Linux Template
Using the Linux Audit Datasource
The following table lists the Linux audit events the template recognises, the condition that matches each one, and the action and subaction it is mapped to, so you can control which information is received and actioned in your security schema. Field names in the Condition column (LinuxAuditCategory, AuditEvent_exe, AuditEvent_ExecutedCommand, AuditEvent_Operator, AuditEvent_AffectedAccount) refer to the normalised audit event. Rows whose Condition cell is empty are listed as the template defines them; no condition is given for them.
| Action | Subaction | Condition | Description |
|---|---|---|---|
| System Management | | | |
| Object Modification | Object Modification | LinuxAuditCategory = 'LINUXAUDIT.FILESYSTEM.WRITE.FILE.CONTENT' | Records whenever an audited file is modified. |
| Object Modification | Object Ownership Modification | AuditEvent_ExecutedCommand = 'chown' | Records whenever an object's ownership is changed. |
| User Activity | | | |
| Logoff | Logoff | LinuxAuditCategory = 'LINUXAUDIT.LOGOUT.SSH' | Records whenever a user logs off the system. |
| Logon Failed | Logon Failure | | Records whenever a logon attempt fails for an administrator user. |
| Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt by a common user fails. |
| Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt fails for a special user. |
| Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon attempt by an administrator user is successful. |
| Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon attempt by a special user is successful. |
| Logon Successful, Logoff | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by a common user is successful. |
| Temp Privilege Usage | Temporary Privilege Usage | AuditEvent_exe = '/usr/bin/sudo' | Records whenever a program is run with the security privileges of another user (by default, as the superuser). |
| User Switch | User Switch | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SU.SUCCESS' | Records whenever a user successfully switches to a superuser profile. |
| Users' Management | | | |
| Grant Permission | Grant Permission | AuditEvent_ExecutedCommand = 'chmod' | Records whenever there is a change in object permissions. |
| Create Group Role Profile | Group Creation | AuditEvent_exe = '/usr/sbin/groupadd' | Records whenever a group is created. |
| Drop Group Role Profile | Group Deletion | AuditEvent_exe = '/usr/sbin/groupdel' | Records whenever a group is deleted. |
| Group Role Profile | Group Modification | AuditEvent_exe = '/usr/sbin/groupmod' | Records whenever a group is changed. |
| Password Changed | Password Modification | AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount | Records whenever a user password is changed. |
| Password Reset | Password Reset | AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount | Records whenever a user password is reset. |
| Create User | User Creation | AuditEvent_exe = '/usr/sbin/useradd' | Records whenever a user account is created. |
| Drop User | User Deletion | AuditEvent_exe = '/usr/sbin/userdel' | Records whenever a user account is deleted. |
| User Amended | User Modification | AuditEvent_exe = '/usr/sbin/usermod' | Records whenever a user account is changed. |
Using the Linux Syslog Datasource
The following table lists the Linux syslog events the template recognises, the condition that matches each one, and the action and subaction it is mapped to, so you can control which information is received and actioned in your security schema. The conditions use the same normalised field names as the Linux Audit table above.
| Action | Subaction | Condition | Description |
|---|---|---|---|
| User Activity | | | |
| Logoff | Logoff | LinuxAuditCategory = 'LINUXAUDIT.LOGOUT.SSH' | Records whenever a user logs off the system. |
| Logon Failed | Logon Failure | | Records whenever a logon attempt fails for an administrator user. |
| Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt by a common user fails. |
| Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt fails for a special user. |
| Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon attempt by an administrator user is successful. |
| Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon attempt by a special user is successful. |
| Logon Successful, Logoff | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by a common user is successful. |
| User Statement | Command Execution (SUDO) | AuditEvent_exe = '/usr/bin/sudo' | Records whenever a program is run with the security privileges of another user (by default, as the superuser). |
| User Switch | User Switch | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SU.SUCCESS' | Records whenever a user successfully switches to a superuser profile. |
| Users' Management | | | |
| Create Group Role Profile | Group Creation | AuditEvent_exe = '/usr/sbin/groupadd' | Records whenever a group is created. |
| Drop Group Role Profile | Group Deletion | AuditEvent_exe = '/usr/sbin/groupdel' | Records whenever a group is deleted. |
| Group Role Profile | Group Modification | AuditEvent_exe = '/usr/sbin/groupmod' | Records whenever a group is changed. |
| Password Changed | Password Modification | AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount | Records whenever a user password is changed. |
| Create User | User Creation | AuditEvent_exe = '/usr/sbin/useradd' | Records whenever a user account is created. |
| Drop User | User Deletion | AuditEvent_exe = '/usr/sbin/userdel' | Records whenever a user account is deleted. |
| User Amended | User Modification | AuditEvent_exe = '/usr/sbin/usermod' | Records whenever a user account is changed. |
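The conditions in both tables above (the Linux Audit table and the Linux Syslog table share the same field names and, for sudo, su, group, user and password events, the same conditions) are small expressions of the form `field = 'literal'` or `field <> other_field`, joined by `and`. The following is an added example, not the product's own code, that evaluates those condition strings exactly as they appear in the tables against a few constructed audit events and reports every action/subaction that fires. The field names are the ones the tables use; the flat-dictionary event shape, the sample events and the rule that a comparison on a field the event lacks is treated as not satisfied are assumptions made for this example.

```python
"""Evaluate the Linux template's rule conditions against normalised audit events.

Added example, not the product's own code. Field names are the ones used in
the template tables; the event records are constructed for illustration and
the flat-dict record shape is an assumption.
"""
import re
from typing import Dict, List, Tuple

# (Action, Subaction, Condition) copied from the template tables. Rows whose
# Condition cell is empty (the administrator logon-failure row) cannot be
# evaluated and are left out.
RULES: List[Tuple[str, str, str]] = [
    ("Object Modification", "Object Modification",
     "LinuxAuditCategory = 'LINUXAUDIT.FILESYSTEM.WRITE.FILE.CONTENT'"),
    ("Object Modification", "Object Ownership Modification",
     "AuditEvent_ExecutedCommand = 'chown'"),
    ("Logoff", "Logoff", "LinuxAuditCategory = 'LINUXAUDIT.LOGOUT.SSH'"),
    ("Logon Failed", "Logon Failure",
     "LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE'"),
    ("Logon Successful", "Successful Login",
     "LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS'"),
    ("Temp Privilege Usage", "Temporary Privilege Usage",
     "AuditEvent_exe = '/usr/bin/sudo'"),
    ("User Switch", "User Switch", "LinuxAuditCategory = 'LINUXAUDIT.LOGON.SU.SUCCESS'"),
    ("Grant Permission", "Grant Permission", "AuditEvent_ExecutedCommand = 'chmod'"),
    ("Create Group Role Profile", "Group Creation", "AuditEvent_exe = '/usr/sbin/groupadd'"),
    ("Password Changed", "Password Modification",
     "AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount"),
    ("Password Reset", "Password Reset",
     "AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount"),
    ("Create User", "User Creation", "AuditEvent_exe = '/usr/sbin/useradd'"),
]

# One comparison: <field> (= | <>) <'literal' | other_field>
_TERM = re.compile(r"^\s*(\w+)\s*(<>|=)\s*(?:'([^']*)'|(\w+))\s*$")


def evaluate(condition: str, event: Dict[str, str]) -> bool:
    """True when every 'and'-joined comparison in the condition holds.

    Assumption: a comparison that refers to a field the event does not carry
    is treated as not satisfied, so a rule never fires on incomplete data.
    """
    for term in re.split(r"\s+and\s+", condition.strip(), flags=re.IGNORECASE):
        match = _TERM.match(term)
        if match is None:
            raise ValueError(f"unparseable condition term: {term!r}")
        field, op, literal, other_field = match.groups()
        left = event.get(field)
        right = literal if literal is not None else event.get(other_field)
        if left is None or right is None:
            return False
        if (left == right) != (op == "="):
            return False
    return True


def classify(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every (Action, Subaction) whose condition the event satisfies, in table order."""
    return [(action, sub) for action, sub, cond in RULES if evaluate(cond, event)]


# Constructed sample events (not real captures).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # failed SSH logon for a common user
    {"LinuxAuditCategory": "LINUXAUDIT.LOGON.SSH.FAILURE", "AuditEvent_AffectedAccount": "alice"},
    # 'sudo chown ...' : both the sudo rule and the chown rule apply
    {"AuditEvent_exe": "/usr/bin/sudo", "AuditEvent_ExecutedCommand": "chown",
     "AuditEvent_Operator": "alice"},
    # root sets bob's password: operator differs from the affected account
    {"AuditEvent_exe": "/usr/bin/passwd", "AuditEvent_Operator": "root",
     "AuditEvent_AffectedAccount": "bob"},
    # bob changes his own password: operator equals the affected account
    {"AuditEvent_exe": "/usr/bin/passwd", "AuditEvent_Operator": "bob",
     "AuditEvent_AffectedAccount": "bob"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", classify(event) or "no rule matched")
```

Two things the run makes visible that the tables alone do not. A `sudo chown` event satisfies both the Temporary Privilege Usage rule and the Object Ownership Modification rule, so an evaluator that stops at the first match would report only whichever row comes first. And because the Password Changed and Password Reset rows carry the identical condition, a password set by an administrator for another account fires both rows, while a user changing their own password (operator equal to the affected account) matches neither; if self-service changes are to be recorded under Password Changed, that row needs a condition of its own.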