
Rewrite auditd role to use go-audit

Open dguido opened this issue 9 years ago • 2 comments

auditd is the best security feature that no one uses. As an optional feature, we should have Algo configured to log security-critical information and email it out of the VM on a regular basis. The role should use go-audit to get its job done.

There's a lot of sample auditd configuration from CI Security that we copied over to this repo. We should verify that these rules are appropriate:

https://github.com/trailofbits/algo/blob/master/templates/audit.rules.j2
https://github.com/trailofbits/algo/blob/master/templates/auditd.conf.j2
https://github.com/trailofbits/algo/blob/master/templates/CIS.conf.j2
https://github.com/trailofbits/algo/blob/master/security.yml#L44-L52

Here's a short guide for installing and configuring go-audit: https://summitroute.com/blog/2016/12/25/Catching_attackers_with_go-audit_and_a_logging_pipeline/

dguido, Jul 19 '16 20:07

$250 bounty! Submit a pull request and email [email protected] to claim it. Partial solutions may be rewarded.

dguido, Nov 25 '16 20:11

As a heads up, we just added direct file output from go-audit (you no longer have to use rsyslog), which is probably helpful here.

rawdigits, Nov 30 '16 17:11
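The opening post asks for go-audit to log security-critical events and have them emailed out of the VM on a schedule, and the last comment notes that go-audit can now write directly to a file. What sits between those two is a consumer for that file. The script below is an added example written for this thread, not code from Algo or from the go-audit project. It assumes go-audit's JSON output format as described in the linked summitroute post: one object per line carrying `sequence`, `timestamp`, a `messages` list of `{"type": <audit record type>, "data": "<k=v pairs>"}`, and a `uid_map` from numeric uid to username. The three sample lines are constructed to illustrate that format (a root shell reading /etc/shadow under an audit rule keyed `shadow`, a benign `ls`, and a garbage line), not captured from a real host, and the watched-key list is a placeholder for whatever keys the reviewed `audit.rules.j2` ends up using.

```python
"""Pick security-relevant events out of go-audit's JSON file output.

Added example, not part of Algo or go-audit. Assumes go-audit's default
JSON output: one object per line with "sequence", "timestamp", "messages"
(a list of {"type": <audit record type>, "data": "<k=v ...>"}) and a
"uid_map" of numeric uid -> username. Sample input below is constructed.
"""
import json
import re
from typing import Dict, Iterable, List

# Audit record types, numbered as in <linux/audit.h>.
AUDIT_SYSCALL = 1300
AUDIT_PATH = 1302
AUDIT_CWD = 1307

# Placeholder: the -k keys that the reviewed audit rules tag events with
# (e.g. "-w /etc/shadow -p wa -k shadow"). Adjust to match the rules file.
WATCHED_KEYS = {"shadow", "sudoers", "sshd_config"}

# k=v pairs; a value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(data: str) -> Dict[str, str]:
    """Turn 'uid=0 exe="/bin/cat" key="shadow"' into a dict, dropping quotes."""
    out: Dict[str, str] = {}
    for k, v in _KV.findall(data):
        if v.startswith('"') and v.endswith('"'):
            v = v[1:-1]
        out[k] = v
    return out


def summarize_event(event: dict) -> dict:
    """Flatten one go-audit event into the fields an alert or email needs."""
    syscall: Dict[str, str] = {}
    paths: List[str] = []
    cwd = None
    for msg in event.get("messages", []):
        fields = parse_fields(msg.get("data", ""))
        rec_type = msg.get("type")
        if rec_type == AUDIT_SYSCALL:
            syscall = fields          # uid/auid/exe/key live on the SYSCALL record
        elif rec_type == AUDIT_PATH and "name" in fields:
            paths.append(fields["name"])
        elif rec_type == AUDIT_CWD:
            cwd = fields.get("cwd")
    uid_map = event.get("uid_map", {})
    uid, auid = syscall.get("uid", ""), syscall.get("auid", "")
    return {
        "sequence": event.get("sequence"),
        "timestamp": event.get("timestamp"),
        "key": syscall.get("key", ""),
        "syscall": syscall.get("syscall"),
        "success": syscall.get("success") == "yes",
        "user": uid_map.get(uid, uid),          # effective user
        "login_user": uid_map.get(auid, auid),  # who actually logged in (auid survives su/sudo)
        "exe": syscall.get("exe"),
        "cwd": cwd,
        "paths": paths,
    }


def find_alerts(lines: Iterable[str], watched=WATCHED_KEYS) -> List[dict]:
    """Return summaries of events whose rule key is in `watched`; skip malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or non-JSON noise in the log file
        summary = summarize_event(event)
        if summary["key"] in watched:
            alerts.append(summary)
    return alerts


def format_report(alerts: List[dict]) -> str:
    """One line per alert, the shape you would put in the periodic email body."""
    return "\n".join(
        f'[{a["timestamp"]}] key={a["key"]} user={a["user"]} (login={a["login_user"]}) '
        f'exe={a["exe"]} paths={",".join(a["paths"])} success={a["success"]}'
        for a in alerts
    )


# Constructed sample lines (not real captures): a root shell, logged in as uid 1000,
# reading /etc/shadow; a keyless ls; and a garbage line to exercise the skip path.
SAMPLE_LINES = [
    json.dumps({"sequence": 1, "timestamp": "1482689112.254", "messages": [
        {"type": 1300, "data": 'arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=4711 '
                               'pid=4712 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 '
                               'comm="cat" exe="/bin/cat" key="shadow"'},
        {"type": 1307, "data": 'cwd="/root"'},
        {"type": 1302, "data": 'item=0 name="/etc/shadow" inode=262154 dev=fc:01 '
                               'mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL'}],
        "uid_map": {"0": "root", "1000": "dguido"}}),
    json.dumps({"sequence": 2, "timestamp": "1482689113.001", "messages": [
        {"type": 1300, "data": 'arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4711 '
                               'pid=4720 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 '
                               'comm="ls" exe="/bin/ls" key=(null)'},
        {"type": 1307, "data": 'cwd="/tmp"'}],
        "uid_map": {"1000": "dguido"}}),
    "this is not json",
]

if __name__ == "__main__":
    print(format_report(find_alerts(SAMPLE_LINES)))
```

In practice `find_alerts` would be fed the go-audit output file (the one the last comment refers to) and the report handed to whatever mailer the role wires up; the `login_user` column is the one worth keeping, since `auid` is what tells you which SSH user became root, which `uid` alone does not.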