Catching Linux Post-Exploitation with Auditd

Presented at BSidesLV 2015, Aug. 4, 2015, 3 p.m. (25 minutes).

Many Linux administrators are required to deploy Auditd in order to meet government or industry security compliance requirements. In this talk we will dive into common Linux Audit configurations and determine their value when responding to successful attacks. Finally by examining real world attacks, we can create Auditd rules that can alert us following the successful exploitation of a service.


Presenters:

  • Eric Gershman
    Eric Gershman is currently working on the security team for a group that manages large systems that enable researchers to do "Big Science". Prior to working in security Eric pursued a bachelors degree in Information Technology at the University of Central Florida. During his time at UCF, he worked as a technician on a large help desk, research intern for an Anti-Virus company and finally as a Linux Systems Administration for several Department of Defense projects.

Links:

Similar Presentations: