Skip to content

Instantly share code, notes, and snippets.

@mike2194

mike2194/audit.rules

Last active June 18, 2021 17:32
Show Gist options
  • Save mike2194/3675ab0c3cc5b0d5a0e43b1ce4e39f1e to your computer and use it in GitHub Desktop.
Save mike2194/3675ab0c3cc5b0d5a0e43b1ce4e39f1e to your computer and use it in GitHub Desktop.
Download ZIP
auditd_baseline_rules
Raw
audit.rules
# Remove any existing rules
-D
# Buffer Size
## Feel free to increase this if the machine panic's
-b 8192
# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1
# Ignore errors
## e.g. caused by users or files not found in the local environment
-i# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon
# /etc/audit/audit.rules
#
# Based on rules published here:
#
# https://github.com/bfuzzy/auditd-attack
# https://github.com/Neo23x0/auditd
#
# Self Auditing ---------------------------------------------------------------
## Audit the audit logs
### Successful and unsuccessful attempts to read/write information from the audit records
-w /var/log/audit/ -k auditlog
## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Filters ---------------------------------------------------------------------
### We put these early because audit is a first match wins system.
## Ignore SELinux AVC records
# bad practice!!
#-a always,exclude -F msgtype=AVC
## Ignore current working directory records
-a always,exclude -F msgtype=CWD
## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b64 -S adjtimex -F auid=4294967295 -F uid=998 -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=4294967295 -F uid=998 -F subj_type=chronyd_t
## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
## VMWare tools
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
### High Volume Event Filter (especially on Linux Workstations)
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess_filter
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess_filter
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm_filter
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm_filter
## More information on how to filter events
### https://access.redhat.com/solutions/2482221
### Special files and swap ----------------------------------------------------
## Special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Change swap (only attributable)
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
#### Standard Rules -----------------------------------------------------------
### T1215_Kernel_Modules_and_Extensions ---------------------------------------
## Kernel parameters
-w /etc/sysctl.conf -p wa -k T1215_Kernel_Modules_and_Extensions
## Kernel module loading and unloading
-a always,exit -F perm=x -F auid!=-1 -F path=/bin/kmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
## Modprobe configuration
-w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions
-w /etc/modprobe.d/ -p wa -k T1215_Kernel_Modules_and_Extensions
## KExec usage (all actions)
-a always,exit -F arch=b64 -S kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC
-a always,exit -F arch=b32 -S sys_kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC
### T1099_Timestomp -----------------------------------------------------------
## Time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
-a always,exit -F arch=b32 -S clock_settime -k T1099_Timestomp
-a always,exit -F arch=b64 -S clock_settime -k T1099_Timestomp
-w /etc/localtime -p wa -k T1099_Timestomp
### T1079_Multilayer_Encryption -----------------------------------------------
## Stunnel
-w /usr/sbin/stunnel -p x -k T1079_Multilayer_Encryption
### T1168_Local_Job_Scheduling ------------------------------------------------
## Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.deny -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.d/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.daily/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.hourly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.monthly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.weekly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/crontab -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling
-w /etc/at.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/at.deny -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/at/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/anacrontab -p wa -k T1168_Local_Job_Scheduling
-w /usr/bin/crontab -p x -k T1168_Local_Job_Scheduling
## System startup scripts - not systemd
-w /etc/inittab -p wa -k T1168_Local_Job_Scheduling
