Catching Linux Post-Exploitation with Auditd

BSidesLV 2015

Presented by: Eric Gershman
Date: Tuesday August 04, 2015
Time: 15:00 - 15:25
Location: Florentine E
Track: Proving Ground

Many Linux administrators are required to deploy Auditd in order to meet government or industry security compliance requirements. In this talk we will dive into common Linux Audit configurations and determine their value when responding to successful attacks. Finally by examining real world attacks, we can create Auditd rules that can alert us following the successful exploitation of a service.

Eric Gershman

Eric Gershman is currently working on the security team for a group that manages large systems that enable researchers to do "Big Science". Prior to working in security Eric pursued a bachelors degree in Information Technology at the University of Central Florida. During his time at UCF, he worked as a technician on a large help desk, research intern for an Anti-Virus company and finally as a Linux Systems Administration for several Department of Defense projects.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats