Auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to the disk.
- ausearch: For viewing the logs.
- auditctl: To configure the audit rules. During startup, auditctl reads the rules in /etc/audit/audit.rules.
- audit daemon: The audit daemon itself has some configuration options that the admin may wish to customize, which are found in the auditd.conf file.
The auditd daemon collects the information from the kernel and creates entries in a log file.
Deep Security added support for monitoring events generated by Auditd with the following Log Inspection rules:
- 1008852 - Auditd
- 1010465 - Auditd - Mitre ATT&CK TA0007: Discovery
- 1010489 - Auditd - Mitre ATT&CK TA0003: Persistence
- 1010528 - Auditd - Mitre ATT&CK TA0004: Privilege Escalation
- 1010558 - Auditd - Mitre ATT&CK TA0005: Defense Evasion
- 1010536 - Auditd - Mitre ATT&CK TA0006: Credential Access
- 1010582 - Auditd - Mitre ATT&CK TA0008: Lateral Movement
After applying these rules, the Deep Security Agent will detect related process creation, process termination, network connection and file creation activity and generate Log Inspection events for it. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.
- Download the latest Auditd rule configuration file (audit.rules) from GitHub.
Replace the file "/etc/audit/audit.rules" with the file downloaded in step 1. To make the rules persistent across reboots, also add it to "/etc/audit/rules.d/audit.rules".
Run the following command to load the newly configured auditd rules:
auditctl -R /etc/audit/audit.rules
Go to Computer > Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.
Or, to change it at the policy level:
Go to Policies and select a policy. Go to Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.
Go to Computer or Policy > Log Inspection > 1008852 - Auditd > Properties > Configuration.
The administrator will need to tune the priority of the various Rule IDs to be greater than the Severity Clipping levels noted in the previous step to get the corresponding alert. Details about each Rule ID can be found by matching it to the ATT&CK IDs list.
- Repeat the same steps performed in step 2 for 1010465 - Auditd - Mitre ATT&CK TA0007: Discovery and the other Auditd Log Inspection rules.
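As an added example (not part of this article or of the Deep Security product), the following Python sketch shows what the Log Inspection rules above consume: it parses raw auditd records into fields and then applies a severity clipping level, keeping only keyed records whose rule severity meets the minimum. The sample records, the key= tags and the per-key severities are constructed placeholders; a real audit.rules file defines its own keys.

```python
import re

# Constructed sample auditd records (not taken from the article). The key=
# tags are placeholders standing in for whatever keys the downloaded
# audit.rules file assigns to its watches and syscall rules.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes exit=0 pid=1234 auid=1000 uid=1000 comm="whoami" exe="/usr/bin/whoami" key="discovery"
type=SYSCALL msg=audit(1700000001.456:102): arch=c000003e syscall=42 success=yes exit=0 pid=1235 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="network_connect"
type=SYSCALL msg=audit(1700000002.789:103): arch=c000003e syscall=257 success=yes exit=3 pid=1236 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key="persistence_cron"
type=CWD msg=audit(1700000002.789:103): cwd="/root"
"""

# Assumed per-key severities (0-15, the range Log Inspection rules use); in a
# real deployment these are tuned under the rule's Properties > Configuration.
RULE_SEVERITY = {"discovery": 4, "network_connect": 6, "persistence_cron": 8}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")


def parse_record(line):
    """Split one auditd record into a dict of its key=value fields.

    Quoted values lose their quotes; msg=audit(ts:serial) is unpacked into
    'timestamp' and 'serial' so the records of one event can be correlated.
    """
    rec = {}
    for name, raw in FIELD_RE.findall(line):
        rec[name] = raw[1:-1] if raw.startswith('"') else raw
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["timestamp"] = float(f"{m.group(1)}.{m.group(2)}")
        rec["serial"] = int(m.group(3))
    return rec


def events_above_clipping(log_text, severities, clipping):
    """Return keyed records whose rule severity meets the clipping level.

    The clipping level is the minimum severity at which an event is stored,
    so anything below it is dropped. Records without a key= field (e.g.
    type=CWD) never match a keyed rule and are skipped.
    """
    kept = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        key = rec.get("key")
        if key is None or key not in severities:
            continue
        rec["severity"] = severities[key]
        if rec["severity"] >= clipping:
            kept.append(rec)
    return kept
```

With a clipping level of 6, only the network_connect and persistence_cron records survive, which is exactly why a rule ID's priority must be raised above the clipping level before its alert will ever appear.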
For more details about Auditd and its additional uses, refer to the official AWS documentation.