This is a follow-up to my previous blog on Auditd and Splunk. That one was about Defender ATP and Proxmox and license consumption. I did not really touch the subject of a good Auditd baseline configuration.
Florian to the rescue
Do not reinvent the wheel. I didn’t either. There is a true best practice out there already. Built and most importantly constantly maintained by Florian Roth. Once you have installed auditd itself, download Florians latest rules and replace whatever you currently have (most likely an empty default file).
Get the good stuff from here https://github.com/Neo23x0/auditd/blob/master/audit.rules.
Boom says the license consumption
While Florians set gives you great visibility and insight, it really is noisy in many environments that are both live and alive. Florian’s configuration is not at all ignorant about his, quite the opposite. There are comments and guidance on the level of noise to expect from different parts of the rules.
As always – know your own environment, assess your risk, define your risk appetite and then get to work and customize Florians set to your own needs.
An attempt at optimizing for effectiveness and license consumption
Let’s have a look at certain items I modified. You should really download Florian’s rules and cross reference to get an idea of the actual changes here. I am only sharing the actual changes and additions here. The comments should be self-explanatory.
# Splunk itself may be noisy. Don't log stuff that Splunk itself logs. Trust Splunk. -w /var/log/audit/ -F uid!=splunk* -k auditlog
# Splunk itself may be noisy. Don't log stuff that Splunk itself logs. Trust Splunk. -a always,exit -F arch=b32 -S mknod -S mknodat -F uid!=splunk* -k specialfiles -a always,exit -F arch=b64 -S mknod -S mknodat -F uid!=splunk* -k specialfiles
# Gitlab does some weird amount of logging here. Disregard it. This does not remove all Gitlab logging. Just the excessive noise. -a always,exit -F arch=b32 -F uid!=ntp -F uid!=gitlab* -S adjtimex -S settimeofday -S clock_settime -k time -a always,exit -F arch=b64 -F uid!=ntp -F uid!=gitlab* -S adjtimex -S settimeofday -S clock_settime -k time
# We are doing a lot of networking. Let's not log all connections - we're not running a defense system or power plant. #-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4 #-a always,exit -F arch=b32 -S connect -F a2=16 -F success=1 -F key=network_connect_4
# Uname is being called a lot. Let's accept the fact. #-w /bin/uname -p x -k recon
# Comment out the shell you are using. Uncomment everything else. Expected vs. the unexpected. #-w /bin/bash -p x -k susp_shell
# Docker is really noise in some cases. Especially in active environments. Get to know the baseline and then decide not to log this. #-w /var/lib/docker -k docker
# Logging all rootcmd's is noisy. Even without this, anomalies will likely stick out. They will. #-a always,exit -F arch=b64 -F euid=0 -S execve -k rootcmd #-a always,exit -F arch=b32 -F euid=0 -S execve -k rootcmd
What are we running using the modified set?
With these modifications we are successfully running 30+ servers with all kinds of services, for instance the following:
- Docker (in many different contexts and many different setups)
We’ve had some special situations on some of these servers and every time during those situations with exceptional actions, auditd has performed the way it should. It has been loud. As we know, Splunk allows for a fair amount of overconsumption as long as it is occasional. These modification while well behaved during normal operation, do create a lot of fuzz and buzz when we get out of baseline territory. Just like it should. It is almost like we have found a technical solution to fit our risk appetite.
This blog post offers a few simple tricks and tips that will ensure that your security controls do not interfere with each other. The tricks are not really tricks, just plain old configurations which offers food for thought. As we know, Splunk is the most complex beast of a software out there.