-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
High logging rules #96
Comments
Those rules should be move to the section |
I have the same issues with deployment for production systems as @valoq . Has it already been discussed to split the different "log level" to different files for easier scripting? A rules file with all the rules can probably easily be created with a CI task, no? |
Is scripting really necessary? |
In the age of devops, automation, and continuous everything, yes, this is a possible use case IMHO *. Since there is Additionally, it wouldn't hurt, would it? |
Splitting up a rule set into multiple files hurts the main goal of this project: to provide a best practice configuration in form of a single file. You can find split up rule sets and subsets of this set everywhere. Would a dev ops engineer write a script to download an ever changing config file and deploy it automatically. |
If we would compile the split files into a single rules file per CI, I fail to see the disadvantage. I'd argue that automatically updating the rules is as plausible as updating software in general. People maybe trust the project (as we trust a lot of software), maybe subscribe to changes, or maybe consider the effort for manual updates vs. the risk of unwanted rules. |
Having a single file for the rules makes it less complicated to get started with. Having different sections that may be commented or uncommented depending on use case is probably the more simple approach and you can still script it. |
Not sure I managed to express my idea: We would still have a single file for download, just a different URL.
Interesting, with which command would one comment out all rules in the section |
imho the real problem is "security" folks are usually copy-paste force-deploying these rules into prod without any understanding on the linux audit framework neither the infra they should protect... I've seen it a couple of times. So the only thing is missing from the readme is probably an RTFM. Or does it? :)
I wouldn't blame this repo for any of the mentioned issues. |
After several years of using the rules in this repository on many different systems, I have to say that I was never able to deploy them in productive environments without significant changes. That is mostly due to rule that create a high amount of logging data.
Since the project is described as above, which includes a reasonable amount of log data and fitting most use cases, perhaps the relevant rules that trigger most often on common systems should be reviewed.
As one example for such a rule, i would list:
If this rule is use on any productive host offering network services, it will flood the logs with these alerts. in most environments, network connections are already logged by central firewalls, so the question is if this rule makes sense to include by default.
The same question can be targeted at rules like susp_shell which will trigger at every execution of a shell script. On production servers I have often seen this rule flood the logs as well since there were scripts that triggered every few seconds.
In general I would argue that the default audit rules should log mostly critical system activities like changing user attributes and privileges as well as anything that is highly likely to be suspicious while having a low chance to be triggered by false positives. Normal operations like network connections should probably be commented out by default.
The text was updated successfully, but these errors were encountered: