Advanced Linux Auditing

Syslog and audited

• Syslog operates as an application and a protocol, meaning that it is capable of generating and forwarding system logs to a log aggregator.
• Audited operates as an application at the kernel level, meaning it has much more granular visibility, but does not have its own protocol and cannot forward system logs.

CISOfy/lynis Security Auditing Tool

Lynis is a security auditing tool for Linux. It performs an in-depth security scan and runs on the system itself. The primary goal is to test security defenses and provide tips for further system hardening. It will also scan for general system information, vulnerable software packages, and possible configuration issues

Policy Auditing: Highlight the differences between local policies and security baselines

Policy Reporting: Export results as a CSV or Excel Spreadsheet

Types of Audited Rules

The Need for Audited Configuration

Traditional Linux audit logging is great for basic compliance purposes; not for making security detections. Audited is a Linux system service that hooks into the kernel and provides detailed information about user modifications, logon activity, use of privileged commands, administrator actions, and kernel module activity. It subsequently reports on these events to help identify malicious or anomalous activity. This allows you to better understand how intruders and malware operate on your network.

Automating audited Policy Configuration

Advanced Auditing: Automatically configure your local audit policy to comply with the CIS security baseline.

CentOS 7 and Ubuntu 16 Support: Out-of-the-box support for CentOS and Ubuntu systems. Minor modifications are necessary for other systems.

Deploy in Seconds: Copy and paste 3 lines of bash into a root terminal to configure everything.