Python code that parses Auditd logs, saves parsed events to SQLite and aggregates results for chosen rules/commands.
This guide provides step-by-step instructions to set up Auditd on Ubuntu, configure audit rules with keys in the audit rules file, and install Pandas for data analysis.
- Ubuntu operating system (tested on Ubuntu XX.XX)
- Administrative access to the Ubuntu system
- Update the package list for the most up-to-date information on available packages:
  sudo apt update
- Install the Auditd package:
  sudo apt install auditd
- Open the audit rules file for editing (requires root):
  sudo nano /etc/audit/rules.d/audit.rules
- Add the necessary audit rules using the appropriate keys (-k). The key is written into every matching record as key="...", which is what the parser later groups on. For example, to watch the cron configuration:
  -w /etc/cron.allow -p rxwa -k cron_allow
  -w /etc/cron.deny -p rxwa -k cron_deny
  -w /etc/cron.d/ -p rxwa -k cron_d
  -w /etc/cron.daily/ -p wa -k cron_daily
  -w /etc/cron.hourly/ -p wa -k cron_hourly
  -w /etc/cron.monthly/ -p wa -k cron_monthly
  -w /etc/cron.weekly/ -p wa -k cron
  -w /etc/crontab -p wa -k cron
  -w /var/spool/cron/ -p wa -k cron
- Restart the Auditd service to apply the new rules, then confirm they are loaded:
  sudo service auditd restart
  sudo auditctl -l
- Install Pandas (optionally inside a virtual environment):
  pip install pandas
- Run the parser:
  python3 main.py
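As an added, stand-alone example (not the project's main.py), the script below walks the pipeline described at the top of this guide: it parses raw records from /var/log/audit/audit.log, joins the records that share one audit serial into a single event, stores the keyed events in SQLite and aggregates them per rule key and command. The log lines are constructed to match the cron rules above rather than captured from a real host, and the function names and table schema are this example's own assumptions, not the project's. Aggregation is done in SQL here so the script runs without Pandas.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed auditd records (not captured from a real host); the paths and
# keys correspond to the cron watch rules configured in this guide.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="nano" exe="/usr/bin/nano" key="cron"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/crontab" inode=4711 dev=fc:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1200 pid=1210 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" key="cron_d"
type=PATH msg=audit(1700000000.205:202): item=0 name="/etc/cron.d/backup" inode=4712 dev=fc:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1700000000.309:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2300 pid=2301 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="cron_allow"
type=PATH msg=audit(1700000000.309:203): item=0 name="/etc/cron.allow" inode=4713 dev=fc:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.410:204): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1220 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="nano" exe="/usr/bin/nano" key="cron"
type=PATH msg=audit(1700000000.410:204): item=0 name="/etc/cron.daily/logrotate" inode=4714 dev=fc:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=USER_START msg=audit(1700000000.500:205): pid=2400 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

# Every raw record starts with its type and an audit(<timestamp>:<serial>) stamp;
# all records belonging to one event share the serial.
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# name=value fields; values may be bare, "double quoted" or 'single quoted'
FIELD_RE = re.compile(r"""([A-Za-z0-9_]+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Parse one raw auditd line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for name, value in FIELD_RE.findall(m["rest"]):
        rec[name] = value.strip("\"'")
    return rec


def events_from_log(lines):
    """Join records by serial into one event per keyed SYSCALL (PATH supplies the filename)."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    events = []
    for serial, records in sorted(by_serial.items()):
        sc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key", "(null)") == "(null)":
            continue  # not triggered by one of the -k rules; ignore
        paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
        events.append({"serial": serial, "ts": sc["ts"], "rule_key": sc["key"],
                       "comm": sc.get("comm"), "exe": sc.get("exe"),
                       "auid": int(sc.get("auid", -1)), "success": sc.get("success"),
                       "path": paths[0] if paths else None})
    return events


def store_events(conn, events):
    """Create the events table if needed and insert events; duplicate serials are skipped."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (serial INTEGER PRIMARY KEY, ts REAL, "
                 "rule_key TEXT, comm TEXT, exe TEXT, auid INTEGER, success TEXT, path TEXT)")
    conn.executemany("INSERT OR IGNORE INTO events VALUES (:serial, :ts, :rule_key, :comm, "
                     ":exe, :auid, :success, :path)", events)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def aggregate(conn, keys=None):
    """Count events per (rule key, command), optionally restricted to the chosen keys."""
    sql = "SELECT rule_key, comm, COUNT(*) AS n FROM events"
    params = ()
    if keys:  # parameterised IN list, so key names never reach the SQL text
        sql += " WHERE rule_key IN (%s)" % ",".join("?" * len(keys))
        params = tuple(keys)
    sql += " GROUP BY rule_key, comm ORDER BY n DESC, rule_key, comm"
    return conn.execute(sql, params).fetchall()


def failed_accesses(conn):
    """Denied accesses to watched files, e.g. a non-root user probing /etc/cron.allow."""
    return conn.execute("SELECT rule_key, auid, comm, path FROM events WHERE success = 'no' "
                        "ORDER BY ts").fetchall()


def build_database(lines, db_path=":memory:"):
    conn = sqlite3.connect(db_path)
    store_events(conn, events_from_log(lines))
    return conn


if __name__ == "__main__":
    conn = build_database(SAMPLE_LOG.splitlines())
    for rule_key, comm, n in aggregate(conn):
        print(f"{rule_key:<12} {comm or '-':<8} {n}")
    for row in failed_accesses(conn):
        print("denied:", row)
```

Pass `db_path="audit.db"` to keep the database on disk between runs; `INSERT OR IGNORE` on the serial primary key makes re-importing the same log idempotent. The `failed_accesses` query is the kind of check worth running routinely: a denied read of /etc/cron.allow by a non-root login (auid 1001 in the constructed data) is exactly what the `-p r` permission on that rule exists to surface.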