
After applying these rules, the Deep Security Agent will detect process creation, process termination, network connections and file creation reported by auditd and generate Log Inspection events for them. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.

  1. Download the latest Auditd rule configuration file (audit.rule) from Github.
  2. Replace the file "/etc/audit/audit.rules" with the file downloaded in step 1.

    To make the rules persistent across reboots, also add them to "/etc/audit/rules.d/audit.rules".

  3. Run the following command to load the newly configured auditd rules:

    auditctl -R /etc/audit/audit.rules
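An added example (not from the original article) that wraps steps 1 to 3 in a POSIX shell script: it sanity-checks the downloaded rules file before it replaces the live one, warns if the file contains `-e 2` (which locks the audit configuration until reboot), then copies it to both locations named above and loads it. The file paths follow the article; the list of accepted auditctl directives and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: validate, install and load an auditd rules file.

# validate_audit_rules FILE
# Prints the number of rule lines on stdout; returns non-zero if any
# non-blank, non-comment line is not an auditctl directive (assumed list).
validate_audit_rules() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  bad=0
  rules=0
  while IFS= read -r line || [ -n "$line" ]; do
    trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
    case "$trimmed" in
      ''|'#'*) continue ;;                              # blank or comment
      -a*|-w*|-W*|-D*|-b*|-f*|-e*|-r*|-c*|-i*) rules=$((rules + 1)) ;;
      *) echo "unexpected line: $line" >&2; bad=1 ;;
    esac
    # "-e 2" makes the configuration immutable until the next reboot.
    case "$trimmed" in
      -e*2) echo "warning: '-e 2' locks audit config until reboot" >&2 ;;
    esac
  done < "$file"
  echo "$rules"
  return "$bad"
}

# install_audit_rules FILE
# Copies FILE to the live and persistent locations and loads it (needs root).
install_audit_rules() {
  src="$1"
  validate_audit_rules "$src" >/dev/null || return 1
  cp "$src" /etc/audit/audit.rules
  cp "$src" /etc/audit/rules.d/audit.rules
  # load into the running kernel, then list what is active
  auditctl -R /etc/audit/audit.rules && auditctl -l
}
```

Run as `install_audit_rules ./audit.rules` after downloading the file; a failed validation leaves the existing rules untouched.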

  1. Go to Computer > Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.

    Advanced Tab

    Or, to change it at the policy level:

    Go to Policies and select a policy. Go to Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.

    Advanced Tab 2

  2. Go to Computer or Policy > Log Inspection > 1008852 - Auditd > Properties > Configuration.

    Configuration

    The administrator will need to tune the priority of the various Rule IDs so that it is greater than the Severity Clipping level noted in the previous step; otherwise the corresponding alert is not stored. Details about each Rule ID can be found by matching it to the ATT&CK IDs list.

  3. Repeat the same steps performed in step 2 for 1010465 - Auditd - Mitre ATT&CK TA0007: Discovery and other Auditd LI Rules.

For more details about Auditd and its additional uses, refer to the official AWS documentation.