Configure your Linux endpoints for use with the IBM Security QRadar Endpoint Content Extension.
About this task
System performance may be affected, depending on the amount of information that is collected: the execve and fork/clone rules below generate an event for every process start on the host.
Procedure
- Create a backup of the existing auditd rules configuration file by typing the following command:
cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules.bkp
- Edit /etc/audit/rules.d/audit.rules.
- Open /etc/audit/rules.d/audit.rules in vi by typing the following command:
vi /etc/audit/rules.d/audit.rules
- Add the following rules at the end of the file:
# Program called
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
# To reduce the load, restrict these rules to single binaries with -F path=<path_to_binary> (see the auditctl(8) man page)
# Process spawns child
-a exit,always -F arch=b64 -S fork -S vfork -S clone
-a exit,always -F arch=b32 -S fork -S vfork -S clone
# File monitoring for edits and attribute modifications (write and attribute-change access)
-w /boot -p wa
-w /etc/pam.d -p wa
-w /etc/shadow -p wa
-w /etc/passwd -p wa
-w /etc/rsyslog -p wa
-w /etc/openldap -p wa
-w /etc/sysconfig/syslog -p wa
-w /etc/syslog.conf -p wa
-w /etc/sysconfig/network-scripts -p wa
-w /etc/default/ufw -p wa
-w /etc/sudoers -p wa
Tune the list above, and the matching correlation rules, with the files or directories that you want to monitor. Watch paths that do not exist on the host (for example, rsyslog normally keeps its configuration in /etc/rsyslog.conf and /etc/rsyslog.d rather than /etc/rsyslog) should be corrected or removed.
- Restart the auditd service by typing the following command:
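The whole procedure above (back up the rules file, append the rules once, reload them, confirm they are loaded) as one script. This is an added example written for this page, not IBM's own tooling, and it makes a few assumptions that are not in the original text: a "# BEGIN qradar-endpoint" marker line so that running it twice does not duplicate the rules, -k keys on each rule so that ausearch -k can pull the events back out for checking, and augenrules --load (falling back to service auditd restart, since the auditd systemd unit refuses systemctl restart) as the reload method. auditctl accepts both "-a exit,always" and "-a always,exit"; the man-page order is used here. Two caveats a practitioner will hit: if the existing rules end with "-e 2" the loaded rule set is immutable and new rules only take effect after a reboot, which the script checks for rather than pretending to reload; and on aarch64 hosts there is no fork or vfork syscall, so auditctl will not accept those two lines as written and only clone should be kept there.

```shell
#!/bin/sh
# Added example for this page (not IBM's script): back up, append, reload and
# verify the QRadar endpoint auditd rules. Run as root: ./qradar-audit.sh --apply
# Assumptions not taken from the page: the BEGIN/END marker lines, the -k keys,
# and augenrules/service as the reload method.

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"
MARKER='# BEGIN qradar-endpoint'

# The rule set from the page, wrapped in marker comments. The -k keys are an
# addition; drop them if your correlation content expects key-less records.
qradar_rules() {
    cat <<'EOF'
# BEGIN qradar-endpoint
# Program called
-a always,exit -F arch=b64 -S execve -k qradar_exec
-a always,exit -F arch=b32 -S execve -k qradar_exec
# To reduce the load, restrict to single binaries with -F path=<path_to_binary>
# Process spawns child (aarch64 has no fork/vfork syscall: keep only clone there)
-a always,exit -F arch=b64 -S fork -S vfork -S clone -k qradar_spawn
-a always,exit -F arch=b32 -S fork -S vfork -S clone -k qradar_spawn
# File monitoring for edits and attribute modifications
-w /boot -p wa -k qradar_file
-w /etc/pam.d -p wa -k qradar_file
-w /etc/shadow -p wa -k qradar_file
-w /etc/passwd -p wa -k qradar_file
-w /etc/rsyslog -p wa -k qradar_file
-w /etc/openldap -p wa -k qradar_file
-w /etc/sysconfig/syslog -p wa -k qradar_file
-w /etc/syslog.conf -p wa -k qradar_file
-w /etc/sysconfig/network-scripts -p wa -k qradar_file
-w /etc/default/ufw -p wa -k qradar_file
-w /etc/sudoers -p wa -k qradar_file
# END qradar-endpoint
EOF
}

# Step 1 of the page: copy the rules file aside. Prints the backup path.
backup_rules() {
    file="$1"
    bkp="$file.bkp"
    cp -p "$file" "$bkp" && printf '%s\n' "$bkp"
}

# Steps 2 and 3: append the rules exactly once. Returns 0 when appended,
# 1 when the marker shows they are already there (nothing is written then).
append_rules() {
    file="$1"
    if grep -qF "$MARKER" "$file" 2>/dev/null; then
        return 1
    fi
    qradar_rules >>"$file"
}

# "-e 2" anywhere in rules.d makes the loaded rule set immutable: auditctl
# cannot add rules until the next boot, so a reload would silently do nothing.
rules_immutable() {
    grep -qsE '^-e[[:space:]]+2[[:space:]]*$' "$(dirname "$1")"/*.rules
}

# Step 4: reload. augenrules merges rules.d/*.rules into /etc/audit/audit.rules
# and loads the result; the auditd unit refuses "systemctl restart", hence service.
reload_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    else
        service auditd restart
    fi
}

# Confirm the kernel actually holds the rules rather than just the file on disk.
verify_loaded() {
    auditctl -l | grep -q -- '-S execve' && auditctl -l | grep -q -- '/etc/sudoers'
}

if [ "${1:-}" = "--apply" ]; then
    backup_rules "$RULES_FILE" >/dev/null || exit 1
    append_rules "$RULES_FILE" || echo "rules already present in $RULES_FILE"
    if rules_immutable "$RULES_FILE"; then
        echo "audit rules are immutable (-e 2): reboot to load the new rules" >&2
        exit 2
    fi
    reload_rules && verify_loaded && echo "QRadar endpoint rules loaded"
fi
```

After a successful run, ausearch -k qradar_exec -ts recent should show EXECVE records for any command you run, which is the same stream the extension consumes through the Linux OS DSM.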