-w /etc/init.d/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/init/ -p wa -k T1168_Local_Job_Scheduling
### T1082_System_Information_Discovery ----------------------------------------
## Login configuration and information
-w /etc/hostname -p r -k T1082_System_Information_Discovery
-w /sbin/iptables -p x -k T1082_System_Information_Discovery
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery
-w /etc/securetty -p wa -k T1082_System_Information_Discovery
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery
### T1016_System_Network_Configuration_Discovery ------------------------------
## Network Configuration Changes and Discovery
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts -k T1016_System_Network_Configuration_Discovery
-w /etc/sysconfig/network -k T1016_System_Network_Configuration_Discovery
-w /etc/sysconfig/network-scripts/ -k T1016_System_Network_Configuration_Discovery
-w /etc/network/ -p wa -k T1016_System_Network_Configuration_Discovery
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k T1016_System_Network_Configuration_Discovery
### T1052_Exfiltration_Over_Physical_Medium -----------------------------------
## Mount operations (only attributable)
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Medium
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Mediums
-w /usr/sbin/mount.fuse -p x -k T1052_Exfiltration_Over_Physical_Medium
### T1201_Password_Policy_Discovery -------------------------------------------
## Pam configuration
-w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery
-w /etc/pam.d/ -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/limits.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/pam_env.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.init -p wa -k T1071_Standard_Application_Layer_Protocol
### T1021_Remote_Services -----------------------------------------------------
## SSH configuration
-w /etc/ssh/sshd_config -k T1021_Remote_Services
## Login Related Events
-w /var/log/faillog -p wa -k T1021_Remote_Services
-w /var/log/lastlog -p wa -k T1021_Remote_Services
-w /var/log/tallylog -p wa -k T1021_Remote_Services
### T1501_Systemd_Service -----------------------------------------------------
## Systemd
-w /bin/systemctl -p x -k T1501_Systemd_Service
-w /etc/systemd/ -p wa -k T1501_Systemd_Service
-w /lib/systemd/ -p wa -k T1501_Systemd_Service
-w /usr/bin/journalctl -p x -k T1501_Systemd_Service
### T1222_File_and_Directory_Permissions_Modification -------------------------
## SELinux events that modify the system's Mandatory Access Controls (MAC)
-w /etc/selinux/ -p wa -k T1222_File_and_Directory_Permissions_Modification_SLinux
### T1108_Redundant_Access ----------------------------------------------------
## Session initiation information
-w /var/run/utmp -p wa -k T1108_Redundant_Access
-w /var/log/btmp -p wa -k T1108_Redundant_Access
-w /var/log/wtmp -p wa -k T1108_Redundant_Access
### T1529_System_Shutdown_Reboot ----------------------------------------------
## Power state
-w /sbin/shutdown -p x -k T1529_System_Shutdown_Reboot
-w /sbin/poweroff -p x -k T1529_System_Shutdown_Reboot
-w /sbin/reboot -p x -k T1529_System_Shutdown_Reboot
-w /sbin/halt -p x -k T1529_System_Shutdown_Reboot# Special Rules ---------------------------------------------------------------
### T1055_Process_Injection_32bit_api -----------------------------------------
## Library search paths
-w /etc/ld.so.conf -p wa -k T1055_Process_Injection_ld
-w /etc/ld.so.preload -k T1055_Process_Injection_ld
## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
-a always,exit -F arch=b32 -S ptrace -k T1055_Process_Injection_tracing
-a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection_tracing
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register
## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
-a always,exit -F arch=b32 -S all -k T1055_Process_Injection_32bit_api
### T1087_Account_Discovery ---------------------------------------------------
## Recon Related Events
-w /etc/group -p r -k T1087_Account_Discovery
-w /etc/passwd -p r -k T1087_Account_Discovery
-w /etc/gshadow -p r -k T1087_Account_Discovery
-w /etc/shadow -p r -k T1087_Account_Discovery
-w /etc/security/opasswd -p r -k T1087_Account_Discovery
-w /usr/sbin/nologin -k T1087_Account_Discovery
-w /sbin/nologin -k T1087_Account_Discovery
### T1033_System_Owner_User_Discovery -----------------------------------------
## Recon Related Events
-w /usr/bin/whoami -p x -k T1033_System_Owner_User_Discovery
