Detecting Exploits - OMIGod (Linux Logging with Auditd)

00:00 - Intro, how to install and configure auditd
01:15 - Installing Auditd
02:30 - Downloading a good baseline ruleset from github
03:40 - Going over the baseline file to understand how logging works
05:00 - What the -p flag does with file watches: logging read/write/execute/attribute-change events
07:10 - If you want CWD in your logs, uncomment this line
13:20 - Logging priv_esc events
14:40 - Excluding system accounts from log captures
15:40 - Fun detections to find recon and suspicious activity
21:40 - Logging when users fail to access files in special directories
24:16 - Running the omigod exploit and getting a reverse shell via echo/base64
25:05 - Running ausearch to detect what we had done by searching for commands run by root
28:00 - Using some bash-fu to show only commands run under a given PPID
28:50 - Looking for the suspicious activity
30:40 - Analyzing a detection rule for this and understanding the importance of not excluding CWD from logs
34:15 - Checking if mkfifo is detected... yep
36:20 - Installing Laurel to convert Auditd's multi-line format to single-line JSON
38:50 - Installing Rust then compiling Laurel
43:40 - Removing End Of Event from Auditd config to see if that fixes the Laurel bug (IT DOES!)
46:56 - Viewing our Auditd logs in JSON format! SIEMs will love this!
48:30 - Going over aureport to show some things
50:30 - Looking for why we have so many syscall failures