SlideShare ist ein Scribd-Unternehmen logo

Linux audit framework

T
Torstein Hansen

kort auditd intro

Software
1 von 9
Downloaden Sie, um offline zu lesen
Linux Auditing Framework In 5 minutes
About ● Included in RHEL4+ and all other linux distros (SuSE used their own product for SLES 9 but switched in SLES 10) ● Supports CAPP, LSPP, RSBAC, NISPOM, FISMA, PCI-DSS, STIG, EAL4+ ● Minimal overhead, integrated with the linux kernel ● Support sudo/su etc and not not “possible” to bypass ● Can audit more or less everything ● Hard to read audit logs
Rules Examples rules: /usr/share/doc/audit-2.2/capp.rules /usr/share/doc/audit-2.2/lspp.rules /usr/share/doc/audit-2.2/nispom.rules /usr/share/doc/audit-2.2/stig.rules
Commands auditctl - Control script. Status, add/remove rules etc ausearch - search in logs aureport - give an report
Easy example auditctl -w /etc/passwd -p rwa -k "reading password file" -w = File monitored -p = Permissions to monitor. Can be Read, Write, Execute or Append -k = Message in the logs
Easy example II auditctl -w /tmp -p e -k "Someone is using /tmp" Checks if someone is using /tmp auditctl -a entry,always -S all -F pid=1005 Monitor everything a PID does... auditctl -l shows current rules
Searching logs ausearch -i -f /etc/passwd could give: type=PATH msg=audit(07/15/2013 15:03:43.153:9090) : item=0 name=/etc/passwd inode=656631 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(07/15/2013 15:03:43.153:9090) : cwd=/root type=SYSCALL msg=audit(07/15/2013 15:03:43.153:9090) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd13addf0 a1=0 a2=619908 a3=7fffd13ad560 items=1 ppid=1255 pid=1801 auid=torstein uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=grep exe=/bin/grep key=reading password file An user (torstein) have used /bin/grep form the directory /root as the user root to view the file
Other searches ausearch -ts 01/01/13 -k password-file ausearch -ts today -k password-file -x rm (show's who deleted the password file today) ausearch -ts today -k "reading password file" -ui 0 (check's who's been using root to check the password file)
More advanced ● Logs to /var/log/audit/ ● /etc/audit/auditd.conf is the config for the daemon. Can be configured to halt on full disk or require reboot to change rules ● /etc/audit/audit.rules is the rules it will load on startup. See example files it ships.. But it could look like this: -w /etc/passwd -p wa -k identity

Empfohlen

The Linux Audit Framework
The Linux Audit FrameworkThe Linux Audit Framework
The Linux Audit FrameworkGary Smith
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shiftGary Smith
 
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps_Fest
 
Osquery
OsqueryOsquery
OsqueryAnimesh Roy
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesPhil Hagen
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
Introduction to JumpStart
Introduction to JumpStartIntroduction to JumpStart
Introduction to JumpStartScott McDermott
 

Empfohlen

The Linux Audit Framework
The Linux Audit FrameworkThe Linux Audit Framework
The Linux Audit FrameworkGary Smith
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shiftGary Smith
 
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps_Fest
 
Osquery
OsqueryOsquery
OsqueryAnimesh Roy
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesPhil Hagen
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
Introduction to JumpStart
Introduction to JumpStartIntroduction to JumpStart
Introduction to JumpStartScott McDermott
 
Spraykatz installation & basic usage
Spraykatz installation & basic usageSpraykatz installation & basic usage
Spraykatz installation & basic usageSylvain Cortes
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
[ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? [ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? Masamitsu Maehara
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Francesco Prior
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1Susant Sahani
 
Ch8-Computer Security
Ch8-Computer SecurityCh8-Computer Security
Ch8-Computer SecurityAttaporn Ninsuwan
 
12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)K Kumar Guduru
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemdYusaku OGAWA
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios
 
Présentation Clever Audit
Présentation Clever AuditPrésentation Clever Audit
Présentation Clever Auditclevernetsystemsgeneva
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion TechniquesJason Lang
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflowAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFBrendan Gregg
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsDayal Dilli
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and TricksDavid Horvath
 
Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardeningarchwisp
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLubomir Rintel
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDSHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDThreat Stack
 

Weitere ähnliche Inhalte

Was ist angesagt?

Spraykatz installation & basic usage
Spraykatz installation & basic usageSpraykatz installation & basic usage
Spraykatz installation & basic usageSylvain Cortes
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
[ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? [ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? Masamitsu Maehara
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Francesco Prior
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1Susant Sahani
 
12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)K Kumar Guduru
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemdYusaku OGAWA
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion TechniquesJason Lang
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFBrendan Gregg
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsDayal Dilli
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and TricksDavid Horvath
 
Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardeningarchwisp
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLubomir Rintel
 

Was ist angesagt? (20)

Spraykatz installation & basic usage
Spraykatz installation & basic usageSpraykatz installation & basic usage
Spraykatz installation & basic usage
 
Audit
AuditAudit
Audit
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
[ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? [ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world?
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from Kaspersky
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1
 
Ch8-Computer Security
Ch8-Computer SecurityCh8-Computer Security
Ch8-Computer Security
 
12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemd
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
 
Présentation Clever Audit
Présentation Clever AuditPrésentation Clever Audit
Présentation Clever Audit
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion Techniques
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPF
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systems
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks
 
Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardening
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
 

Andere mochten auch

Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDSHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDThreat Stack
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
How To Train Your Python
How To Train Your PythonHow To Train Your Python
How To Train Your PythonJordi Riera
 
Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux MalwareMichael Boelen
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Micah Hoffman
 
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete CheslockBringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete CheslockThreat Stack
 
Whitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisWhitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisObserveIT
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionOlivier DASINI
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Network Security and Analysis with Python
Network Security and Analysis with PythonNetwork Security and Analysis with Python
Network Security and Analysis with Pythonpycontw
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 
Handling of compromised Linux systems
Handling of compromised Linux systemsHandling of compromised Linux systems
Handling of compromised Linux systemsMichael Boelen
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...
Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...
Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...Puppet
 

Andere mochten auch (20)

Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDSHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditD
 
Open Audit
Open AuditOpen Audit
Open Audit
 
How To Train Your Python
How To Train Your PythonHow To Train Your Python
How To Train Your Python
 
Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux Malware
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
 
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete CheslockBringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
 
Whitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisWhitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and Solaris
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Network Security and Analysis with Python
Network Security and Analysis with PythonNetwork Security and Analysis with Python
Network Security and Analysis with Python
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with Lynis
 
Handling of compromised Linux systems
Handling of compromised Linux systemsHandling of compromised Linux systems
Handling of compromised Linux systems
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...
Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...
Puppet Camp Paris 2014: Highly Available Puppet : Automate the deployment of ...
 

Ähnlich wie Linux audit framework

Linux Common Command
Linux Common CommandLinux Common Command
Linux Common CommandJeff Yang
 
Sysdig
SysdigSysdig
Sysdiggnosek
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
PostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsPostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsCommand Prompt., Inc
 
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Jose L. Quiñones-Borrero
 
An Introduction to User Space Filesystem Development
An Introduction to User Space Filesystem DevelopmentAn Introduction to User Space Filesystem Development
An Introduction to User Space Filesystem DevelopmentMatt Turner
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetOmar Reygaert
 
What you most likely did not know about sudo…
What you most likely did not know about sudo…What you most likely did not know about sudo…
What you most likely did not know about sudo…All Things Open
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source IntroMichael Ducy
 
Installing odoo v8 from github
Installing odoo v8 from githubInstalling odoo v8 from github
Installing odoo v8 from githubAntony Gitomeh
 
Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識維泰 蔡
 
Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...solarisyougood
 
Useful linux-commands
Useful linux-commandsUseful linux-commands
Useful linux-commandsHimani Singh
 