-w /usr/bin/who -p x -k T1033_System_Owner_User_Discovery
-w /usr/bin/w -p x -k T1033_System_Owner_User_Discovery
### T1082_System_Information_Discovery ----------------------------------------
## Recon Related Events
-w /etc/aliases -p r -k T1082_System_Information_Discovery
-w /etc/issue -p r -k T1082_System_Information_Discovery
-w /etc/issue.net -p r -k T1082_System_Information_Discovery
-w /etc/redhat-release -p r -k T1082_System_Information_Discovery
-w /usr/bin/id -p x -k T1082_System_Information_Discovery
-w /usr/bin/uname -p x -k T1082_System_Information_Discovery
-w /etc/hostname -p r -k T1082_System_Information_Discovery
-w /sbin/iptables -p x -k T1082_System_Information_Discovery
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery
-w /etc/securetty -p wa -k T1082_System_Information_Discovery
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery
-w /usr/sbin/tcpdump -p x -k T1049_System_Network_Connections_discovery
-w /usr/sbin/traceroute -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/wireshark -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/rawshark -p x -k T1049_System_Network_Connections_discovery
### T1081_Credentials_In_Files ------------------------------------------------
## Recon Related Events
-w /usr/bin/grep -p x -k T1081_Credentials_In_Files
-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
### T1057_Process_Discovery ---------------------------------------------------
## Recon Related Events
-w /usr/bin/ps -p x -k T1057_Process_Discovery
### T1219_Remote_Access_Tools -------------------------------------------------
## Suspicious activity
-w /usr/bin/wget -p x -k T1219_Remote_Access_Tools
-w /usr/bin/curl -p x -k T1219_Remote_Access_Tools
-w /bin/nc.traditional -p x -k T1219_Remote_Access_Tools
-w /bin/nc -p x -k T1219_Remote_Access_Tools
-w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools
-w /bin/netcat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ssh -p x -k T1219_Remote_Access_Tools
-w /usr/bin/socat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/wireshark -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rawshark -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools## Critical elements access failures - unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-w /bin/su -p x -k T1169_Sudo
-w /usr/bin/sudo -p x -k T1169_Sudo
-w /etc/sudoers -p rw -k T1169_Sudo
-a always,exit -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1169_Sudo
# Admin power abuse
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo
## Discretionary Access Control (DAC) modifications - perm_mod
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid### T1072_third_party_software -------------------------------------------------
## Software Management
# RPM (Redhat/CentOS/Fedora)
-w /usr/bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/yum -p x -k T1072_third_party_software
-w /usr/bin/dnf -p x -k T1072_third_party_software
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k T1072_third_party_software
-w /sbin/yast2 -p x -k T1072_third_party_software
-w /bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/zypper -k T1072_third_party_software
# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k T1072_third_party_software
-w /usr/bin/apt-add-repository -p x -k T1072_third_party_software
-w /usr/bin/apt-get -p x -k T1072_third_party_software
-w /usr/bin/aptitude -p x -k T1072_third_party_software# add special watched software here or uncomment examples
# Special Software ------------------------------------------------------------
### T1222_File_and_Directory_Permissions_Modification_Apparmor ----------------
#-w /etc/apparmor/ -p wa -k T1222_File_and_Directory_Permissions_Modification_apparmor
#-w /etc/apparmor.d/ -p wa -k T1222_File_and_Directory_Permissions_Modification_apparmor
#-w /sbin/apparmor_parser -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor
#-w /usr/sbin/aa-complain -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor
#-w /usr/sbin/aa-disable -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor
#-w /usr/sbin/aa-enforce -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor
#
### GDS specific secrets
#-w /etc/puppet/ssl -p wa -k puppet_ssl
#
### IBM Bigfix BESClient
#-a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient
#-w /var/opt/BESClient/ -p wa -k soft_besclient
#
### CHEF https://www.chef.io/chef/
#-w /etc/chef -p wa -k soft_chef
#
#### KVM
#-w /usr/bin/virsh -p x -k kvm
