Auditd for the Masses - Philipp Krenn - Hack in Paris - 2018

Hack in Paris via YouTube

Overview

This course teaches learners how to utilize the Linux Audit daemon to write audit records and access them using ausearch and aureport. It covers the challenges of parsing and centralizing these records and introduces Elastic's Auditbeat as a solution to ship records to a centralized location for easy visualization. Participants will learn to detect changes to critical files, identify security policy violations, and discover security breaches using interactive dashboards. The course also demonstrates combining Auditd events with logs for enhanced security monitoring. The intended audience for this course includes individuals interested in Linux security, system administrators, and cybersecurity professionals. The teaching method includes a combination of theoretical explanations, live demonstrations, and practical examples.

Syllabus

Intro
Security incidents
Questions
General Architecture
Live Demonstration
Ubuntu Audit Report
Ubuntu Audit Rules
Example Rules
Oddity
Elastic
Belk
oddity module
Filebeat
Kibana
Auditbeat
overview
auditd configuration
SSH login attempts
User login
Passwd Read
Discover
User Nurse
Executions
Secret Text
Power Abuse
Website
Index
Emoji
Website Vandalism
File Integrity
File Integrity Overview
File Integrity Support
Dashboards
Machine Learning
AWS S3
Lego
Oddness
Dashboard
Stickers
Light
Photo
Containers
System Oddity
Data Management
Security

Taught by

Hack in Paris
