Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Auditd for the Masses

Philipp Krenn
September 29, 2018

Auditd for the Masses

The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration, but ships them to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what can you do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we are combining Auditd events with logs, which are security relevant.

Philipp Krenn

September 29, 2018

More Decks by Philipp Krenn

Other Decks in Programming


  1. "auditd is the userspace component to the Linux Auditing System.

    It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
  2. !

  3. !"

  4. Auditd Module eBPF powers on older kernels Run side by

    side with Auditd Easier configuration
  5. hash_types blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512,

    sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64