#-w /etc/libvirt/ -p w -k kvm
#
#### Docker
#-w /usr/bin/dockerd -p x -k docker
#-w /usr/bin/docker -p x -k docker
#-w /usr/bin/docker-containerd -p x -k docker
#-w /usr/bin/docker-runc -p x -k docker
#-w /var/lib/docker/ -p w -k docker
#-w /etc/docker/ -p w -k docker
#-w /etc/sysconfig/docker -p w -k docker
#-w /etc/sysconfig/docker-storage -p w -k docker
#-w /usr/lib/systemd/system/docker.service -p w -k docker
#
#### Kubelet
#-w /usr/bin/kubelet -p x -k kubelet
#
## Backup Software ------------------------------------------------------------
## SUSE / Btrfs backup
#-w /usr/sbin/snapperd -p x -k snapperd_backup# add critical application data here
#-w /etc/myappliaction/app.conf -p rwa -k myapplicationkey
# High volume events - disable if it generates too much load
### T1107_File_Deletion -------------------------------------------------------
## File Deletion Events by User
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion
### T1070_Indicator_Removal_on_Host -------------------------------------------
## File Deletion Events by Root
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
### T1005_Data_from_Local_System ----------------------------------------------
## Data Copy(Local)
-w /usr/bin/cp -p x -k T1005_Data_from_Local_System
-w /usr/bin/dd -p x -k T1005_Data_from_Local_System### TOMCAT
# whitelist
-a exit,never -F dir=/srv/tomcat -F euid=tomcat -k tomcat_webignore_serving_dir
-a exit,never -F dir=/var/log/tomcat/ -F euid=tomcat -k tomcat_webignore_log_dir
-a exit,never -F dir=/var/cache/tomcat/ -F euid=tomcat -k tomcat_webignore_cache_dir
-a exit,never -F dir=/sys/fs/cgroup/memory/system.slice/tomcat.service/ -F euid=tomcat -k tomcat_webignore_memory_dir
-a exit,never -F dir=/sys/fs/cgroup/cpu,cpuacct/cpu.shares -F euid=tomcat -k tomcat_webignore_memory_dir
-a exit,never -F dir=/usr/share/tomcat/conf/tomcat-users.xml -F euid=tomcat -k tomcat_webignore_user_dir
-a exit,never -F dir=/usr/share/tomcat/work/ -F euid=tomcat -k tomcat_webignore_work_dir
-a exit,never -F dir=/usr/lib64/jvm -F euid=tomcat -F perm=xa -k tomcat_webignore_jvm_dir
# blacklist everything else
-a exit,always -F dir=/ -F euid=tomcat -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_Tomcat
### NGINX
# whitelisting
-a exit,never -F dir=/srv/www/ -F euid=nginx -k nginx_webignor_serving_dir
-a exit,never -F dir=/var/log/nginx/ -F euid=nginx -k nginx_webignor_log_dir
# blacklist
-a exit,always -F dir=/ -F euid=nginx -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_nginx
### APACHE
# whitelist
-a exit,never -F dir=/var/www/ -F euid=apache -k apache_webignor_serving_dir
-a exit,never -F dir=/var/log/httpd/ -F euid=apache -k apache_webignor_log_dir
-a exit,never -F dir=/etc/httpd/ -F euid=apache -F perm=wxa -k apache_webignor_etc_dir
-a exit,never -F path=/usr/share/zoneinfo/UTC -F euid=apache -F perm=wxa -k apache_webignor_tzinfo_dir
# blacklist
-a exit,always -F dir=/ -F euid=apache -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_apache
#### Account related ----------------------------------------------------------
### T1078_Valid_Accounts ------------------------------------------------------
## Group
-w /etc/group -p wa -k T1078_Valid_Accounts_group
-w /etc/gshadow -k T1078_Valid_Accounts_group
-w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts_group
-w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts_group
-w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts_group
## Sudoers file changes
-w /etc/sudoers -p wa -k T1078_Valid_Accounts_sudoers
## Passwd
-w /etc/shadow -k T1078_Valid_Accounts_passwd
-w /etc/security/opasswd -k T1078_Valid_Accounts_passwd
-w /etc/passwd -p wa -k T1078_Valid_Accounts_passwd
-w /usr/bin/passwd -p x -k T1078_Valid_Accounts_passwd
## Users
-w /usr/sbin/useradd -p x -k T1078_Valid_Accounts_user
-w /usr/sbin/usermod -p x -k T1078_Valid_Accounts_user
-w /usr/sbin/adduser -p x -k T1078_Valid_Accounts_user
# High Load
## Privleged Command Execution Related Events
-a exit,always -F arch=b64 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command
-a exit,always -F arch=b32 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
##-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
### T1043_Commonly_Used_Port --------------------------------------------------
##C2 Releated Events
#Log 64 bit processes (a2!=6e filters local unix socket calls)
-a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port
#Log 32 bit processes (a0=3 means only outbound sys_connect calls)
