[Rule Tuning] Updated setup guide #3885
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Rule: Tuning - GuidelinesThese guidelines serve as a reminder set of considerations when tuning an existing rule. Documentation and Context
Rule Metadata Checks
Testing and Validation
|
|
@Aegrah could you please follow the setup guide template mentioned in this issue: https://github.com/elastic/ia-trade-team/issues/410 |
|
@approksiu copy pasted it from the template now. |
imays11
approved these changes
Jul 13, 2024
| setup = """## Setup | ||
| This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. | ||
| setup = """### Auditd Manager Integration Setup | ||
| The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. |
There was a problem hiding this comment.
The format seems a bit off from the templates we have here
Its good to keep it consistent across the rules, if we dont have a specific reason as to why this has changed here.
There was a problem hiding this comment.
I copy pasted it from that doc..
There was a problem hiding this comment.
Have added the suggestion on what was missing
There was a problem hiding this comment.
I implemented your change, but I don't see that line in the document you shared. Doing a ctrl + f in that document also does not return any hits.
We might have to change the template document if the document is wrong!
There was a problem hiding this comment.
Discussed on slack. This was a more of a main section introduction missing!
rules/linux/persistence_user_or_group_creation_or_modification.toml
Outdated
Show resolved
Hide resolved
shashank-elastic
approved these changes
Jul 17, 2024
….toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Aegrah
commented
Jul 17, 2024
rules/linux/persistence_user_or_group_creation_or_modification.toml
Outdated
Show resolved
Hide resolved
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 17, 2024
* [Rule Tuning] Updated setup guide * Update persistence_user_or_group_creation_or_modification.toml * Update rules/linux/persistence_user_or_group_creation_or_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/linux/persistence_user_or_group_creation_or_modification.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit e5d08a2)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 17, 2024
* [Rule Tuning] Updated setup guide * Update persistence_user_or_group_creation_or_modification.toml * Update rules/linux/persistence_user_or_group_creation_or_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/linux/persistence_user_or_group_creation_or_modification.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit e5d08a2)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 17, 2024
* [Rule Tuning] Updated setup guide * Update persistence_user_or_group_creation_or_modification.toml * Update rules/linux/persistence_user_or_group_creation_or_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/linux/persistence_user_or_group_creation_or_modification.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit e5d08a2)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 17, 2024
* [Rule Tuning] Updated setup guide * Update persistence_user_or_group_creation_or_modification.toml * Update rules/linux/persistence_user_or_group_creation_or_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/linux/persistence_user_or_group_creation_or_modification.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit e5d08a2)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 17, 2024
* [Rule Tuning] Updated setup guide * Update persistence_user_or_group_creation_or_modification.toml * Update rules/linux/persistence_user_or_group_creation_or_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/linux/persistence_user_or_group_creation_or_modification.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit e5d08a2)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 17, 2024
* [Rule Tuning] Updated setup guide * Update persistence_user_or_group_creation_or_modification.toml * Update rules/linux/persistence_user_or_group_creation_or_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/linux/persistence_user_or_group_creation_or_modification.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit e5d08a2)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Added setup guide instructions to this rule, to allow customers to more easily set up the necessary auditd rules.