auditd
Best Practice Auditd Configuration (by Neo23x0)
adversary_emulation_library
An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. (by center-for-threat-informed-defense)
| auditd | adversary_emulation_library | |
|---|---|---|
| 9 | 8 | |
| 1,364 | 1,550 | |
| - | 1.9% | |
| 5.8 | 9.5 | |
| 13 days ago | 4 months ago | |
| C | ||
| Apache License 2.0 | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
auditd
Posts with mentions or reviews of auditd.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-02-24.
-
The Linux Process Journey - “kauditd”
Lastly, by using the “Linux Auditing System” the system administrator can investigate what happens in the system for the purpose of debugging or in case of a security incident. We can also use the “auditctl” utility get/add/delete rules as part of Linux's kernel audit system (https://linux.die.net/man/8/auditctl). Also, there are great examples for “audit.rules” in GitHub (one example is https://github.com/Neo23x0/auditd/blob/master/audit.rules).
-
Looking for inputs and validation for this network setup.
2) There are many opensource solutions, and you hit on all the important ones. Think creativitly, and test all your controls. hit your boxes with Metaspoilt and atomic redteam. These tools will help you verify that you have the proper controls in place, and that you are able to detect attacks (successful, and failed). Run auditd with Florian Roth's rule set on your linux boxes (https://github.com/Neo23x0/auditd/blob/master/audit.rules ), and sysmon (https://github.com/olafhartong/sysmon-modular) on windows.
-
Top 5 logs to ingest into Splunk
Linux: AuditD with customized configurations script for your environment
-
help needed: auditd rules for general purpose vps
However, the auditd repo from Florian Roth is like a golden standard for auditd config.
- How to forward syslog event related to CMDs done by none root user
- New blue team
-
Alerts Log Broken
Enabled auditd - with the rules from - https://github.com/Neo23x0/auditd
-
Splunk App for Unix and Linux
I don't think that the addon can do this for you. But, as a good start, check out Florian Roths auditd config (https://github.com/Neo23x0/auditd).
- Sysmon on Linux
adversary_emulation_library
Posts with mentions or reviews of adversary_emulation_library.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-10-16.
-
What adversary emulation options are there nowadays to test SIEMs and IDSs?
Unfortunately I don't have the background and knowledge of cybersecurity needed to plan a pentest of my own. Also, it would be more interesting to emulate the attacks of actual APTs known in the wild. So far, I've tested Caldera, Invoke-AtomicRedTeam and manual tests from CTID's adversary emulation library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
- adversary_emulation_library: An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
-
New blue team
This is a great callout! To help get started, check out the adversary emulation library, https://github.com/center-for-threat-informed-defense/adversary_emulation_library. There are also micro-emulation plans, described here: https://ctid.mitre-engenuity.org/our-work/micro-emulation-plans/.
- micro_emulation_plans: This collection expands the impact of the Adversary Emulation Library by developing easy-to-execute adversary emulation content that targets specific behaviors and challenges facing defenders
-
Advice on purple teaming
I don't know how we know what CS would do if that command was part of a chain of attack, I'm assuming it would just detect on the more malicious activities. Once we get a bit more mature in our use of Atomic Red team I was looking at this framework for simulating an actual attack chain.
- THT: When hunt APT look for emulation ...
- Adversary Emulation Library
- menuPass Adversary Emulation
What are some alternatives?
When comparing auditd and adversary_emulation_library you can also consider the following projects:
sysmon-modular - A repository of sysmon configuration modules
tram - TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®.
velociraptor - Digging Deeper....
laurel - Transform Linux Audit logs for SIEM usage
attack-flow - Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
attack-control-framework-mappings - 🚨ATTENTION🚨 The NIST 800-53 mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.
RedEye - RedEye is a visual analytic tool supporting Red & Blue Team operations
AtomicPurpleTeam - Atomic Purple Team Framework and Lifecycle
stix2.1-coa-playbook-extension - A STIX 2.1 Extension Definition for the Course of Action (COA) object type. The nested property extension allows a COA to share machine-readable security playbooks such as CACAO Security Playbooks
auditd vs sysmon-modular
adversary_emulation_library vs tram
auditd vs velociraptor
adversary_emulation_library vs sysmon-modular
auditd vs laurel
adversary_emulation_library vs attack-flow
auditd vs PEASS-ng
adversary_emulation_library vs attack-control-framework-mappings
auditd vs RedEye
adversary_emulation_library vs RedEye
auditd vs AtomicPurpleTeam
adversary_emulation_library vs stix2.1-coa-playbook-extension