Configure Auditd and how to leverage it

Learn how to config and write rules to detect malicious activities


Last updated 1 year ago


Refs

When I was working as a Security Engineer, my company only used Syslog, and I didn't know whether that was enough logging or not. I noticed that most SOC centers collect auditd logs.

How to configure it

Auditd is developed by Red Hat, so RHEL usually ships it built in; most of the time you only need to enable it and configure its rules. Below are all the files and processes related to auditd.

Let's start with audit.rules, which is usually stored in /etc/audit/rules.d. This file contains all the rules you define for Auditd. The rules will look something like this (I'll explain the rules later):

By default Auditd ships without any rules whatsoever: you either write your own manually or, like me, clone other people's Auditd rules (with mad respect for them).

Script to install auditd and apply the Neo23x0 rules

The package manager depends on your distribution: mine is Ubuntu, yours may be RHEL or CentOS. The rules file has to be downloaded in raw form (the GitHub blob page is HTML) and saved with a .rules name under /etc/audit/rules.d/, otherwise augenrules will not load it.

sudo apt install -y auditd   # Ubuntu/Debian; use dnf or yum on RHEL/CentOS
sudo wget -O /etc/audit/rules.d/audit.rules https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
sudo systemctl restart auditd.service

After that, use auditctl to verify your configuration: the command lists the rules currently loaded in the kernel, and prints "No rules" if nothing was applied.

sudo auditctl -l 
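The rules the page promises to explain, as an added example that is not from the original post or the Neo23x0 repo: a constructed rules.d fragment in the same syntax, plus two shell helpers (lint_rules and rule_keys, both hypothetical names) that catch a rule without a -k key before it is loaded, because a keyless rule produces records you cannot search for by key once they reach the SIEM.

```shell
#!/bin/bash
# Constructed rules fragment in the syntax auditd loads from /etc/audit/rules.d/*.rules.
# -w PATH -p PERMS -k KEY          watch a path; PERMS is any of r w x a (a = attribute change)
# -a always,exit -F ... -S N -k KEY  record syscall N at exit when every -F filter matches
# The -k KEY is stamped on every resulting record; it is what you search for in the SIEM.
SAMPLE_RULES='## Flush old rules, size the backlog, log auditd failures via printk (-f 2 would panic)
-D
-b 8192
-f 1
## Identity and privilege files: who changed accounts or sudo policy?
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k priv_esc
-w /etc/sudoers.d/ -p wa -k priv_esc
## Every program executed as root, on both syscall tables of an x86_64 host
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_cmd
-a always,exit -F arch=b32 -S execve -F euid=0 -k root_cmd
## Deliberately keyless watch so lint_rules has something to flag
-w /etc/ssh/sshd_config -p wa'

# lint_rules: rules on stdin; prints one line per problem and returns the problem count.
# Flags unknown verbs and -w/-a rules without -k, whose records cannot be searched by key.
lint_rules() {
  local n=0 line
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      -D|-b\ *|-f\ *|-e\ *|-c|-i|--backlog_wait_time\ *) continue ;;
      -w\ *|-a\ *)
        case " $line " in
          *' -k '*|*' -F key='*) ;;
          *) echo "missing -k key: $line"; n=$((n+1)) ;;
        esac ;;
      *) echo "unknown rule: $line"; n=$((n+1)) ;;
    esac
  done
  return "$n"
}

# rule_keys: the distinct -k keys, i.e. the search terms the SIEM side must know about.
rule_keys() {
  grep -oE -- '-k [A-Za-z0-9_-]+' | awk '{ print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "$? rule(s) need a fix before loading"
printf '%s\n' "$SAMPLE_RULES" | rule_keys
```

Run lint_rules over a real /etc/audit/rules.d/*.rules file before restarting auditd; a non-zero return means at least one rule needs attention.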

Configure Syslog to send the auditd log

By default the auditd syslog plugin is disabled, so nothing reaches Syslog. Enable it by changing active = no to active = yes in /etc/audisp/plugins.d/syslog.conf, then restart the service.

# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

# IF YOU SEE THE ACTIVE = NO -> CHANGE IT INTO YES
active = yes
direction = out
path = builtin_syslog
type = builtin 
args = LOG_INFO
format = string

Configure Rsyslog

Rsyslog also does not pick up auditd logs by default, so a little more configuration is needed. On the client, open /etc/rsyslog.conf and add these lines; they load the imfile module, tail /var/log/audit/audit.log, and emit each record with the tag tag_audit_log: at facility local6 and severity info.

# auditd audit.log  
$ModLoad imfile
$InputFileName /var/log/audit/audit.log  
$InputFileTag tag_audit_log:  
$InputFileStateFile audit_log  
$InputFileSeverity info  
$InputFileFacility local6  
$InputRunFileMonitor

Use case
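As an added example for this use case (not part of the original page), the records that arrive over rsyslog are triaged per -k key: triage_key is a hypothetical helper run over constructed sample records, and it joins the SYSCALL, PATH and EXECVE records of one audit event by the serial inside msg=audit(...).

```shell
#!/bin/bash
# Constructed sample of raw audit records as rsyslog's imfile forwards them
# (the tag_audit_log: prefix comes from $InputFileTag). One audit event spans
# several records that share the serial inside msg=audit(timestamp:serial).
SAMPLE_LOG='tag_audit_log: type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1200 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="identity"
tag_audit_log: type=PATH msg=audit(1700000000.101:2001): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
tag_audit_log: type=SYSCALL msg=audit(1700000000.202:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="root_cmd"
tag_audit_log: type=EXECVE msg=audit(1700000000.202:2002): argc=3 a0="useradd" a1="-m" a2="deploy"
tag_audit_log: type=SYSCALL msg=audit(1700000000.303:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root_cmd"'

# triage_key KEY: read forwarded records on stdin and print one line per event
# stamped with KEY (the -k value from the rule): serial, auid, uid, exe, then
# the PATH name for watch rules or the rebuilt argv for execve rules.
# auid is the login uid, which survives su/sudo, so it is the field to pivot on;
# auid=4294967295 (unset) means a daemon started the process, not a login session.
triage_key() {
  awk -v key="$1" '
    # field(rec, name): value of " name=..." in a record, quotes stripped
    function field(rec, name,   v) {
      if (!match(rec, " " name "=[^ ]*")) return ""
      v = substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
      gsub(/"/, "", v); return v
    }
    {
      rec = " " $0
      if (!match(rec, /:[0-9]+\):/)) next          # not an audit record
      serial = substr(rec, RSTART + 1, RLENGTH - 3)
      type = field(rec, "type")
      if (type == "SYSCALL" && field(rec, "key") == key) {
        hit[serial] = serial " auid=" field(rec, "auid") " uid=" field(rec, "uid") " exe=" field(rec, "exe")
        order[++n] = serial
      } else if (type == "PATH" && (serial in hit)) {
        extra[serial] = extra[serial] " name=" field(rec, "name")
      } else if (type == "EXECVE" && (serial in hit)) {
        argc = field(rec, "argc") + 0; argv = ""
        for (i = 0; i < argc; i++) argv = argv (i ? " " : "") field(rec, "a" i)
        extra[serial] = extra[serial] " argv=[" argv "]"
      }
    }
    END { for (i = 1; i <= n; i++) print hit[order[i]] extra[order[i]] }
  '
}

printf '%s\n' "$SAMPLE_LOG" | triage_key identity
printf '%s\n' "$SAMPLE_LOG" | triage_key root_cmd
```

On a live host the same function works over `grep tag_audit_log /var/log/syslog` on the collector, and the auid column separates an operator's session from cron-style daemon noise that the euid=0 execve rule also matches.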

Refs:

https://detect.fyi/file-integrity-monitoring-with-auditd-b9423a52feef
https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-audit-comp.html
https://linux.die.net/man/7/audit.rules
I copied this from the openSUSE Auditd documentation.