Deep Security Log Inspection Rules for Auditd Event Monitoring

    • Updated: 25 Nov 2020
    • Product/Version: Deep Security All
    • Platform: N/A
Summary

Auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to the disk.

Auditd utilities

  • ausearch: for searching and viewing the audit logs.
  • auditctl: for configuring the audit rules. During startup, the rules in /etc/audit/audit.rules are read by auditctl.
  • audit daemon (auditd): the daemon itself has configuration options that the administrator may wish to customize; these are found in the auditd.conf file.

The auditd daemon collects the information from the kernel and creates entries in a log file.

Deep Security added support for monitoring events generated by Auditd with the following Log Inspection rules:

  • 1008852 - Auditd
  • 1010465 - Auditd - Mitre ATT&CK TA0007: Discovery
  • 1010489 - Auditd - Mitre ATT&CK TA0003: Persistence
  • 1010528 - Auditd - Mitre ATT&CK TA0004: Privilege Escalation
  • 1010558 - Auditd - Mitre ATT&CK TA0005: Defense Evasion
  • 1010536 - Auditd - Mitre ATT&CK TA0006: Credential Access
  • 1010582 - Auditd - Mitre ATT&CK TA0008: Lateral Movement
Details

After these rules are applied, the Deep Security Agent will detect related process creation, process termination, network connection and file creation activity and generate Log Inspection events for it. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.

  1. Download the latest Auditd rule configuration file (audit.rule) from Github.
  2. Replace the file "/etc/audit/audit.rules" with the file from step 1.

     To make the rules persistent across reboots, also add them to "/etc/audit/rules.d/audit.rule".

  3. Run the following command to load the newly configured auditd rules:

    auditctl -R /etc/audit/audit.rules

  1. Go to Computer > Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.


    Or, to change it at the policy level:

    Go to Policies and select a policy. Go to Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.


  2. Go to Computer or Policy > Log Inspection > 1008852 - Auditd > Properties > Configuration.


    The administrator will need to tune the priority of the various Rule IDs so that it is greater than the Severity Clipping levels noted in the previous step; otherwise the corresponding alert is not generated. Details about each Rule ID can be found by matching it to the ATT&CK IDs list.

  3. Repeat the steps performed in step 2 for 1010465 - Auditd - Mitre ATT&CK TA0007: Discovery and the other Auditd Log Inspection rules.
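The following is an added example, not code from the article or from Deep Security: it parses auditd records in their key=value layout, maps the rule key (the `-k` value set in audit.rules) to a Log Inspection rule ID and priority, and shows which records would survive a given Severity Clipping level. The rule keys, priorities and log lines are constructed for illustration; the mapping of key to rule ID is an assumption, and clipping is treated as inclusive (priority at or above the level is stored).

```python
import re
from typing import Dict, List, Optional

# Constructed mapping: audit rule key -> (Deep Security LI rule id, assumed priority).
# Keys and priorities are hypothetical; rule ids are those listed in the article.
KEY_TO_RULE = {
    "discovery_whoami": ("1010465", 7),
    "persist_cron":     ("1010489", 9),
    "privesc_sudoers":  ("1010528", 4),
}

# Constructed sample records in auditd's key=value format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1606300000.100:101): arch=c000003e syscall=59 success=yes exit=0 comm="whoami" exe="/usr/bin/whoami" key="discovery_whoami"
type=SYSCALL msg=audit(1606300001.200:102): arch=c000003e syscall=257 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="persist_cron"
type=SYSCALL msg=audit(1606300002.300:103): arch=c000003e syscall=257 success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="privesc_sudoers"
type=CWD msg=audit(1606300002.300:103): cwd="/root"
"""

# One field is name=value; the value is either a quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def evaluate(line: str, clipping: int) -> Optional[dict]:
    """Return the event that would be stored, or None if unmatched or clipped."""
    rec = parse_record(line)
    key = rec.get("key")
    if key not in KEY_TO_RULE:
        return None                      # record carries no monitored rule key
    rule_id, priority = KEY_TO_RULE[key]
    if priority < clipping:
        return None                      # below the Severity Clipping level: dropped
    # msg looks like audit(1606300000.100:101): -> serial number is after the colon
    serial = rec["msg"].split(":")[1].rstrip(")")
    return {"rule": rule_id, "priority": priority,
            "serial": serial, "exe": rec.get("exe")}

def stored_events(log: str, clipping: int) -> List[dict]:
    """Apply evaluate() to every record and keep the ones that would be stored."""
    return [e for e in (evaluate(l, clipping) for l in log.splitlines()) if e]

if __name__ == "__main__":
    for ev in stored_events(SAMPLE_LOG, clipping=5):
        print(ev)
```

Lowering a rule's priority below the clipping level, or raising the clipping level, makes the corresponding record disappear from the stored set, which is the effect the tuning step above is meant to avoid.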

For more details about Auditd and its additional uses, refer to the official AWS documentation.
