Configure your Linux endpoints for use with the IBM® QRadar® Endpoint Content Extension.
About this task
System performance may be affected, depending on the amount of information that is collected.
Procedure
- Create a backup of the existing auditd rules configuration file by typing the following command:
  cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules.bkp
- Edit /etc/audit/rules.d/audit.rules.
  - Open /etc/audit/rules.d/audit.rules in vi by typing the following command:
    vi /etc/audit/rules.d/audit.rules
  - Add the following rules at the end of the file:
    # Program called
    -a exit,always -F arch=b64 -S execve
    -a exit,always -F arch=b32 -S execve
    # It is possible to specify single commands to reduce the load with -F path=<path_to_binary> (see the auditd documentation)
    # Process spawns child
    -a exit,always -F arch=b64 -S fork -S vfork -S clone
    -a exit,always -F arch=b32 -S fork -S vfork -S clone
    # File monitoring for edits and attribute modification
    -w /boot -p wa
    -w /etc/pam.d -p wa
    -w /etc/shadow -p wa
    -w /etc/passwd -p wa
    -w /etc/rsyslog -p wa
    -w /etc/openldap -p wa
    -w /etc/sysconfig/syslog -p wa
    -w /etc/syslog.conf -p wa
    -w /etc/sysconfig/network-scripts -p wa
    -w /etc/default/ufw -p wa
    -w /etc/sudoers -p wa
    Tune the list above, and the matching correlation rules, with the files or directories that you wish to monitor.
- Restart the auditd service by typing the following command:
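Before restarting auditd it is worth confirming that the edited file still contains only valid rules and that the coverage the extension relies on (execve and the fork family on both arches, write and attribute watches on the key files) is complete. The following checker is an added example, not IBM's code; it parses the -a/-F/-S and -w/-p syntax used above and runs over a constructed copy of a subset of the rules (RULES is a constructed sample, not a file read from disk).

```python
"""Sanity-check auditd rules before 'service auditd restart' (added example)."""
import re
import shlex

# Constructed sample: a subset of the rules from the procedure above.
RULES = """\
# Program called
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
# Process spawns child
-a exit,always -F arch=b64 -S fork -S vfork -S clone
-a exit,always -F arch=b32 -S fork -S vfork -S clone
# File monitoring for edits and attribute modification
-w /etc/shadow -p wa
-w /etc/passwd -p wa
-w /etc/sudoers -p wa
"""

def parse_rules(text):
    """Return (syscalls, watches, errors): syscalls is a set of (arch, name)
    from -a rules, watches maps path -> set of -p permissions, errors lists
    (lineno, line) for anything auditctl would reject, e.g. a wrapped comment."""
    syscalls, watches, errors = set(), {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are fine
        if line.startswith("-a "):
            arch = re.search(r"-F\s+arch=(b32|b64)", line)
            for name in re.findall(r"-S\s+(\w+)", line):
                syscalls.add((arch.group(1) if arch else None, name))
        elif line.startswith("-w "):
            toks = shlex.split(line)
            perms = toks[toks.index("-p") + 1] if "-p" in toks else "rwxa"
            watches.setdefault(toks[1], set()).update(perms)
        else:
            errors.append((lineno, line))  # not a rule auditctl understands
    return syscalls, watches, errors

def missing_coverage(text):
    """List gaps relative to the coverage the procedure above establishes."""
    syscalls, watches, errors = parse_rules(text)
    gaps = [f"line {n}: not a rule: {l!r}" for n, l in errors]
    for arch in ("b64", "b32"):
        for name in ("execve", "fork", "vfork", "clone"):
            if (arch, name) not in syscalls:
                gaps.append(f"no {arch} rule for {name}")
    for path in ("/etc/shadow", "/etc/passwd", "/etc/sudoers"):
        if not {"w", "a"} <= watches.get(path, set()):
            gaps.append(f"{path} not watched for write+attr")
    return gaps
```

An empty list from missing_coverage means the sample is complete; on a real host, point it at the contents of /etc/audit/rules.d/audit.rules instead of RULES.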