-a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port## File Access
### Unauthorized Access (unsuccessful)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
### Unsuccessful Creation
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation
### Unsuccessful Modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification
# Make the configuration immutable ---------------------------------------------
#-e 2
# Normal activation -------------------------------------------------------------
-e 1
Raw
base.rules
# Name: AuditD Baseline Rules
# Author: nshadov@ravencloud.net
# Date: 2016-06-02
# Desc: Baseline auditd audit configuration, without machine/organization specific entries.
# Target system: DEBIAN/UBUNTU (64 BIT)
# Based on 'https://www.suse.com/documentation/sled10/audit_sp1/data/cha_audit_scenarios.html'
# VERSION: 1.0
# TODO:
# * ADD KEYS TO GROUP OF RECORDS
# * SCOPE FOR USERS (UID: 10 000-12 000)
###################
### BASE CONFIG ###
###################
### DELETE ALL PREVIOUS RULES
-D
### INCREASE LOG BUFFER
-b 8192
### FAILURE FLAG (2 - KERNEL PANIC, 1 - PRINTK, 0 - SILENT)
-f 1
#####################
### AUDITD CONFIG ###
#####################
### LOG FILE WATCHES (WRITE AND ATTRIBUTE CHANGE)
-w /var/log/audit/ -k baseline-audit-logs
-w /var/log/audit/audit.log -k baseline-audit-logs
### AUDITD CONFIG
-w /etc/audit/auditd.conf -p wa -k baseline-audit-conf
-w /etc/audit/audit.rules -p wa -k baseline-audit-conf
-w /etc/libaudit.conf -p wa -k baseline-audit-conf
-w /etc/default/auditd -p wa -k baseline-audit-conf
################################################
### FILESYSTEM RULES (DIR/FILES, ATTRIBUTES) ###
################################################
-a exit,always -F arch=b64 -S chmod -S chown -S fchown -S lchown -k baseline-filesystem-perm
-a exit,always -F arch=b64 -S creat -S truncate -S ftruncate -k baseline-filesystem-create
-a exit,always -F arch=b64 -S mkdir -S rmdir -k baseline-filesystem-dir
-a exit,always -F arch=b64 -S unlink -S rename -S link -S symlink -k baseline-filesystem-link
#
# -a exit,always -F arch=b64 -S open # IMPORTNANT FOR SYSTEMS WITH HIGHLY CONFIDENTIAL DATA
#
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k baseline-filesystem-attrib
-a exit,always -F arch=b64 -S mknod -k baseline-filesystem-mknod
-a exit,always -F arch=b64 -S mount -S umount2 -k baseline-filesystem-mount
############################
### SYSTEM CONFIGURATION ###
############################
### STARTUP
-w /var/spool/at -k baseline-system-startup
-w /etc/at.allow -k baseline-system-startup
-w /etc/at.deny -k baseline-system-startup
-w /etc/cron.allow -p wa -k baseline-system-startup
-w /etc/cron.deny -p wa -k baseline-system-startup
-w /etc/cron.d/ -p wa -k baseline-system-startup
-w /etc/cron.daily/ -p wa -k baseline-system-startup
-w /etc/cron.hourly/ -p wa -k baseline-system-startup
-w /etc/cron.monthly/ -p wa -k baseline-system-startup
-w /etc/cron.weekly/ -p wa -k baseline-system-startup
-w /etc/crontab -p wa -k baseline-system-startup
-w /var/spool/cron/root -k baseline-system-startup
### USERS/GROUPS
-w /etc/group -p wa -k baseline-user-conf
-w /etc/passwd -p wa -k baseline-user-conf
-w /etc/shadow -k baseline-user-conf
### SECURITY LOGS
-w /etc/login.defs -p wa -k baseline-user-logs
-w /etc/securetty -k baseline-user-logs
-w /var/log/faillog -k baseline-user-logs
-w /var/log/lastlog -k baseline-user-logs
### HOSTNAME CONFIG
-a exit,always -F arch=b64 -S sethostname -k baseline-system-hostname
-w /etc/issue -p wa -k baseline-system-banner
-w /etc/issue.net -p wa -k baseline-system-banner
-w /etc/hosts -p wa -k baseline-system-network
-w /etc/inittab -p wa -k baseline-system-startup
-w /etc/init.d/ -p wa -k baseline-system-startup
-w /etc/init.d/auditd -p wa -k baseline-system-startup
-w /etc/ld.so.conf -p wa -k baseline-system-lib
-w /etc/localtime -p wa -k baseline-system-time
-w /etc/sysctl.conf -p wa -k baseline-system-kernel
-w /etc/modprobe.conf.d/ -k baseline-system-kernel
-w /etc/modprobe.conf.local -p wa -k baseline-system-kernel
-w /etc/modprobe.conf -p wa -k baseline-system-kernel
### PAM
-w /etc/pam.d/ -k baseline-login-conf
### ALIASES
-w /etc/aliases -p wa -k baseline-user-shell
-w /etc/postfix/ -p wa -k baseline-service-postfix
### SERVICES
-w /etc/ssh/sshd_config -k baseline-system-login
### TASKS/PROCESSES
-a exit,always -F arch=b64 -S umask -k baseline-filesystem-perm
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k baseline-system-time
-a exit,always -F arch=b64 -S kill -k baseline-service-kill
#########################
### SYSCALL AGRUMENTS ###
#########################
#
### ACCESS TO FILES (R_OK, R_OK|W_OK, R_OK|W_OK|X_OK)
#
#-a entry,always -S access -F a1=4
#-a entry,always -S access -F a1=6
#-a entry,always -S access -F a1=7
#
### SOCKETS
#
# IPv6
#-a entry, always -S socketcall -F a0=1 -F a1=10
