Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Neo23x0/auditd

Best Practice Auditd Configuration
https://github.com/Neo23x0/auditd

Last synced: 8 days ago
JSON representation

Best Practice Auditd Configuration

Host: GitHub
URL: https://github.com/Neo23x0/auditd
Owner: Neo23x0
License: apache-2.0
Created: 2018-09-25T07:16:21.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2024-10-16T09:03:03.000Z (23 days ago)
Last Synced: 2024-10-17T20:30:37.983Z (22 days ago)
Size: 271 KB
Stars: 1,484
Watchers: 82
Forks: 257
Open Issues: 40
Metadata Files:
- Readme: README.md
- License: LICENSE
- Audit: audit.rules

Awesome Lists containing this project

sg-awesome - Auditd-Best-Practices - audit.rules file containing best practice rules. (Tools/Scripts/Code:)
awesome-security-hardening - Neo23x0/auditd - Best Practice Auditd Configuration (GNU/Linux)

README

[![Actively Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)

___ ___ __ __
/ | __ ______/ (_) /_____/ /
/ /| |/ / / / __ / / __/ __ /
/ ___ / /_/ / /_/ / / /_/ /_/ /
/_/ |_\__,_/\__,_/_/\__/\__,_/

Best Practice Auditd Configuration

## Idea

The idea of this auditd configuration is to provide a basic configuration that

- works out-of-the-box on all major Linux distributions
- fits most use cases
- produces a reasonable amount of log data
- covers security relevant activity
- is easy to read (different sections, many comments)

## Sources

The configuration is based on the following sources

Gov.uk auditd rules
https://github.com/gds-operations/puppet-auditd/pull/1

CentOS 7 hardening
https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon

Linux audit repo
https://github.com/linux-audit/audit-userspace/tree/master/rules

Auditd high performance linux auditing
https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/

### Further rules

Not all of these rules have been included.

For PCI DSS compliance see:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules

For NISPOM compliance see:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules

## Video Explanations by IppSec

IppSec captured a video that explains how to detect the exploitation of the OMIGOD vulnerability using auditd. In that video, he walks you through the audit configuration maintained in this repo and explains how to use it. I highly recommend this video to get a better understanding of what is happening in the config.

https://www.youtube.com/watch?v=lc1i9h1GyMA

## Contribution

Please contribute your changes as pull requests