visibility and has been tested on enterprise production systems? And if > such a rule set can be shared here? > > I'm looking for a base document to deploy/modify for use within my > organization. Many thanks in advance.
The audit system ships a set of pre-written rules for various scenarios. It should be a matter of locating them over in /usr/share and copying them to /etc/audit/rules.d/ The rules that I would recommend are the OSPP rules. They form the basis of the STIG auditing requirements. And I believe CIS's guidance would have similar rules. That means you would copy the following files (you can also get these from github if they are not on your system): 10-base-config.rules 11-loginuid.rules 30-ospp-v42-1-create-failed.rules 30-ospp-v42-2-modify-failed.rules 30-ospp-v42-3-access-failed.rules 30-ospp-v42-4-delete-failed.rules 30-ospp-v42-5-perm-change-failed.rules 30-ospp-v42-6-owner-change-failed.rules 43-module-load.rules The above is designed tro detect violations of the security policy. Meaning someone trying to access something they do not have permissions for. If you also need to audit successful events, then copy the corresponging success rules. However, when you capture all success events, then system update will be a high volume of events. HTH, -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
