I've been looking for this for about 3 days now and have come up empty-handed. I am looking for a way to build a threat alert for Linux-based credential dumping in Splunk.

To do this I need to be able to monitor the /proc directory. I found audit and auditd (the audit daemon) but I don't know how to actually configure auditd to monitor /proc. If I could do this I could then connect audit.log to Splunk.

I want to at least monitor:

/proc/<PID>/maps
/proc/<PID>/mem
/proc/<PID>/cmdline

But ideally I want to monitor everything in /proc.

Has anyone here ever done this? If so I would really appreciate some help.

Additionally: I found klogd (kernel log daemon), syslogd and a ps and top combination, but I don't know how to configure those for /proc either, or whether that is even what I need.

Any advice is appreciated!

I am of course open to other methods and ideas.

freginold

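To show what the audit.log side of this looks like once rules are in place, here is an added example (my code, not from the question) that runs the detection logic over a few constructed audit.log lines. It assumes two syscall rules keyed "cred_dump", which are the usual substitute for file watches on /proc, since procfs entries are virtual, per-process objects and I would not rely on a `-w /proc/...` watch: `-a always,exit -F arch=b64 -S ptrace -F a0=0x10 -k cred_dump` (PTRACE_ATTACH) and `-a always,exit -F arch=b64 -S process_vm_readv -k cred_dump`. For reads of /proc/<PID>/mem, maps and cmdline it assumes an open/openat syscall rule keyed "proc_access" and reads the target from the PATH record of the same event; the exact filter for that rule (and the syscall numbers, which are assumed for x86_64 and aarch64) should be verified against auditctl(8) and the kernel on your hosts. The sample events are constructed, not real captures.

```python
import re
from collections import defaultdict

# Raw audit.log SYSCALL records carry syscall numbers, not names, and the
# numbering depends on the "arch" field. Assumption: x86_64 and aarch64 hosts.
SYSCALLS = {
    "c000003e": {2: "open", 257: "openat", 101: "ptrace", 310: "process_vm_readv"},  # x86_64
    "c00000b7": {56: "openat", 117: "ptrace", 270: "process_vm_readv"},              # aarch64
}
PTRACE_ATTACH = 0x10   # ptrace(2) request in a0 (audit logs args as bare hex)
PTRACE_SEIZE = 0x4206  # the newer attach variant
# Only the three files from the question, and only with an explicit PID:
# a process reading /proc/self/... is ordinary behaviour and never matches.
PROC_TARGET = re.compile(r"^/proc/(\d+)/(mem|maps|cmdline)$")
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log events (not real captures). Assumed rules:
#   -a always,exit -F arch=b64 -S ptrace -F a0=0x10 -k cred_dump
#   -a always,exit -F arch=b64 -S process_vm_readv -k cred_dump
#   an open/openat syscall rule keyed proc_access (filter left to the reader)
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.100:1001): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=3000 pid=3101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="gdb" exe="/usr/bin/gdb" key="cred_dump"
type=SYSCALL msg=audit(1700000000.200:1002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=0 a3=0 items=1 ppid=3000 pid=3102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="python3" exe="/usr/bin/python3.11" key="proc_access"
type=CWD msg=audit(1700000000.200:1002): cwd="/tmp"
type=PATH msg=audit(1700000000.200:1002): item=0 name="/proc/1234/mem" inode=12345 dev=00:05 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:1003): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e0 a2=0 a3=0 items=1 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="proc_access"
type=PATH msg=audit(1700000000.300:1003): item=0 name="/proc/777/maps" inode=777 dev=00:05 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.400:1004): arch=c00000b7 syscall=270 success=yes exit=4096 a0=4d2 a1=ffffd000 a2=1 a3=ffffd010 items=0 ppid=3000 pid=3103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="dumper" exe="/tmp/dumper" key="cred_dump"
type=SYSCALL msg=audit(1700000000.500:1005): arch=c000003e syscall=101 success=yes exit=0 a0=1 a1=4d2 a2=7f00 a3=0 items=0 ppid=3000 pid=3101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="gdb" exe="/usr/bin/gdb" key="cred_dump"
"""


def parse_record(line):
    """Split one audit.log line into a dict of key=value fields plus the event serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_time"] = float(m.group(1))
    rec["_serial"] = int(m.group(2))
    return rec


def group_events(lines):
    """SYSCALL, CWD and PATH records of one event share a serial; group them."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def detect(lines):
    """Return one alert per event that looks like reading another process's memory."""
    alerts = []
    for serial, records in sorted(group_events(lines).items()):
        sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        name = SYSCALLS.get(sc.get("arch"), {}).get(int(sc.get("syscall", -1)))
        if name is None:
            continue
        base = {"serial": serial, "pid": sc.get("pid"), "comm": sc.get("comm"),
                "exe": sc.get("exe"), "success": sc.get("success")}
        if name == "ptrace":
            # Alert on the attach itself; PEEKDATA calls after it are noise.
            if int(sc.get("a0", "0"), 16) in (PTRACE_ATTACH, PTRACE_SEIZE):
                alerts.append({**base, "reason": "ptrace attach",
                               "target_pid": str(int(sc.get("a1", "0"), 16))})
        elif name == "process_vm_readv":
            # First argument is the pid being read.
            alerts.append({**base, "reason": "process_vm_readv",
                           "target_pid": str(int(sc.get("a0", "0"), 16))})
        else:  # open/openat: the opened name is in the event's PATH record(s)
            for p in records:
                if p.get("type") != "PATH":
                    continue
                m = PROC_TARGET.match(p.get("name", ""))
                if m and m.group(1) != base["pid"]:  # skip a process reading itself
                    alerts.append({**base, "reason": f"read of /proc/<pid>/{m.group(2)}",
                                   "target_pid": m.group(1)})
    return alerts


def main():
    for a in detect(SAMPLE.splitlines()):
        print(f"[{a['serial']}] {a['reason']}: {a['comm']} ({a['exe']}, pid {a['pid']}) "
              f"-> pid {a['target_pid']} success={a['success']}")


if __name__ == "__main__":
    main()
```

Of the five sample events, three alert: the gdb PTRACE_ATTACH, the python3 open of /proc/1234/mem, and the process_vm_readv on the aarch64 host; the PTRACE_PEEKTEXT that follows the attach and systemd reading its own /proc/777/maps are deliberately ignored. The same three conditions translate directly into a Splunk search over the parsed audit fields (type, arch, syscall, a0, key and the PATH name), which is where the alert itself would live.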
1 Answer

There are a couple of options out there. For one, there is Filebeat + Graylog (see the writeup at https://www.graylog.org/post/back-to-basics-working-with-linux-audit-daemon-log-file), and you can also do Linux Audit logging with NXLog (see https://nxlog.co/documentation/nxlog-user-guide/linux-audit.html).

NASAhorse