Using predefined rulesets

In the /usr/share/doc/audit-version_number/rules directory of your CentOS 7 machine and the /usr/share/doc/audit/rules directory of your CentOS 8 machine, you'll see some premade rulesets for different scenarios. Once you install auditd on Ubuntu, you'll have audit rules for it too, but the location is different for Ubuntu 16.04 and Ubuntu 18.04. On Ubuntu 16.04, the rules are in the /usr/share/doc/auditd/examples/ directory. On Ubuntu 18.04, they're in the /usr/share/doc/auditd/examples/rules/ directory. In any case, some of the rulesets are common among all three of these distros. Let's look at the CentOS 7 machine to see what we have there:

[donnie@localhost rules]$ pwd
/usr/share/doc/audit-2.7.6/rules
[donnie@localhost rules]$ ls -l
total 96
. . .
-rw-r--r--. 1 root root 4915 Apr 19 2017 30-nispom.rules
-rw-r--r--. 1 root root 5952 Apr 19 2017 30-pci-dss-v31.rules
-rw-r--r--. 1 root root 6663 Apr 19 2017 30-stig.rules
-rw-r--r--. 1 root root 1498 Apr 19 2017 31-privileged.rules
-rw-r--r--. 1 root root 218 Apr 19 2017 32-power-abuse.rules
-rw-r--r--. 1 root root 156 Apr 19 2017 40-local.rules
-rw-r--r--. 1 root root 439 Apr 19 2017 41-containers.rules
. . .
[donnie@localhost rules]$

The three files I want to focus on are the nispom, pci-dss, and stig files. Each of these three rulesets is designed to meet the auditing standards of a particular certifying agency. In order, these rulesets are as follows:

  • nispom: The National Industrial Security Program – you'll see this ruleset used at either the US Department of Defense or its contractors.
  • pci-dss: Payment Card Industry Data Security Standard – if you work in the banking or financial industries, or even if you're just running an online business that accepts credit cards, you'll likely become very familiar with this.
  • stig: Security Technical Implementation Guides – if you work for the US government, or possibly other governments, you'll be dealing with this one.

To use one of these rulesets on either CentOS 7 or CentOS 8, just copy the appropriate file over to the /etc/audit/rules.d/ directory:

[donnie@localhost rules]$ sudo cp 30-pci-dss-v31.rules /etc/audit/rules.d
[donnie@localhost rules]$

On Ubuntu, you'll see that these three files are compressed with gzip compression, even though none of the others are:

donnie@ubuntu-ufw:/usr/share/doc/auditd/examples/rules$ ls -l
total 88
. . .
-rw-r--r-- 1 root root 506 Dec 14 2017 23-ignore-filesystems.rules
-rw-r--r-- 1 root root 1368 Dec 14 2017 30-nispom.rules.gz
-rw-r--r-- 1 root root 2105 Dec 14 2017 30-pci-dss-v31.rules.gz
-rw-r--r-- 1 root root 2171 Dec 14 2017 30-stig.rules.gz
-rw-r--r-- 1 root root 1498 Dec 14 2017 31-privileged.rules
. . .

So, you'll need to uncompress them before you copy them over, like so:

donnie@ubuntu-ufw:/usr/share/doc/auditd/examples/rules$ sudo gunzip 30-pci-dss-v31.rules.gz

donnie@ubuntu-ufw:/usr/share/doc/auditd/examples/rules$ ls -l 30-pci-dss-v31.rules
-rw-r--r-- 1 root root 5952 Dec 14 2017 30-pci-dss-v31.rules
donnie@ubuntu-ufw:/usr/share/doc/auditd/examples/rules$

After you've copied the rule file over, restart the auditd daemon to read in the new rules.

For Red Hat or CentOS, do the following:

sudo service auditd restart

For Ubuntu, do the following:

sudo systemctl restart auditd

Of course, there's always the chance that a particular rule in one of these sets might not work for you or that you might need to enable a rule that's currently disabled. If so, just open the rules file in your text editor and comment out what doesn't work or uncomment what you need to enable.
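The whole procedure above (copy, decompress on Ubuntu, restart, check what is active) as one script. This is an added example, not from the book: the function names, the optional DEST argument and the sample rule lines are my own, and unlike the gunzip command shown earlier it decompresses with gunzip -c so the packaged .gz file is left in place.

```shell
#!/bin/sh
# Install one of the packaged auditd rulesets into /etc/audit/rules.d,
# handling the gzip-compressed copies that Ubuntu ships.
# Added example; function names and the DEST parameter are assumptions.
set -eu

# install_audit_ruleset SRC [DEST]
# Copies SRC (plain or .gz) into DEST (default /etc/audit/rules.d),
# decompressing if needed, and prints the path of the installed file.
install_audit_ruleset() {
    src="$1"
    dest="${2:-/etc/audit/rules.d}"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest"
    case "$src" in
        *.gz)
            out="$dest/$(basename "$src" .gz)"
            gunzip -c "$src" > "$out"   # leaves the packaged .gz intact
            ;;
        *)
            out="$dest/$(basename "$src")"
            cp "$src" "$out"
            ;;
    esac
    printf '%s\n' "$out"
}

# count_active_rules FILE
# Number of lines that are neither blank nor '#' comments, i.e. the rules
# that will actually load after you comment some out or uncomment others.
count_active_rules() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# load_audit_rules
# Restart auditd so it reads rules.d (needs root), then list what loaded.
# augenrules --check reports whether the merged audit.rules is out of date.
load_audit_rules() {
    command -v augenrules >/dev/null 2>&1 && augenrules --check
    if [ -f /etc/redhat-release ]; then
        sudo service auditd restart      # Red Hat / CentOS
    else
        sudo systemctl restart auditd    # Ubuntu
    fi
    sudo auditctl -l
}

# Usage: sh install-ruleset.sh /usr/share/doc/auditd/examples/rules/30-pci-dss-v31.rules.gz
if [ -n "${1:-}" ]; then
    install_audit_ruleset "$1"
    load_audit_rules
fi
```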

Even though auditd is very cool, bear in mind that it only alerts you about potential security breaches. It doesn't do anything to harden the system against them.
