Educause Security Discussion mailing list archives

Re: CIS vs NIST


From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Thu, 3 May 2018 14:39:32 +0000

This is interesting, Kevin. Thanks for sharing. 

What's the cost to the host that's got audit data collection on? Is there noticeable slowdown/high memory cost, etc? 

Thanks, 
Bobby

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National Laboratory

On 5/2/18, 3:59 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Kevin Wilcox" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of wilcoxkm () APPSTATE EDU> wrote:

    On 30 April 2018 at 12:52, Valdis Kletnieks <valdis.kletnieks () vt edu> wrote:
    
    > To the best of my knowledge, nobody's using the Linux kernel audit logs for
    > near real time detection of events - it's of more use for forensic analysis of
    > incidents and system/package testing.
    
    I do. If a process is started by a user for the first time (or first
    time for however long I have log data for that host), if previously
    unused commands are kicked off, if commands with <x> name are started
    from <y> path where it's never been seen, etc., all trigger alerts.
    The same holds true for Windows process creation, powershell usage,
    AppLocker stopping something (or if it would have stopped something),
    etc.
    
    kmw
    
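As an added illustration of the first-seen alerting Kevin describes above (example code written for this archive page, not Kevin's tooling or anything posted to the list): the detector below parses auditd SYSCALL records for execve, builds a baseline of which audit users ran which commands from which paths, and then alerts on a command never seen on the host, a known command name launched from a path it has never come from, or a known command run by a user who has never run it. The record layout follows auditd's key=value format; the sample log lines are constructed, the `key="exec"` rule tag and the function and class names are assumptions, and the example assumes x86_64 (syscall 59 is execve only for arch=c000003e).

```python
"""First-seen process detection over Linux audit SYSCALL records (example code)."""
import re
from collections import defaultdict

# auditd writes fields as key=value or key="quoted value"; this pulls both forms.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EXECVE_X86_64 = "59"        # execve when arch=c000003e; other arches use other numbers
AUID_UNSET = "4294967295"   # auid is -1 for processes not descended from a login session


def parse_syscall_record(line):
    """Return {auid, comm, exe} for an execve SYSCALL record, else None."""
    if not line.startswith("type=SYSCALL "):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("syscall") != EXECVE_X86_64:
        return None
    try:
        auid = fields["auid"]
        # Daemon and cron children carry an unset auid; bucket them together
        # so "new user ran X" alerts are not spammed by every background job.
        if auid == AUID_UNSET:
            auid = "no-session"
        return {"auid": auid, "comm": fields["comm"], "exe": fields["exe"]}
    except KeyError:
        return None


class FirstSeenDetector:
    """Baseline of what has executed on one host; anything new raises an alert."""

    def __init__(self):
        self.commands = set()                   # comm names ever seen on the host
        self.command_paths = defaultdict(set)   # comm -> {exe paths it ran from}
        self.user_commands = defaultdict(set)   # auid -> {comm names that user ran}

    def _learn(self, rec):
        self.commands.add(rec["comm"])
        self.command_paths[rec["comm"]].add(rec["exe"])
        self.user_commands[rec["auid"]].add(rec["comm"])

    def seed(self, lines):
        """Build the baseline from historical logs without alerting."""
        for line in lines:
            rec = parse_syscall_record(line)
            if rec is not None:
                self._learn(rec)

    def observe(self, line):
        """Process one live line; return (kind, auid, comm, exe) alerts it triggers."""
        rec = parse_syscall_record(line)
        if rec is None:
            return []
        auid, comm, exe = rec["auid"], rec["comm"], rec["exe"]
        alerts = []
        if comm not in self.commands:
            # Never seen on this host at all; implies new for user and path too.
            alerts.append(("new-command", auid, comm, exe))
        else:
            if exe not in self.command_paths[comm]:
                # Known name, unexpected location: classic masquerading signal.
                alerts.append(("new-path", auid, comm, exe))
            if comm not in self.user_commands[auid]:
                alerts.append(("new-user-command", auid, comm, exe))
        self._learn(rec)   # alert once, then treat it as baseline
        return alerts


def scan(baseline_lines, live_lines):
    det = FirstSeenDetector()
    det.seed(baseline_lines)
    alerts = []
    for line in live_lines:
        alerts.extend(det.observe(line))
    return alerts


def _rec(serial, auid, comm, exe, syscall=EXECVE_X86_64):
    """Constructed sample auditd record (not a real capture); field order mirrors auditd."""
    return (f"type=SYSCALL msg=audit(1525271952.{serial:03d}:{serial}): arch=c000003e "
            f"syscall={syscall} success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 "
            f"ppid=1 pid={1000 + serial} auid={auid} uid={auid} gid=100 euid={auid} "
            f'tty=pts0 ses=3 comm="{comm}" exe="{exe}" key="exec"')


BASELINE = [
    _rec(1, "1000", "bash", "/usr/bin/bash"),
    _rec(2, "1000", "ls", "/usr/bin/ls"),
    _rec(3, "1000", "vim", "/usr/bin/vim"),
    _rec(4, AUID_UNSET, "cron", "/usr/sbin/cron"),
]
LIVE = [
    _rec(10, "1000", "ls", "/usr/bin/ls"),                    # known: no alert
    _rec(11, "1001", "ls", "/usr/bin/ls"),                    # known command, new user
    _rec(12, "1000", "nc", "/usr/bin/nc"),                    # never seen on host
    _rec(13, "1000", "ls", "/tmp/ls"),                        # known name, new path
    'type=EXECVE msg=audit(1525271952.013:13): argc=1 a0="ls"',  # not a SYSCALL record
    _rec(14, "1000", "cat", "/usr/bin/cat", syscall="257"),   # openat, not execve
]

if __name__ == "__main__":
    for alert in scan(BASELINE, LIVE):
        print(alert)
```

The "how long I have log data for" window Kevin mentions is the seed set here; in practice you would persist the three baseline sets per host and expire entries on the same schedule as your log retention, otherwise a command last run eighteen months ago still counts as "seen".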
    