#-a entry, always -S socketcall -F a0=5
Raw
paxos.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-i
-w /var/log/audit/ -k auditlog
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=EOE
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess_filter
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess_filter
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm_filter
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm_filter
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
-w /etc/sysctl.conf -p wa -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/bin/kmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
-w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions
-w /etc/modprobe.d/ -p wa -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b64 -S kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC
-a always,exit -F arch=b32 -S sys_kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
-a always,exit -F arch=b32 -S clock_settime -k T1099_Timestomp
-a always,exit -F arch=b64 -S clock_settime -k T1099_Timestomp
-w /etc/localtime -p wa -k T1099_Timestomp
-w /usr/sbin/stunnel -p x -k T1079_Multilayer_Encryption
-w /etc/cron.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.deny -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.d/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.daily/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.hourly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.monthly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.weekly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/crontab -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling
-w /etc/at.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/at.deny -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/at/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/anacrontab -p wa -k T1168_Local_Job_Scheduling
-w /usr/bin/crontab -p x -k T1168_Local_Job_Scheduling
-w /etc/inittab -p wa -k T1168_Local_Job_Scheduling
-w /etc/init.d/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/init/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/hostname -p r -k T1082_System_Information_Discovery
-w /sbin/iptables -p x -k T1082_System_Information_Discovery
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery
-w /etc/securetty -p wa -k T1082_System_Information_Discovery
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts -k T1016_System_Network_Configuration_Discovery
-w /etc/network/ -p wa -k T1016_System_Network_Configuration_Discovery
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k T1016_System_Network_Configuration_Discovery
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Medium
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Mediums
-w /usr/sbin/mount.fuse -p x -k T1052_Exfiltration_Over_Physical_Medium
-w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery
-w /etc/pam.d/ -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/limits.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/pam_env.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.init -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/ssh/sshd_config -k T1021_Remote_Services
-w /var/log/faillog -p wa -k T1021_Remote_Services
-w /var/log/lastlog -p wa -k T1021_Remote_Services
-w /var/log/tallylog -p wa -k T1021_Remote_Services
-w /bin/systemctl -p x -k T1501_Systemd_Service
-w /etc/systemd/ -p wa -k T1501_Systemd_Service
-w /lib/systemd/ -p wa -k T1501_Systemd_Service
-w /usr/bin/journalctl -p x -k T1501_Systemd_Service
-w /etc/selinux/ -p wa -k T1222_File_and_Directory_Permissions_Modification_SLinux
-w /var/run/utmp -p wa -k T1108_Redundant_Access
-w /var/log/btmp -p wa -k T1108_Redundant_Access
-w /var/log/wtmp -p wa -k T1108_Redundant_Access
-w /sbin/shutdown -p x -k T1529_System_Shutdown_Reboot
-w /sbin/poweroff -p x -k T1529_System_Shutdown_Reboot
-w /sbin/reboot -p x -k T1529_System_Shutdown_Reboot
-w /sbin/halt -p x -k T1529_System_Shutdown_Reboot
# Special Rules ---------------------------------------------------------------
-w /etc/ld.so.conf -p wa -k T1055_Process_Injection_ld
-w /etc/ld.so.preload -k T1055_Process_Injection_ld
-a always,exit -F arch=b32 -S ptrace -k T1055_Process_Injection_tracing
-a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection_tracing
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register
-a always,exit -F arch=b32 -S all -k T1055_Process_Injection_32bit_api
-w /etc/group -p r -k T1087_Account_Discovery
-w /etc/passwd -p r -k T1087_Account_Discovery
-w /etc/gshadow -p r -k T1087_Account_Discovery
-w /etc/shadow -p r -k T1087_Account_Discovery
-w /etc/security/opasswd -p r -k T1087_Account_Discovery
-w /usr/sbin/nologin -k T1087_Account_Discovery
-w /sbin/nologin -k T1087_Account_Discovery
-w /usr/bin/whoami -p x -k T1033_System_Owner_User_Discovery
-w /usr/bin/who -p x -k T1033_System_Owner_User_Discovery