Linux Du Jour
Linux Du JourLinux Du Jour
Linux Du Jourmwedgwood
 
Asian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On UblAsian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On Ublnewrforce
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestrationbcoca
 

Ähnlich wie Linux audit framework (20)

Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash Course
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
 
Sysdig
SysdigSysdig
Sysdig
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
PostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsPostgreSQL Administration for System Administrators
PostgreSQL Administration for System Administrators
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
Linux for Security Professionals (Tips and Tricks) - Init 6 10/2012
 
An Introduction to User Space Filesystem Development
An Introduction to User Space Filesystem DevelopmentAn Introduction to User Space Filesystem Development
An Introduction to User Space Filesystem Development
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + Puppet
 
Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
 
What you most likely did not know about sudo…
What you most likely did not know about sudo…What you most likely did not know about sudo…
What you most likely did not know about sudo…
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source Intro
 
Installing odoo v8 from github
Installing odoo v8 from githubInstalling odoo v8 from github
Installing odoo v8 from github
 
Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識
 
Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...
 
Useful linux-commands
Useful linux-commandsUseful linux-commands
Useful linux-commands
 
Linux Du Jour
Linux Du JourLinux Du Jour
Linux Du Jour
 
Asian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On UblAsian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On Ubl
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestration
 

Mehr von Torstein Hansen

Mehr von Torstein Hansen (6)

Prosess accouting
Prosess accoutingProsess accouting
Prosess accouting
 
Logstash
LogstashLogstash
Logstash
 
Elastic search
Elastic searchElastic search
Elastic search
 
Kibana
KibanaKibana
Kibana
 
Aide
AideAide
Aide
 
Pci dss intro v2
Pci dss intro v2Pci dss intro v2
Pci dss intro v2
 

Kürzlich hochgeladen

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 

Kürzlich hochgeladen (20)

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 

Linux audit framework

  • 2. About ● Included in RHEL4+ and all other linux distros (SuSE used their own product for SLES 9 but switched in SLES 10) ● Supports CAPP, LSPP, RSBAC, NISPOM, FISMA, PCI-DSS, STIG, EAL4+ ● Minimal overhead, integrated with the linux kernel ● Support sudo/su etc and not not “possible” to bypass ● Can audit more or less everything ● Hard to read audit logs
  • 4. Commands auditctl - Control script. Status, add/remove rules etc ausearch - search in logs aureport - give an report
  • 5. Easy example auditctl -w /etc/passwd -p rwa -k "reading password file" -w = File monitored -p = Permissions to monitor. Can be Read, Write, Execute or Append -k = Message in the logs
  • 6. Easy example II auditctl -w /tmp -p e -k "Someone is using /tmp" Checks if someone is using /tmp auditctl -a entry,always -S all -F pid=1005 Monitor everything a PID does... auditctl -l shows current rules
  • 7. Searching logs ausearch -i -f /etc/passwd could give: type=PATH msg=audit(07/15/2013 15:03:43.153:9090) : item=0 name=/etc/passwd inode=656631 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(07/15/2013 15:03:43.153:9090) : cwd=/root type=SYSCALL msg=audit(07/15/2013 15:03:43.153:9090) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd13addf0 a1=0 a2=619908 a3=7fffd13ad560 items=1 ppid=1255 pid=1801 auid=torstein uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=grep exe=/bin/grep key=reading password file An user (torstein) have used /bin/grep form the directory /root as the user root to view the file
  • 8. Other searches ausearch -ts 01/01/13 -k password-file ausearch -ts today -k password-file -x rm (show's who deleted the password file today) ausearch -ts today -k "reading password file" -ui 0 (check's who's been using root to check the password file)
  • 9. More advanced ● Logs to /var/log/audit/ ● /etc/audit/auditd.conf is the config for the daemon. Can be configured to halt on full disk or require reboot to change rules ● /etc/audit/audit.rules is the rules it will load on startup. See example files it ships.. But it could look like this: -w /etc/passwd -p wa -k identity