Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Neo23x0/auditd
Best Practice Auditd Configuration
https://github.com/Neo23x0/auditd
Last synced: about 1 month ago
JSON representation
Best Practice Auditd Configuration
- Host: GitHub
- URL: https://github.com/Neo23x0/auditd
- Owner: Neo23x0
- License: apache-2.0
- Created: 2018-09-25T07:16:21.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-10-16T09:03:03.000Z (about 2 months ago)
- Last Synced: 2024-10-17T20:30:37.983Z (about 2 months ago)
- Size: 271 KB
- Stars: 1,484
- Watchers: 82
- Forks: 257
- Open Issues: 40
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Audit: audit.rules
Awesome Lists containing this project
- sg-awesome - Auditd-Best-Practices - audit.rules file containing best practice rules. (Tools/Scripts/Code:)
- awesome-security-hardening - Neo23x0/auditd - Best Practice Auditd Configuration (GNU/Linux)
README
[![Actively Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
___ ___ __ __
/ | __ ______/ (_) /_____/ /
/ /| |/ / / / __ / / __/ __ /
/ ___ / /_/ / /_/ / / /_/ /_/ /
/_/ |_\__,_/\__,_/_/\__/\__,_/Best Practice Auditd Configuration
## Idea
The idea of this auditd configuration is to provide a basic configuration that
- works out-of-the-box on all major Linux distributions
- fits most use cases
- produces a reasonable amount of log data
- covers security relevant activity
- is easy to read (different sections, many comments)## Sources
The configuration is based on the following sources
Gov.uk auditd rules
https://github.com/gds-operations/puppet-auditd/pull/1CentOS 7 hardening
https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemonLinux audit repo
https://github.com/linux-audit/audit-userspace/tree/master/rulesAuditd high performance linux auditing
https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/### Further rules
Not all of these rules have been included.
For PCI DSS compliance see:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rulesFor NISPOM compliance see:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules## Video Explanations by IppSec
IppSec captured a video that explains how to detect the exploitation of the OMIGOD vulnerability using auditd. In that video, he walks you through the audit configuration maintained in this repo and explains how to use it. I highly recommend this video to get a better understanding of what is happening in the config.
https://www.youtube.com/watch?v=lc1i9h1GyMA
## Contribution
Please contribute your changes as pull requests