-w /usr/bin/w -p x -k T1033_System_Owner_User_Discovery
-w /etc/aliases -p r -k T1082_System_Information_Discovery
-w /etc/issue -p r -k T1082_System_Information_Discovery
-w /etc/issue.net -p r -k T1082_System_Information_Discovery
-w /etc/redhat-release -p r -k T1082_System_Information_Discovery
-w /usr/bin/id -p x -k T1082_System_Information_Discovery
-w /usr/bin/uname -p x -k T1082_System_Information_Discovery
-w /etc/hostname -p r -k T1082_System_Information_Discovery
-w /sbin/iptables -p x -k T1082_System_Information_Discovery
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery
-w /etc/securetty -p wa -k T1082_System_Information_Discovery
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery
-w /usr/sbin/tcpdump -p x -k T1049_System_Network_Connections_discovery
-w /usr/sbin/traceroute -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/wireshark -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/rawshark -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/grep -p x -k T1081_Credentials_In_Files
-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
-w /usr/bin/ps -p x -k T1057_Process_Discovery
-w /usr/bin/wget -p x -k T1219_Remote_Access_Tools
-w /usr/bin/curl -p x -k T1219_Remote_Access_Tools
-w /bin/nc.traditional -p x -k T1219_Remote_Access_Tools
-w /bin/nc -p x -k T1219_Remote_Access_Tools
-w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools
-w /bin/netcat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ssh -p x -k T1219_Remote_Access_Tools
-w /usr/bin/socat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/wireshark -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rawshark -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools
## Critical elements access failures - unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-w /bin/su -p x -k T1169_Sudo
-w /usr/bin/sudo -p x -k T1169_Sudo
-w /etc/sudoers -p rw -k T1169_Sudo
-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1169_Sudo
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1169_Sudo
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
### T1072_third_party_software -------------------------------------------------
-w /usr/bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/yum -p x -k T1072_third_party_software
-w /usr/bin/dnf -p x -k T1072_third_party_software
-w /sbin/yast -p x -k T1072_third_party_software
-w /sbin/yast2 -p x -k T1072_third_party_software
-w /bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/zypper -k T1072_third_party_software
-w /usr/bin/dpkg -p x -k T1072_third_party_software
-w /usr/bin/apt-add-repository -p x -k T1072_third_party_software
-w /usr/bin/apt-get -p x -k T1072_third_party_software
-w /usr/bin/aptitude -p x -k T1072_third_party_software
# add special watched software here or uncomment examples
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
-w /usr/bin/cp -p x -k T1005_Data_from_Local_System
-w /usr/bin/dd -p x -k T1005_Data_from_Local_System
### NGINX
-a exit,never -F dir=/srv/www/ -F euid=nginx -k nginx_webignor_serving_dir
-a exit,never -F dir=/var/log/nginx/ -F euid=nginx -k nginx_webignor_log_dir
-a exit,always -F dir=/ -F euid=nginx -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_nginx
### APACHE
-a exit,never -F dir=/var/www/ -F euid=apache -k apache_webignor_serving_dir
-a exit,never -F dir=/var/log/httpd/ -F euid=apache -k apache_webignor_log_dir
-a exit,never -F dir=/etc/httpd/ -F euid=apache -F perm=wxa -k apache_webignor_etc_dir
-a exit,never -F path=/usr/share/zoneinfo/UTC -F euid=apache -F perm=wxa -k apache_webignor_tzinfo_dir
-a exit,always -F dir=/ -F euid=apache -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_apache
-w /etc/group -p wa -k T1078_Valid_Accounts_group
-w /etc/gshadow -k T1078_Valid_Accounts_group
-w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts_group
-w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts_group
-w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts_group
-w /etc/sudoers -p wa -k T1078_Valid_Accounts_sudoers
-w /etc/shadow -k T1078_Valid_Accounts_passwd
-w /etc/security/opasswd -k T1078_Valid_Accounts_passwd
-w /etc/passwd -p wa -k T1078_Valid_Accounts_passwd
-w /usr/bin/passwd -p x -k T1078_Valid_Accounts_passwd
-w /usr/sbin/useradd -p x -k T1078_Valid_Accounts_user
-w /usr/sbin/usermod -p x -k T1078_Valid_Accounts_user
-w /usr/sbin/adduser -p x -k T1078_Valid_Accounts_user
-a exit,always -F arch=b64 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command
-a exit,always -F arch=b32 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command
-a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port
-a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port
## File Access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification
-e 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment