Recording of my #auditd #laurel #mrmcd23 talk
"Linux Audit Framework - An Introduction":
https://media.ccc.de/v/2023-269-linux-audit-framework-an-introduction
Slides: https://talks.mrmcd.net/2023/talk/VSBRVX/
@MRMCD Thanks for the awesome con and props to @c3voc: sound and picture are fantastic.
#auditd #best #practises updated at https://github.com/Neo23x0/auditd/blob/master/audit.rules with my #ndaal #auditd #rules
#rules #ndaal #practises #best #auditd
#Linux lesson learned:
#auditd fails to load rules files with #CRLF line endings.
If a single rule file contains these characters, no rules are loaded at all.
It's easy to fix if you know it.
But when you add a single file to others with no visible difference and everything stops working, this can really drive you crazy.
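The CRLF pitfall above, with an added check that is not part of the post: a small POSIX shell script that lists rule files containing carriage returns and converts one to LF endings. The default rules directory /etc/audit/rules.d and the *.rules naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts: find audit rule files with
# CRLF line endings, since one such file makes auditctl reject the whole set.

# Return 0 if the file contains a carriage return, 1 otherwise.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Print every *.rules file in $1 (default /etc/audit/rules.d, an assumed
# path) that contains carriage returns, one path per line.
find_crlf_rules() {
    dir="${1:-/etc/audit/rules.d}"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        if has_crlf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Rewrite one file with LF-only endings, keeping a .bak copy of the original.
fix_crlf() {
    cp -- "$1" "$1.bak"
    tr -d '\r' < "$1.bak" > "$1"
}
```

Run find_crlf_rules before reloading rules (for example before `augenrules --load`) so a silently rejected rule set is caught early.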
Does it "make sense" to exclude the #ansible remote user from #auditd? I tend to answer "no" to this question, but the audit log is extremely noisy during an Ansible run. Is there a best practice recommendation for configuration management + auditd?
#secops #linux #sysadmin #auditd #ansible
RT @_hillu@twitter.com
Just released v0.5.1 of Laurel, the #linux #auditd event post-processing plugin that generates useful, enriched JSON-based audit logs suitable for modern security monitoring setups.
https://github.com/threathunters-io/laurel/
🐦🔗: https://twitter.com/_hillu/status/1619025672432939008
Looking inside #sudo shell sessions has been possible for quite some time, but not very convenient. You could use #auditd, or @sudoproject session recordings. Version 1.9.8 introduced log_subcmds, allowing you to log sub-commands with other sudo logs.
Server auditing is an important task to ensure platform-level security in an IT infrastructure.
I've written a blog post to provide an introduction to auditing in a Linux environment. The blog covers:
- Intro to linux auditing framework
- Configuring auditd service
- Inspecting audit logs
- Writing custom audit rules
- Remote logging.
https://ayedaemon.github.io/post/2022/12/recording_system_events_with_auditd/
Feel free to comment with corrections and opinions.
#auditd #security #audit #linux
Just released version 0.5.0 of Laurel, the #linux #auditd plugin for generating useful JSON-based audit logs suitable for SIEM usage. New features include message filtering, container id logging, trimming of long command lines, plus several bug fixes. https://github.com/threathunters-io/laurel
RT @_hillu@twitter.com
Over the last few months, quite a few interesting features have been added to Laurel, the #Linux #auditd plugin for generating useful JSON-based audit logs for SIEM usage. Just published a 0.5.0-pre1 prerelease. https://github.com/threathunters-io/laurel
🐦🔗: https://twitter.com/_hillu/status/1599553481794195457
@tazwake Better, use Linux auditd with some good ruleset: https://github.com/bfuzzy/auditd-attack
Pro tip: Do some formatting, because the standard event format is *hmmm* "challenging" to read and interpret: https://github.com/threathunters-io/laurel
Especially useful when sending to a SIEM.
Linux auditd best practices are updated https://github.com/Neo23x0/auditd #security #linux #auditd #ndaal #vpierre #neo23x0 #opensource
#opensource #Neo23x0 #vPierre #ndaal #auditd #Linux #security
RT @vPierre0x0@twitter.com
Auditd best practices updated https://github.com/Neo23x0/auditd #security #linux #auditd #bestpractice #ndaal #Neo23x0
🐦🔗: https://twitter.com/vPierre0x0/status/1547573121133072384
#Neo23x0 #ndaal #BestPractice #auditd #Linux #security
RT @cyb3rops@twitter.com
For #auditd on #Linux you can use my best practice auditd configuration, which is still actively maintained and gets frequent updates via PR
If you've found ways to improve it, please provide them as a pull request to help everyone else
https://github.com/Neo23x0/auditd
🐦🔗: https://twitter.com/cyb3rops/status/1537756755861688320
RT @uptycs@twitter.com
What are the best #Linux resources for infrastructure security? https://bit.ly/3hVe1Ma #auditd #osquery #opensource
🐦🔗: https://twitter.com/uptycs/status/1301930520117379072
#opensource #osquery #auditd #Linux