Monitoring log01 - serate-actual/sec350final GitHub Wiki

Summary

Creating custom auditd rules

  • Edit /etc/audit/rules.d/audit.rules (augenrules merges every *.rules file in /etc/audit/rules.d into /etc/audit/audit.rules, so do not edit the merged file directly)
  • Add these lines
# Clears previously loaded rules
-D

# Set the kernel audit buffer size (number of outstanding audit buffers).
# 320 is the value shipped in the sample rules; on a busy host raise it
# (e.g. 8192), or events are lost when the buffer fills.
-b 320

# Monitor writing to the ssh config
-w /etc/ssh -p wa -k ssh_changed

# Monitor writing to the sudoers file
-w /etc/sudoers -p wa -k sudoers_changed

# Monitor writing to the sudoers.d folder
-w /etc/sudoers.d -p wa -k sudoersd_changed
  • Merge and load the rules
    • augenrules --load
  • Confirm the rules are active with auditctl -l; the three watches should be listed with their keys

Ingesting audit.log

  • There is no need for a Splunk Universal Forwarder: Splunk runs on the log server (log01), so the audit log is already local
  • Splunk needs read access to /var/log/audit/audit.log, which auditd creates readable by root only
  • In the Splunk Web Interface, select Settings > Data Inputs
  • Create a new Files & Directories input
  • Select the directory /var/log/audit
  • Set the sourcetype to linux_audit

Organizing logs on the Splunk server

  • Generate test events: create or edit a file in /etc/sudoers.d, run visudo and add a comment to /etc/sudoers, and create a file in /etc/ssh
  • Find the audit event for the change to /etc/sudoers.d and extract the type field (the PATH record names the file that was touched; the matching SYSCALL record carries the rule key, e.g. key="sudoersd_changed")
  • This is an important event, so create an alert for it
    • Select Settings > Searches, Reports, and Alerts
    • Select New
    • Set the name to "sudoers file modified"
    • Change the search to host="log01" type="PATH" name="/etc/sudoers.d"
    • Set the Alert Type to Real-time
    • Set the Trigger alert when field to Per-Result
  • Note that name= is an exact (case-insensitive) match in Splunk: a file created inside the directory appears with its full path (for example /etc/sudoers.d/99-test) and is not matched by name="/etc/sudoers.d". Use a wildcard (name="/etc/sudoers.d*") or search on the rule key from the SYSCALL record (key="sudoersd_changed") to catch every change the rule records.
  • Repeat the process for the other events, changing the alert name and the name= value in the search to match (/etc/sudoers for the sudoers_changed rule, /etc/ssh* for the ssh_changed rule).
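The following Python script is an added example, not part of this wiki or the sec350final project. It shows what the auditd rules above produce and how the alert search above maps onto it: audit.log records are grouped into events by their msg=audit(ts:serial) id, events whose SYSCALL record carries one of the rule keys are summarized, and a Splunk-style name= match is applied to the PATH records to show why an exact name misses files created inside a watched directory. The log lines are constructed to mirror the layout of real audit.log output (a file created in /etc/sudoers.d, an unwatched read of /etc/hostname, and a write to /etc/ssh/sshd_config); inodes, pids and timestamps are made up.

```python
"""Group auditd records into events and flag those matching the rule keys.

Added example; the log lines below are constructed, not captured from log01.
"""
import re
from fnmatch import fnmatch
from collections import defaultdict

# The -k values from the auditd rules on this page
WATCH_KEYS = {"ssh_changed", "sudoers_changed", "sudoersd_changed"}

# Every record of one event shares the same msg=audit(<timestamp>:<serial>) id
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# field=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: three events. Only the first and third carry a rule key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55a1c3d0 a2=941 a3=1b6 items=2 ppid=2001 pid=2042 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="sudoersd_changed"
type=CWD msg=audit(1700000000.101:4567): cwd="/root"
type=PATH msg=audit(1700000000.101:4567): item=0 name="/etc/sudoers.d/" inode=262172 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:4567): item=1 name="/etc/sudoers.d/99-test" inode=262180 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1700000000.101:4567): proctitle=746F756368002F6574632F7375646F6572732E642F39392D74657374
type=SYSCALL msg=audit(1700000000.205:4568): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55a1c4e0 a2=0 a3=0 items=1 ppid=2001 pid=2043 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1700000000.205:4568): cwd="/home/user"
type=PATH msg=audit(1700000000.205:4568): item=0 name="/etc/hostname" inode=262190 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:4569): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55a1c5f0 a2=241 a3=1b6 items=2 ppid=2001 pid=2044 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="ssh_changed"
type=CWD msg=audit(1700000000.310:4569): cwd="/root"
type=PATH msg=audit(1700000000.310:4569): item=0 name="/etc/ssh/" inode=262200 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.310:4569): item=1 name="/etc/ssh/sshd_config" inode=262201 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""
LINES = SAMPLE_LOG.splitlines()


def parse_record(line):
    """Return the fields of one audit.log line as a dict, or None if it is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {"_ts": m.group(1), "_serial": int(m.group(2))}
    for key, value in KV_RE.findall(line):
        if key == "msg":  # already split into _ts/_serial
            continue
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def group_events(lines):
    """Map event serial -> list of its records (SYSCALL, CWD, PATH, PROCTITLE, ...)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def find_watched_events(lines, keys=WATCH_KEYS):
    """Summarize every event whose SYSCALL record carries one of the rule keys.

    The key lives on the SYSCALL record; the file names live on the PATH records,
    so both record types are needed to answer "who changed which file".
    """
    hits = []
    for serial, recs in sorted(group_events(lines).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") not in keys:
            continue
        hits.append({
            "serial": serial,
            "key": syscall["key"],
            "auid": syscall.get("auid"),   # login uid: survives sudo/su
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "success": syscall.get("success"),
            "paths": [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r],
        })
    return hits


def alert_matches(lines, name_pattern):
    """Mimic the alert search type="PATH" name=<value>.

    Splunk compares a field value exactly and case-insensitively, with '*' as the
    only wildcard. Returns the serials of events with a matching PATH record.
    """
    pattern = name_pattern.lower()
    return [serial for serial, recs in sorted(group_events(lines).items())
            if any(r.get("type") == "PATH" and fnmatch(r.get("name", "").lower(), pattern)
                   for r in recs)]


if __name__ == "__main__":
    for hit in find_watched_events(LINES):
        print(f'{hit["serial"]}: key={hit["key"]} auid={hit["auid"]} exe={hit["exe"]} paths={hit["paths"]}')
    print("exact name match:", alert_matches(LINES, "/etc/sudoers.d"))
    print("wildcard match:  ", alert_matches(LINES, "/etc/sudoers.d*"))
```

Running it lists the two keyed events (the sudoers.d file creation and the sshd_config write) and shows that the exact search name="/etc/sudoers.d" matches nothing in this sample, while name="/etc/sudoers.d*" matches the file creation. Keying on the SYSCALL record's key field, as find_watched_events does, is independent of how the path was spelled in the syscall.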