auditd_baseline_rules
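# Remove any existing rules
-D
# Buffer Size
## Increase this if auditd reports lost events or the machine panics under load
-b 8192
# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1
# Ignore errors
## e.g. caused by users or files not found in the local environment
## NOTE: with -i a rule that auditctl cannot parse, or that the kernel rejects, is dropped
## silently. Compare `auditctl -l` against this file after loading to confirm nothing was lost.
-i
# ___ ___ __ __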
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon
# /etc/audit/audit.rules
#
# Based on rules published here:
#
# https://github.com/bfuzzy/auditd-attack
# https://github.com/Neo23x0/auditd
#
# Self Auditing ---------------------------------------------------------------
## Audit the audit logs
### Successful and unsuccessful attempts to read/write information from the audit records
### (no -p given, so every access type — r, w, x, a — on the log directory is recorded)
-w /var/log/audit/ -k auditlog
## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
### (execution only; changes to the rule set itself are caught by the /etc/audit/ watch above)
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Filters ---------------------------------------------------------------------
### We put these early because audit is a first match wins system.
### A "never" rule only suppresses events that reach it before a matching "always"
### rule, so this section must stay ahead of the detection rules below.
## Ignore SELinux AVC records
# bad practice!!
#-a always,exclude -F msgtype=AVC
## Ignore current working directory records
-a always,exclude -F msgtype=CWD
## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
## (subj_type is an SELinux label, so these two rules only take effect on labelled hosts)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
## This prevents chrony from overwhelming the logs
## (the second pair repeats the first with numeric ids for hosts where the symbolic
##  names do not resolve; uid=998 is presumably the chrony account on the original host — verify locally)
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b64 -S adjtimex -F auid=4294967295 -F uid=998 -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=4294967295 -F uid=998 -F subj_type=chronyd_t
## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
## VMWare tools
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
### High Volume Event Filter (especially on Linux Workstations)
### (no -S given: every syscall touching these directories is dropped, not just a subset)
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess_filter
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess_filter
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm_filter
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm_filter
## More information on how to filter events
### https://access.redhat.com/solutions/2482221
### Special files and swap ----------------------------------------------------
## Special files
## (device node / FIFO creation; no auid filter, so daemon activity is included)
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Change swap (only attributable)
## (auid!=-1 drops events with no login uid, i.e. processes that did not come from a user session)
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
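#### Standard Rules -----------------------------------------------------------
### T1215_Kernel_Modules_and_Extensions ---------------------------------------
## Kernel parameters
-w /etc/sysctl.conf -p wa -k T1215_Kernel_Modules_and_Extensions
## Kernel module loading and unloading
## (the path/perm=x rules fire when the tools are executed; the syscall rules catch direct
##  init_module/finit_module/delete_module calls that bypass those binaries)
-a always,exit -F perm=x -F auid!=-1 -F path=/bin/kmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
## Modprobe configuration
-w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions
-w /etc/modprobe.d/ -p wa -k T1215_Kernel_Modules_and_Extensions
## KExec usage (all actions)
## The b32 rule previously named the syscall "sys_kexec_load"; auditctl's syscall table
## uses the bare name "kexec_load" (as the b64 rule already did), so the b32 rule was
## rejected and — with -i set above — dropped silently. Both arches now load.
-a always,exit -F arch=b64 -S kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC
-a always,exit -F arch=b32 -S kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC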
### T1099_Timestomp -----------------------------------------------------------
## Time
## (system clock changes; chrony's adjtimex calls are already dropped by the never-rules
##  in the Filters section, which come first)
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
## (the two rules below are never reached: clock_settime already matches the combined
##  rules above with the same key, and audit stops at the first match — redundant, not harmful)
-a always,exit -F arch=b32 -S clock_settime -k T1099_Timestomp
-a always,exit -F arch=b64 -S clock_settime -k T1099_Timestomp
-w /etc/localtime -p wa -k T1099_Timestomp
### T1079_Multilayer_Encryption -----------------------------------------------
## Stunnel
-w /usr/sbin/stunnel -p x -k T1079_Multilayer_Encryption
### T1168_Local_Job_Scheduling ------------------------------------------------
## Cron configuration & scheduled jobs
## (the crontabs spool watch has no -p, so all access types are recorded for it)
-w /etc/cron.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.deny -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.d/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.daily/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.hourly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.monthly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.weekly/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/crontab -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling
-w /etc/at.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/at.deny -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/at/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/anacrontab -p wa -k T1168_Local_Job_Scheduling
-w /usr/bin/crontab -p x -k T1168_Local_Job_Scheduling
## System startup scripts - not systemd
## (systemd unit directories are covered under T1501 further down)
-w /etc/inittab -p wa -k T1168_Local_Job_Scheduling
-w /etc/init.d/ -p wa -k T1168_Local_Job_Scheduling
-w /etc/init/ -p wa -k T1168_Local_Job_Scheduling
### T1082_System_Information_Discovery ----------------------------------------
## Login configuration and information
## (-p r on /etc/hostname records reads; the -p x watches record executions of the tools)
-w /etc/hostname -p r -k T1082_System_Information_Discovery
-w /sbin/iptables -p x -k T1082_System_Information_Discovery
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery
-w /etc/securetty -p wa -k T1082_System_Information_Discovery
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery
### T1016_System_Network_Configuration_Discovery ------------------------------
## Network Configuration Changes and Discovery
## (the first six watches carry no -p, so reads are logged too; resolvers read
##  resolv.conf and hosts on most lookups, so expect volume from these)
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts -k T1016_System_Network_Configuration_Discovery
-w /etc/sysconfig/network -k T1016_System_Network_Configuration_Discovery
-w /etc/sysconfig/network-scripts/ -k T1016_System_Network_Configuration_Discovery
-w /etc/network/ -p wa -k T1016_System_Network_Configuration_Discovery
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k T1016_System_Network_Configuration_Discovery
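### T1052_Exfiltration_Over_Physical_Medium -----------------------------------
## Mount operations (only attributable)
## The b32 rule used the key "..._Physical_Mediums", so `ausearch -k` on the b64 key
## missed every 32-bit mount; both arches now share one key.
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Medium
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Medium
-w /usr/sbin/mount.fuse -p x -k T1052_Exfiltration_Over_Physical_Medium
### T1201_Password_Policy_Discovery -------------------------------------------
## Pam configuration
-w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery
## NOTE(review): the remaining PAM / limits watches carry the key
## T1071_Standard_Application_Layer_Protocol, which does not match this section's
## technique. Keys are left unchanged so existing searches keep working — confirm the
## intended mapping before retagging them.
-w /etc/pam.d/ -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/limits.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/pam_env.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.init -p wa -k T1071_Standard_Application_Layer_Protocol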
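### T1021_Remote_Services -----------------------------------------------------
## SSH configuration
## (no -p: reads as well as writes of sshd_config are recorded)
-w /etc/ssh/sshd_config -k T1021_Remote_Services
## Login Related Events
## (the same three files are also watched under T1082 above with a different key)
-w /var/log/faillog -p wa -k T1021_Remote_Services
-w /var/log/lastlog -p wa -k T1021_Remote_Services
-w /var/log/tallylog -p wa -k T1021_Remote_Services
### T1501_Systemd_Service -----------------------------------------------------
## Systemd
-w /bin/systemctl -p x -k T1501_Systemd_Service
-w /etc/systemd/ -p wa -k T1501_Systemd_Service
-w /lib/systemd/ -p wa -k T1501_Systemd_Service
-w /usr/bin/journalctl -p x -k T1501_Systemd_Service
### T1222_File_and_Directory_Permissions_Modification -------------------------
## SELinux events that modify the system's Mandatory Access Controls (MAC)
## NOTE(review): the key suffix "_SLinux" looks like a typo for "_SELinux"; it is left
## unchanged because consumers may already search on it.
-w /etc/selinux/ -p wa -k T1222_File_and_Directory_Permissions_Modification_SLinux
### T1108_Redundant_Access ----------------------------------------------------
## Session initiation information
-w /var/run/utmp -p wa -k T1108_Redundant_Access
-w /var/log/btmp -p wa -k T1108_Redundant_Access
-w /var/log/wtmp -p wa -k T1108_Redundant_Access
### T1529_System_Shutdown_Reboot ----------------------------------------------
## Power state
-w /sbin/shutdown -p x -k T1529_System_Shutdown_Reboot
-w /sbin/poweroff -p x -k T1529_System_Shutdown_Reboot
-w /sbin/reboot -p x -k T1529_System_Shutdown_Reboot
-w /sbin/halt -p x -k T1529_System_Shutdown_Reboot
# Special Rules ---------------------------------------------------------------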
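### T1055_Process_Injection_32bit_api -----------------------------------------
## Library search paths
## (ld.so.preload has no -p, so reads are recorded as well as writes)
-w /etc/ld.so.conf -p wa -k T1055_Process_Injection_ld
-w /etc/ld.so.preload -k T1055_Process_Injection_ld
## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
### a0 is the ptrace request: 0x4 PTRACE_POKETEXT, 0x5 PTRACE_POKEDATA, 0x6 PTRACE_POKEUSR.
### The request-specific rules must come first: audit stops at the first match, and with
### the generic "tracing" rules ahead of them (the original order) every ptrace call took
### the _tracing key and the _code/_data/_register keys could never fire.
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register
### Every other ptrace request (attach, peek, single-step, ...) lands here.
-a always,exit -F arch=b32 -S ptrace -k T1055_Process_Injection_tracing
-a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection_tracing
## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
### (b32 rules placed earlier in the file still win for their syscalls; this is the fallback)
-a always,exit -F arch=b32 -S all -k T1055_Process_Injection_32bit_api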
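### T1087_Account_Discovery ---------------------------------------------------
## Recon Related Events
## (-p r on passwd/group fires on every user or group name lookup — very high volume on busy hosts)
-w /etc/group -p r -k T1087_Account_Discovery
-w /etc/passwd -p r -k T1087_Account_Discovery
-w /etc/gshadow -p r -k T1087_Account_Discovery
-w /etc/shadow -p r -k T1087_Account_Discovery
-w /etc/security/opasswd -p r -k T1087_Account_Discovery
-w /usr/sbin/nologin -k T1087_Account_Discovery
-w /sbin/nologin -k T1087_Account_Discovery
### T1033_System_Owner_User_Discovery -----------------------------------------
## Recon Related Events
-w /usr/bin/whoami -p x -k T1033_System_Owner_User_Discovery
-w /usr/bin/who -p x -k T1033_System_Owner_User_Discovery
-w /usr/bin/w -p x -k T1033_System_Owner_User_Discovery
### T1082_System_Information_Discovery ----------------------------------------
## Recon Related Events
-w /etc/aliases -p r -k T1082_System_Information_Discovery
-w /etc/issue -p r -k T1082_System_Information_Discovery
-w /etc/issue.net -p r -k T1082_System_Information_Discovery
-w /etc/redhat-release -p r -k T1082_System_Information_Discovery
-w /usr/bin/id -p x -k T1082_System_Information_Discovery
-w /usr/bin/uname -p x -k T1082_System_Information_Discovery
## The watches for /etc/hostname, /sbin/iptables, /sbin/ifconfig, /etc/login.defs,
## /etc/securetty and /var/log/{faillog,lastlog,tallylog} (T1082) and for
## /etc/{resolv.conf,hosts.allow,hosts.deny} (T1016) that used to follow here were exact
## repeats of the rules in the T1082 / T1016 sections above. The kernel rejects an identical
## rule (EEXIST) and -i hid the error, so removing them changes nothing that gets loaded.
### T1049_System_Network_Connections_discovery
-w /usr/sbin/tcpdump -p x -k T1049_System_Network_Connections_discovery
-w /usr/sbin/traceroute -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/wireshark -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/rawshark -p x -k T1049_System_Network_Connections_discovery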
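### T1081_Credentials_In_Files ------------------------------------------------
## Recon Related Events
## (grep/egrep are executed constantly on an interactive host; expect volume from these two)
-w /usr/bin/grep -p x -k T1081_Credentials_In_Files
-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
### T1057_Process_Discovery ---------------------------------------------------
## Recon Related Events
-w /usr/bin/ps -p x -k T1057_Process_Discovery
### T1219_Remote_Access_Tools -------------------------------------------------
## Suspicious activity
## (wireshark/rawshark are also watched under T1049 above with a different key)
-w /usr/bin/wget -p x -k T1219_Remote_Access_Tools
-w /usr/bin/curl -p x -k T1219_Remote_Access_Tools
-w /bin/nc.traditional -p x -k T1219_Remote_Access_Tools
-w /bin/nc -p x -k T1219_Remote_Access_Tools
-w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools
-w /bin/netcat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ssh -p x -k T1219_Remote_Access_Tools
-w /usr/bin/socat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/wireshark -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rawshark -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools
## Critical elements access failures - unauthedfileaccess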
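## Failed opens under the system and user trees (success=0 keeps only the failed calls).
## openat was added next to open: on current glibc the open() wrapper is implemented with
## the openat syscall, so the original open-only rules saw almost none of these failures.
-a exit,always -F arch=b64 -S open -S openat -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b64 -S open -S openat -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
-a exit,always -F arch=b32 -S open -S openat -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation
## su / sudo usage and sudoers reads+writes
-w /bin/su -p x -k T1169_Sudo
-w /usr/bin/sudo -p x -k T1169_Sudo
-w /etc/sudoers -p rw -k T1169_Sudo
## (no -F arch: auditctl applies the native arch and warns; add -F arch=b64 on 64-bit hosts to silence it)
-a always,exit -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1169_Sudo
# Admin power abuse
## root (uid=0) touching files under /home that belong to someone other than the logged-in user.
## The auid threshold was 1000 here while every other rule in this file uses 500; it is
## aligned to 500 — set both to the host's UID_MIN when tuning.
-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo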
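## Discretionary Access Control (DAC) modifications - perm_mod
## Permission, ownership and xattr changes by interactive users (auid>=500 and set).
## NOTE(review): the key spells "Seuid"; ATT&CK T1166 is "Setuid and Setgid". The spelling
## is consistent across all 26 rules, so it is left unchanged to keep existing searches valid.
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
### T1072_third_party_software -------------------------------------------------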
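## Software Management
## (execution of the package managers; the zypper watch has no -p, so all access types are logged for it)
# RPM (Redhat/CentOS/Fedora)
-w /usr/bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/yum -p x -k T1072_third_party_software
-w /usr/bin/dnf -p x -k T1072_third_party_software
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k T1072_third_party_software
-w /sbin/yast2 -p x -k T1072_third_party_software
-w /bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/zypper -k T1072_third_party_software
# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k T1072_third_party_software
-w /usr/bin/apt-add-repository -p x -k T1072_third_party_software
-w /usr/bin/apt-get -p x -k T1072_third_party_software
-w /usr/bin/aptitude -p x -k T1072_third_party_software
# add special watched software here or uncomment examples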
# Special Software ------------------------------------------------------------ | |
### T1222_File_and_Directory_Permissions_Modification_Apparmor ---------------- | |
#-w /etc/apparmor/ -p wa -k T1222_File_and_Directory_Permissions_Modification_apparmor | |
#-w /etc/apparmor.d/ -p wa -k T1222_File_and_Directory_Permissions_Modification_apparmor | |
#-w /sbin/apparmor_parser -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor | |
#-w /usr/sbin/aa-complain -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor | |
#-w /usr/sbin/aa-disable -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor | |
#-w /usr/sbin/aa-enforce -p x -k T1222_File_and_Directory_Permissions_Modification_apparmor | |
# | |
### GDS specific secrets | |
#-w /etc/puppet/ssl -p wa -k puppet_ssl | |
# | |
### IBM Bigfix BESClient | |
#-a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient | |
#-w /var/opt/BESClient/ -p wa -k soft_besclient | |
# | |
### CHEF https://www.chef.io/chef/ | |
#-w /etc/chef -p wa -k soft_chef | |
# | |
#### KVM | |
#-w /usr/bin/virsh -p x -k kvm | |
#-w /etc/libvirt/ -p w -k kvm | |
# | |
#### Docker | |
#-w /usr/bin/dockerd -p x -k docker | |
#-w /usr/bin/docker -p x -k docker | |
#-w /usr/bin/docker-containerd -p x -k docker | |
#-w /usr/bin/docker-runc -p x -k docker | |
#-w /var/lib/docker/ -p w -k docker | |
#-w /etc/docker/ -p w -k docker | |
#-w /etc/sysconfig/docker -p w -k docker | |
#-w /etc/sysconfig/docker-storage -p w -k docker | |
#-w /usr/lib/systemd/system/docker.service -p w -k docker | |
# | |
#### Kubelet | |
#-w /usr/bin/kubelet -p x -k kubelet | |
# | |
## Backup Software ------------------------------------------------------------ | |
## SUSE / Btrfs backup | |
#-w /usr/sbin/snapperd -p x -k snapperd_backup
# add critical application data here
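#-w /etc/myapplication/app.conf -p rwa -k myapplicationkey
# High volume events - disable if it generates too much load
### T1107_File_Deletion -------------------------------------------------------
## File Deletion Events by User
## (interactive users only: auid>=500 and set)
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion
### T1070_Indicator_Removal_on_Host -------------------------------------------
## File Deletion Events by Root
## (auid=0 is a session that logged in as root; users who escalated via su/sudo keep their own auid
##  and are caught by the T1107 rules above)
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
### T1005_Data_from_Local_System ----------------------------------------------
## Data Copy(Local)
-w /usr/bin/cp -p x -k T1005_Data_from_Local_System
-w /usr/bin/dd -p x -k T1005_Data_from_Local_System
### TOMCAT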
# whitelist
## Per-service allow-list: the "never" rules for the service account's normal paths must
## precede the catch-all "always" rule of the same service (audit is first-match).
## euid=<name> is resolved by auditctl at load time; on a host without that account the
## rule is rejected and, because of -i, dropped silently.
-a exit,never -F dir=/srv/tomcat -F euid=tomcat -k tomcat_webignore_serving_dir
-a exit,never -F dir=/var/log/tomcat/ -F euid=tomcat -k tomcat_webignore_log_dir
-a exit,never -F dir=/var/cache/tomcat/ -F euid=tomcat -k tomcat_webignore_cache_dir
-a exit,never -F dir=/sys/fs/cgroup/memory/system.slice/tomcat.service/ -F euid=tomcat -k tomcat_webignore_memory_dir
## (reuses the memory_dir key for the cpu cgroup — cosmetic only, never-rules emit no records)
-a exit,never -F dir=/sys/fs/cgroup/cpu,cpuacct/cpu.shares -F euid=tomcat -k tomcat_webignore_memory_dir
-a exit,never -F dir=/usr/share/tomcat/conf/tomcat-users.xml -F euid=tomcat -k tomcat_webignore_user_dir
-a exit,never -F dir=/usr/share/tomcat/work/ -F euid=tomcat -k tomcat_webignore_work_dir
-a exit,never -F dir=/usr/lib64/jvm -F euid=tomcat -F perm=xa -k tomcat_webignore_jvm_dir
# blacklist everything else
## Any other file access by the service account, anywhere on the filesystem: noisy until
## the allow-list above is complete, then a useful tripwire for the service acting outside its role.
-a exit,always -F dir=/ -F euid=tomcat -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_Tomcat
### NGINX
# whitelisting
## (nginx and apache keys are spelled "webignor", tomcat's "webignore" — harmless on never-rules)
-a exit,never -F dir=/srv/www/ -F euid=nginx -k nginx_webignor_serving_dir
-a exit,never -F dir=/var/log/nginx/ -F euid=nginx -k nginx_webignor_log_dir
# blacklist
-a exit,always -F dir=/ -F euid=nginx -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_nginx
### APACHE
# whitelist
-a exit,never -F dir=/var/www/ -F euid=apache -k apache_webignor_serving_dir
-a exit,never -F dir=/var/log/httpd/ -F euid=apache -k apache_webignor_log_dir
-a exit,never -F dir=/etc/httpd/ -F euid=apache -F perm=wxa -k apache_webignor_etc_dir
-a exit,never -F path=/usr/share/zoneinfo/UTC -F euid=apache -F perm=wxa -k apache_webignor_tzinfo_dir
# blacklist
-a exit,always -F dir=/ -F euid=apache -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_apache
#### Account related ----------------------------------------------------------
### T1078_Valid_Accounts ------------------------------------------------------
## Group
## (gshadow has no -p, so reads are logged too; reads of /etc/group are covered with -p r under T1087 above)
-w /etc/group -p wa -k T1078_Valid_Accounts_group
-w /etc/gshadow -k T1078_Valid_Accounts_group
-w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts_group
-w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts_group
-w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts_group
## Sudoers file changes
## (/etc/sudoers is also watched with -p rw under T1169_Sudo above)
-w /etc/sudoers -p wa -k T1078_Valid_Accounts_sudoers
## Passwd
## (shadow and opasswd have no -p, so all access types are recorded for them)
-w /etc/shadow -k T1078_Valid_Accounts_passwd
-w /etc/security/opasswd -k T1078_Valid_Accounts_passwd
-w /etc/passwd -p wa -k T1078_Valid_Accounts_passwd
-w /usr/bin/passwd -p x -k T1078_Valid_Accounts_passwd
## Users
-w /usr/sbin/useradd -p x -k T1078_Valid_Accounts_user
-w /usr/sbin/usermod -p x -k T1078_Valid_Accounts_user
-w /usr/sbin/adduser -p x -k T1078_Valid_Accounts_user
# High Load | |
## Privleged Command Execution Related Events | |
-a exit,always -F arch=b64 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command | |
-a exit,always -F arch=b32 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
##-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
### T1043_Commonly_Used_Port -------------------------------------------------- | |
## C2-related events: outbound network connections | |
# Log 64-bit processes. a2 is the addrlen argument of connect(); 110 (0x6e) is sizeof(struct sockaddr_un), so a2!=110 drops local Unix-socket connects and keeps IP connects. Note this records every TCP/UDP connect() on the host, so expect volume. | |
-a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port | |
# Log 32-bit processes. a0=3 is SYS_CONNECT, i.e. only connect() calls issued through the socketcall multiplexer are recorded. | |
-a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port
# NOTE(review): the "## File Access" section header below had been fused onto the -k key of the rule above. A key containing '#' and a space is unlikely to load, and with -i set the broken rule would be dropped silently; the header is restored as its own line here. Verify with `auditctl -l` that the T1043 b32 rule is present.
## File Access | |
### Unauthorized Access (unsuccessful) | |
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
### Unsuccessful Creation | |
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation | |
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation | |
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation | |
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation | |
### Unsuccessful Modification | |
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification | |
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification | |
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification | |
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification | |
# Make the configuration immutable (-e 2): after this the rule set can only be changed by rebooting, which stops an attacker who gains root from blinding the log with `auditctl -D` / `-e 0`. It is left disabled below; if enabled it must stay the last line of the file. | |
#-e 2 | |
# Normal activation ------------------------------------------------------------- | |
-e 1 |
# Name: AuditD Baseline Rules | |
# Author: nshadov@ravencloud.net | |
# Date: 2016-06-02 | |
# Desc: Baseline auditd audit configuration, without machine/organization specific entries. | |
# Target system: DEBIAN/UBUNTU (64 BIT) | |
# Based on 'https://www.suse.com/documentation/sled10/audit_sp1/data/cha_audit_scenarios.html' | |
# VERSION: 1.0 | |
# TODO: | |
# * ADD KEYS TO GROUP OF RECORDS | |
# * SCOPE FOR USERS (UID: 10 000-12 000) | |
################### | |
### BASE CONFIG ### | |
################### | |
### DELETE ALL PREVIOUS RULES | |
-D | |
### INCREASE LOG BUFFER | |
## Kernel backlog for events not yet read by auditd; raise it if the kernel reports backlog overflows.
-b 8192 | |
### FAILURE FLAG (2 - KERNEL PANIC, 1 - PRINTK, 0 - SILENT) | |
## NOTE(review): there is no -i in this file, so a rule that fails to load aborts the rest of the load instead of being
## skipped; that is the safer default, but the rules after the bad one are then missing - check `auditctl -l` after loading.
-f 1 | |
##################### | |
### AUDITD CONFIG ### | |
##################### | |
### LOG FILE WATCHES (WRITE AND ATTRIBUTE CHANGE) | |
## No -p is given, so these watches fire on every access type (rwxa), reads included. The second watch is redundant
## with the directory watch above it (same key), which is harmless.
-w /var/log/audit/ -k baseline-audit-logs | |
-w /var/log/audit/audit.log -k baseline-audit-logs | |
### AUDITD CONFIG | |
## NOTE(review): on current auditd, audit.rules is generated from /etc/audit/rules.d/, which is not watched here;
## an attacker can edit a fragment there and trigger a regeneration. Consider `-w /etc/audit/ -p wa` as in the generated rule set.
-w /etc/audit/auditd.conf -p wa -k baseline-audit-conf | |
-w /etc/audit/audit.rules -p wa -k baseline-audit-conf | |
-w /etc/libaudit.conf -p wa -k baseline-audit-conf | |
-w /etc/default/auditd -p wa -k baseline-audit-conf | |
################################################ | |
### FILESYSTEM RULES (DIR/FILES, ATTRIBUTES) ### | |
################################################ | |
## These rules are unscoped (no auid/uid filter, no path), so every call on the host is recorded - very high volume.
## NOTE(review): only arch=b64 is covered. If 32-bit compat syscalls are enabled on the kernel, a 32-bit binary
## bypasses every rule in this section; add matching -F arch=b32 rules or disable compat.
-a exit,always -F arch=b64 -S chmod -S chown -S fchown -S lchown -k baseline-filesystem-perm | |
-a exit,always -F arch=b64 -S creat -S truncate -S ftruncate -k baseline-filesystem-create | |
-a exit,always -F arch=b64 -S mkdir -S rmdir -k baseline-filesystem-dir | |
-a exit,always -F arch=b64 -S unlink -S rename -S link -S symlink -k baseline-filesystem-link | |
# | |
# -a exit,always -F arch=b64 -S open # IMPORTANT FOR SYSTEMS WITH HIGHLY CONFIDENTIAL DATA | |
# | |
## Extended-attribute changes (capabilities, SELinux labels and ACLs all live in xattrs).
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k baseline-filesystem-attrib | |
## Device-node creation.
-a exit,always -F arch=b64 -S mknod -k baseline-filesystem-mknod | |
## Mounts (removable media, bind mounts over system paths).
-a exit,always -F arch=b64 -S mount -S umount2 -k baseline-filesystem-mount | |
############################ | |
### SYSTEM CONFIGURATION ### | |
############################ | |
### STARTUP | |
## Scheduled-task persistence. Watches without -p fire on reads as well as writes.
-w /var/spool/at -k baseline-system-startup | |
-w /etc/at.allow -k baseline-system-startup | |
-w /etc/at.deny -k baseline-system-startup | |
-w /etc/cron.allow -p wa -k baseline-system-startup | |
-w /etc/cron.deny -p wa -k baseline-system-startup | |
-w /etc/cron.d/ -p wa -k baseline-system-startup | |
-w /etc/cron.daily/ -p wa -k baseline-system-startup | |
-w /etc/cron.hourly/ -p wa -k baseline-system-startup | |
-w /etc/cron.monthly/ -p wa -k baseline-system-startup | |
-w /etc/cron.weekly/ -p wa -k baseline-system-startup | |
-w /etc/crontab -p wa -k baseline-system-startup | |
## NOTE(review): /var/spool/cron/root is the SUSE/RHEL layout inherited from the source document. On Debian/Ubuntu
## (the stated target) user crontabs live under /var/spool/cron/crontabs/, so this watch never fires there.
-w /var/spool/cron/root -k baseline-system-startup | |
### USERS/GROUPS | |
## NOTE(review): neither /etc/sudoers nor /etc/sudoers.d/ is watched anywhere in this file; a sudoers drop-in is a
## standard privilege-persistence path and belongs in a baseline.
-w /etc/group -p wa -k baseline-user-conf | |
-w /etc/passwd -p wa -k baseline-user-conf | |
## No -p: every read of the shadow file (each local authentication) is recorded, not only changes.
-w /etc/shadow -k baseline-user-conf | |
### SECURITY LOGS | |
-w /etc/login.defs -p wa -k baseline-user-logs | |
-w /etc/securetty -k baseline-user-logs | |
-w /var/log/faillog -k baseline-user-logs | |
-w /var/log/lastlog -k baseline-user-logs | |
### HOSTNAME CONFIG | |
-a exit,always -F arch=b64 -S sethostname -k baseline-system-hostname | |
-w /etc/issue -p wa -k baseline-system-banner | |
-w /etc/issue.net -p wa -k baseline-system-banner | |
-w /etc/hosts -p wa -k baseline-system-network | |
## NOTE(review): SysV-style startup only. systemd unit and drop-in directories (/etc/systemd/, /lib/systemd/) are not
## watched here, although they are the primary service-persistence location on the stated target.
-w /etc/inittab -p wa -k baseline-system-startup | |
-w /etc/init.d/ -p wa -k baseline-system-startup | |
-w /etc/init.d/auditd -p wa -k baseline-system-startup | |
-w /etc/ld.so.conf -p wa -k baseline-system-lib | |
-w /etc/localtime -p wa -k baseline-system-time | |
-w /etc/sysctl.conf -p wa -k baseline-system-kernel | |
## NOTE(review): the modprobe.conf* paths below are SUSE-style; Debian-based systems use /etc/modprobe.d/, which is
## not watched here.
-w /etc/modprobe.conf.d/ -k baseline-system-kernel | |
-w /etc/modprobe.conf.local -p wa -k baseline-system-kernel | |
-w /etc/modprobe.conf -p wa -k baseline-system-kernel | |
### PAM | |
## No -p: reads of PAM configuration on every authentication are recorded as well as changes; -p wa is usually enough.
-w /etc/pam.d/ -k baseline-login-conf | |
### ALIASES | |
-w /etc/aliases -p wa -k baseline-user-shell | |
-w /etc/postfix/ -p wa -k baseline-service-postfix | |
### SERVICES | |
## No -p: reads of sshd_config (sshd re-reads it for new connections) are recorded, not only changes.
-w /etc/ssh/sshd_config -k baseline-system-login | |
### TASKS/PROCESSES | |
## Unscoped umask/kill auditing records every shell and every signal on the host; scope by auid if volume is a problem.
-a exit,always -F arch=b64 -S umask -k baseline-filesystem-perm | |
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k baseline-system-time | |
-a exit,always -F arch=b64 -S kill -k baseline-service-kill | |
######################### | |
### SYSCALL ARGUMENTS ### | |
######################### | |
# | |
### ACCESS TO FILES (R_OK, R_OK|W_OK, R_OK|W_OK|X_OK) | |
## NOTE(review): the examples below use the "entry" filter list, which current kernels/auditctl no longer accept,
## and the socketcall lines have a stray space after "entry,". If any of them is re-enabled, rewrite it as
## `-a always,exit -F arch=b64 ...` (the numeric arguments 4/6/7 for access() and 3/1/5/10 for socketcall are fine).
# | |
#-a entry,always -S access -F a1=4 | |
#-a entry,always -S access -F a1=6 | |
#-a entry,always -S access -F a1=7 | |
# | |
### SOCKETS | |
# | |
# IPv6 | |
## a0=1 is SYS_SOCKET with a1=10 (AF_INET6); a0=5 is SYS_ACCEPT.
#-a entry, always -S socketcall -F a0=1 -F a1=10 | |
## NOTE(review): this file ends without `-e 1`; auditing relies on auditd's own enable-on-start behaviour and the
## immutable flag (-e 2) is never set. Add an explicit -e line as the last rule.
#-a entry, always -S socketcall -F a0=5 |
## This file is automatically generated from /etc/audit/rules.d | |
## NOTE(review): audit rules are first-match-wins, so the ordering below (exclusions first, catch-alls before the
## more specific keyed rules) decides which key - if any - an event carries.
-D | |
## Kernel backlog for events not yet read by auditd; raise it if the kernel reports backlog overflows.
-b 8192 | |
## Failure mode 1 = printk on lost events. 2 (panic) is the choice where an audit gap is unacceptable.
-f 1 | |
## -i makes auditctl continue past a rule it cannot load. Side effect: a rule with an unknown syscall name or a user
## that does not exist on this host is dropped silently - compare `auditctl -l` against this file after loading.
-i | |
## Self-audit: access to the audit log directory and changes to the audit/audisp configuration.
-w /var/log/audit/ -k auditlog | |
-w /etc/audit/ -p wa -k auditconfig | |
-w /etc/libaudit.conf -p wa -k auditconfig | |
-w /etc/audisp/ -p wa -k audispconfig | |
## Execution of the audit tools themselves (an `auditctl -D` by an attacker is recorded as long as auditd is still running).
-w /sbin/auditctl -p x -k audittools | |
-w /sbin/auditd -p x -k audittools | |
## Exclusions, placed first on purpose. Dropping CWD records loses the working directory that relative paths in
## PATH records are resolved against - a volume/completeness trade-off.
-a always,exclude -F msgtype=CWD | |
-a always,exclude -F msgtype=EOE | |
## NOTE(review): these two silence every syscall rule for processes in the SELinux crond_t domain, so commands
## launched from cron jobs (including root ones matched by the euid=0 execve rule further down) are not recorded.
## Confirm that blind spot is intended.
-a never,user -F subj_type=crond_t | |
-a exit,never -F subj_type=crond_t | |
-a always,exclude -F msgtype=CRYPTO_KEY_USER | |
## NOTE(review): fork() produces no PATH record, so a -F path filter on -S fork is unlikely ever to match; these
## two are probably dead but harmless.
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 | |
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 | |
## NOTE(review): /dev/shm is a common staging area for droppers and fileless payloads. Excluding every syscall that
## touches it, for all users and ahead of the web-server and file-access rules below, is a deliberate visibility gap;
## consider scoping the exclusion by uid instead of dropping it outright.
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess_filter | |
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess_filter | |
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm_filter | |
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm_filter | |
## Device-node creation and swap changes (auid!=-1 drops activity with no login session, i.e. boot-time daemons).
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles | |
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles | |
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap | |
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap | |
## Kernel module loading (LKM rootkits, persistence).
-w /etc/sysctl.conf -p wa -k T1215_Kernel_Modules_and_Extensions | |
## Path-based rules for the loader binaries; auid!=-1 excludes boot-time module loading by the init system.
-a always,exit -F perm=x -F auid!=-1 -F path=/bin/kmod -k T1215_Kernel_Modules_and_Extensions | |
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions | |
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions | |
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions | |
## The syscall rules are the reliable signal: a renamed or statically linked loader bypasses the path rules above.
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions | |
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions | |
-w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions | |
-w /etc/modprobe.d/ -p wa -k T1215_Kernel_Modules_and_Extensions | |
## kexec lets a new kernel be booted without going through the firmware - a way to drop audit entirely.
## NOTE(review): "sys_kexec_load" does not appear to be a syscall name auditctl knows (the table uses "kexec_load"),
## so with -i set the b32 rule is most likely dropped silently. Change it to -S kexec_load and confirm with `auditctl -l`.
-a always,exit -F arch=b64 -S kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC | |
-a always,exit -F arch=b32 -S sys_kexec_load -k T1215_Kernel_Modules_and_Extensions_KEXEC | |
## Clock manipulation (timestomping, log-timeline tampering).
## The dedicated clock_settime rules are redundant: clock_settime is already in the two rules above and, with
## first-match-wins, the later rules never get to attach their key. Harmless.
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp | |
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp | |
-a always,exit -F arch=b32 -S clock_settime -k T1099_Timestomp | |
-a always,exit -F arch=b64 -S clock_settime -k T1099_Timestomp | |
-w /etc/localtime -p wa -k T1099_Timestomp | |
## Tunnelling tool execution.
-w /usr/sbin/stunnel -p x -k T1079_Multilayer_Encryption | |
## Scheduled-task persistence: cron, at, anacron and SysV/upstart startup directories.
-w /etc/cron.allow -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/cron.deny -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/cron.d/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/cron.daily/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/cron.hourly/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/cron.monthly/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/cron.weekly/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/crontab -p wa -k T1168_Local_Job_Scheduling | |
## Debian layout for per-user crontabs. No -p is given, so reads by the cron daemon are recorded too; -p wa is
## enough to catch a planted job.
-w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling | |
-w /etc/at.allow -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/at.deny -p wa -k T1168_Local_Job_Scheduling | |
-w /var/spool/at/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/anacrontab -p wa -k T1168_Local_Job_Scheduling | |
-w /usr/bin/crontab -p x -k T1168_Local_Job_Scheduling | |
## Legacy init persistence; systemd units are covered by the T1501 rules further down.
-w /etc/inittab -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/init.d/ -p wa -k T1168_Local_Job_Scheduling | |
-w /etc/init/ -p wa -k T1168_Local_Job_Scheduling | |
## Host/network discovery. A read watch on /etc/hostname is likely very noisy (many tools read it at start-up).
-w /etc/hostname -p r -k T1082_System_Information_Discovery | |
## NOTE(review): only the legacy tools are watched; on current Debian-based systems `ip` and `nft` are the defaults
## and are not covered here.
-w /sbin/iptables -p x -k T1082_System_Information_Discovery | |
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery | |
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery | |
-w /etc/securetty -p wa -k T1082_System_Information_Discovery | |
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery | |
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery | |
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery | |
## No -p on these four: every access is recorded, including the reads the resolver does on each name lookup.
## Use -p wa if only tampering (DNS/host hijacking) is of interest.
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery | |
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery | |
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery | |
-w /etc/hosts -k T1016_System_Network_Configuration_Discovery | |
-w /etc/network/ -p wa -k T1016_System_Network_Configuration_Discovery | |
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k T1016_System_Network_Configuration_Discovery | |
## Mounts of removable media / FUSE (the b32 ABI still has the old umount syscall).
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Medium | |
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k T1052_Exfiltration_Over_Physical_Mediums | |
-w /usr/sbin/mount.fuse -p x -k T1052_Exfiltration_Over_Physical_Medium | |
## PAM and pam_env/limits tampering (backdoored authentication).
## NOTE(review): the T1071 (application-layer protocol) key on these PAM watches looks mislabelled; ATT&CK maps
## authentication-stack tampering to T1556. Keys are strings consumers search on, so rename only together with the SIEM side.
-w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery | |
-w /etc/pam.d/ -p wa -k T1071_Standard_Application_Layer_Protocol | |
-w /etc/security/limits.conf -p wa -k T1071_Standard_Application_Layer_Protocol | |
-w /etc/security/pam_env.conf -p wa -k T1071_Standard_Application_Layer_Protocol | |
-w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol | |
-w /etc/security/namespace.init -p wa -k T1071_Standard_Application_Layer_Protocol | |
## sshd configuration (no -p: reads are recorded as well) and login accounting files.
-w /etc/ssh/sshd_config -k T1021_Remote_Services | |
-w /var/log/faillog -p wa -k T1021_Remote_Services | |
-w /var/log/lastlog -p wa -k T1021_Remote_Services | |
-w /var/log/tallylog -p wa -k T1021_Remote_Services | |
## systemd unit directories and management tools.
-w /bin/systemctl -p x -k T1501_Systemd_Service | |
-w /etc/systemd/ -p wa -k T1501_Systemd_Service | |
-w /lib/systemd/ -p wa -k T1501_Systemd_Service | |
-w /usr/bin/journalctl -p x -k T1501_Systemd_Service | |
## SELinux policy/config changes (key has a typo, "SLinux"; left unchanged because consumers may match on it).
-w /etc/selinux/ -p wa -k T1222_File_and_Directory_Permissions_Modification_SLinux | |
## Login accounting databases - writes/attribute changes catch utmp/wtmp wiping.
-w /var/run/utmp -p wa -k T1108_Redundant_Access | |
-w /var/log/btmp -p wa -k T1108_Redundant_Access | |
-w /var/log/wtmp -p wa -k T1108_Redundant_Access | |
## Shutdown/reboot tools.
-w /sbin/shutdown -p x -k T1529_System_Shutdown_Reboot | |
-w /sbin/poweroff -p x -k T1529_System_Shutdown_Reboot | |
-w /sbin/reboot -p x -k T1529_System_Shutdown_Reboot | |
-w /sbin/halt -p x -k T1529_System_Shutdown_Reboot | |
# Special Rules --------------------------------------------------------------- | |
## Dynamic-loader hijacking. NOTE(review): /etc/ld.so.preload has no -p; if the file exists, every dynamically
## linked program start reads it, so this watch is either silent or extremely noisy - -p wa is what matters here.
-w /etc/ld.so.conf -p wa -k T1055_Process_Injection_ld | |
-w /etc/ld.so.preload -k T1055_Process_Injection_ld | |
## ptrace-based injection. The first pair matches every ptrace call; with first-match-wins the request-specific
## rules below (0x4 POKETEXT, 0x5 POKEDATA, 0x6 POKEUSR) never get to attach their key. Put the specific rules
## before the catch-all if the _code/_data/_register keys are wanted.
-a always,exit -F arch=b32 -S ptrace -k T1055_Process_Injection_tracing | |
-a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection_tracing | |
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code | |
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055_Process_Injection_code | |
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data | |
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055_Process_Injection_data | |
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register | |
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k T1055_Process_Injection_register | |
## Trip-wire for use of the 32-bit syscall ABI (a classic way to dodge b64-only rules).
## NOTE(review): -S all on b32 matches every 32-bit syscall, so (a) on a host that runs 32-bit binaries this is
## extremely high volume, and (b) every `-F arch=b32 -S ...` rule later in this file (open failures, chmod/chown,
## deletions, socketcall, unsuccessful file access) is shadowed by it and never attaches its own key.
-a always,exit -F arch=b32 -S all -k T1055_Process_Injection_32bit_api | |
## Account discovery. Read watches on passwd/group fire on every NSS lookup (practically every process); the
## shadow/gshadow/opasswd reads are the valuable ones.
-w /etc/group -p r -k T1087_Account_Discovery | |
-w /etc/passwd -p r -k T1087_Account_Discovery | |
-w /etc/gshadow -p r -k T1087_Account_Discovery | |
-w /etc/shadow -p r -k T1087_Account_Discovery | |
-w /etc/security/opasswd -p r -k T1087_Account_Discovery | |
-w /usr/sbin/nologin -k T1087_Account_Discovery | |
-w /sbin/nologin -k T1087_Account_Discovery | |
## Execution of discovery binaries. These are path watches on the binaries, so a copied or renamed tool is not seen.
-w /usr/bin/whoami -p x -k T1033_System_Owner_User_Discovery | |
-w /usr/bin/who -p x -k T1033_System_Owner_User_Discovery | |
-w /usr/bin/w -p x -k T1033_System_Owner_User_Discovery | |
-w /etc/aliases -p r -k T1082_System_Information_Discovery | |
-w /etc/issue -p r -k T1082_System_Information_Discovery | |
-w /etc/issue.net -p r -k T1082_System_Information_Discovery | |
-w /etc/redhat-release -p r -k T1082_System_Information_Discovery | |
-w /usr/bin/id -p x -k T1082_System_Information_Discovery | |
-w /usr/bin/uname -p x -k T1082_System_Information_Discovery | |
## Duplicates of watches defined earlier in this file (same path, same key); harmless.
-w /etc/hostname -p r -k T1082_System_Information_Discovery | |
-w /sbin/iptables -p x -k T1082_System_Information_Discovery | |
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery | |
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery | |
-w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery | |
-w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery | |
-w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery | |
-w /etc/securetty -p wa -k T1082_System_Information_Discovery | |
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery | |
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery | |
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery | |
## Network sniffing/discovery tools.
-w /usr/sbin/tcpdump -p x -k T1049_System_Network_Connections_discovery | |
-w /usr/sbin/traceroute -p x -k T1049_System_Network_Connections_discovery | |
-w /usr/bin/wireshark -p x -k T1049_System_Network_Connections_discovery | |
-w /usr/bin/rawshark -p x -k T1049_System_Network_Connections_discovery | |
## NOTE(review): watching grep/egrep/ps for execution fires on practically every shell script and interactive
## session; expect these three keys to dominate the log.
-w /usr/bin/grep -p x -k T1081_Credentials_In_Files | |
-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files | |
-w /usr/bin/ps -p x -k T1057_Process_Discovery | |
## Download / remote-access / tunnelling tools. wireshark and rawshark are watched again here under a second
## key; with first-match-wins only one of the two keys will appear on an event.
-w /usr/bin/wget -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/curl -p x -k T1219_Remote_Access_Tools | |
-w /bin/nc.traditional -p x -k T1219_Remote_Access_Tools | |
-w /bin/nc -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools | |
-w /bin/netcat -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/ssh -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/socat -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/wireshark -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/rawshark -p x -k T1219_Remote_Access_Tools | |
-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools | |
## Critical elements access failures - unauthedfileaccess | |
## Failed opens under system directories. NOTE(review): (1) only -S open is listed; recent glibc issues open() as
## the openat syscall, so most failures are missed - add -S openat (and openat2 where the kernel has it), as the
## unsuccessful_file_access rules at the end of this file already do. (2) success=0 matches every failure reason,
## including the very common ENOENT path probing of libraries and configs; filtering on exit=-EACCES/-EPERM is
## far more targeted. (3) The b32 rules here are shadowed by the earlier `-F arch=b32 -S all` rule.
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/etc -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/usr/bin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/var -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/home -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
-a exit,always -F arch=b32 -S open -F dir=/srv -F success=0 -k T1068_Exploitation_for_Privilege_Escalation | |
## Privilege escalation via su/sudo.
-w /bin/su -p x -k T1169_Sudo | |
-w /usr/bin/sudo -p x -k T1169_Sudo | |
## /etc/sudoers is watched again further down with -p wa under a different key; a write matches this rule first.
## NOTE(review): /etc/sudoers.d/ is not watched anywhere in this file, and a drop-in there is the usual way to
## persist sudo rights - add `-w /etc/sudoers.d/ -p wa -k T1169_Sudo`.
-w /etc/sudoers -p rw -k T1169_Sudo | |
## sudo switching to root (setresuid with ruid 0). The b32 rule is shadowed by the earlier `-S all` rule.
-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1169_Sudo | |
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1169_Sudo | |
## root (uid=0 after su/sudo) with a real login session (auid>=1000, set) touching something under /home that the
## logged-in user does not own. NOTE(review): -C interfield comparison needs a reasonably recent auditctl/kernel;
## confirm with `auditctl -l` that this rule actually loaded rather than being skipped by -i.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo | |
## Permission/ownership/xattr changes by logged-in users (setuid/setgid planting, capability xattrs).
## NOTE(review): auid>=500 is the older RHEL UID_MIN; this file otherwise targets a Debian-based system where
## regular users start at 1000 (the /home rule above already uses 1000). Align with UID_MIN from /etc/login.defs,
## otherwise system accounts in the 500-999 range generate events here. The b32 rules are shadowed by the earlier
## `-F arch=b32 -S all` rule. The key has a typo ("Seuid"); left as-is because consumers may match on it.
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid | |
### T1072_third_party_software ------------------------------------------------- | |
## Package-manager execution (software installation / supply-chain changes). Paths for several distros are listed;
## watches on binaries absent from this host are armed if the path ever appears and are otherwise inert.
## NOTE(review): on Debian-based targets the `apt` front-end (/usr/bin/apt) is not in the list.
-w /usr/bin/rpm -p x -k T1072_third_party_software | |
-w /usr/bin/yum -p x -k T1072_third_party_software | |
-w /usr/bin/dnf -p x -k T1072_third_party_software | |
-w /sbin/yast -p x -k T1072_third_party_software | |
-w /sbin/yast2 -p x -k T1072_third_party_software | |
-w /bin/rpm -p x -k T1072_third_party_software | |
## No -p here (all access types), unlike the rest of the section - probably an oversight; -p x is the intent.
-w /usr/bin/zypper -k T1072_third_party_software | |
-w /usr/bin/dpkg -p x -k T1072_third_party_software | |
-w /usr/bin/apt-add-repository -p x -k T1072_third_party_software | |
-w /usr/bin/apt-get -p x -k T1072_third_party_software | |
-w /usr/bin/aptitude -p x -k T1072_third_party_software | |
# add special watched software here or uncomment examples | |
## File deletion/renaming by logged-in users (auid>=500 - see the UID_MIN note above) and, separately, by root
## (indicator removal). The b32 rules are shadowed by the earlier `-F arch=b32 -S all` rule.
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion | |
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion | |
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host | |
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host | |
## Bulk copy tools (collection/staging). Very frequent in normal administration and scripts.
-w /usr/bin/cp -p x -k T1005_Data_from_Local_System | |
-w /usr/bin/dd -p x -k T1005_Data_from_Local_System | |
### NGINX | |
## Everything the web-server account does, except its own document root and log directory (the "never" rules must
## stay ahead of the catch-all because first match wins).
## NOTE(review): -F euid=<name> is resolved to a uid when the rule loads. On Debian/Ubuntu the web-server account
## is www-data, not nginx/apache; if the named user does not exist the rule cannot load and -i drops it silently,
## leaving the web tier unmonitored. Check `auditctl -l` for the T1190 rules.
-a exit,never -F dir=/srv/www/ -F euid=nginx -k nginx_webignor_serving_dir | |
-a exit,never -F dir=/var/log/nginx/ -F euid=nginx -k nginx_webignor_log_dir | |
-a exit,always -F dir=/ -F euid=nginx -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_nginx | |
### APACHE | |
## Config reads by apache are still recorded by the catch-all (only wxa is excluded for /etc/httpd).
-a exit,never -F dir=/var/www/ -F euid=apache -k apache_webignor_serving_dir | |
-a exit,never -F dir=/var/log/httpd/ -F euid=apache -k apache_webignor_log_dir | |
-a exit,never -F dir=/etc/httpd/ -F euid=apache -F perm=wxa -k apache_webignor_etc_dir | |
-a exit,never -F path=/usr/share/zoneinfo/UTC -F euid=apache -F perm=wxa -k apache_webignor_tzinfo_dir | |
-a exit,always -F dir=/ -F euid=apache -F perm=rwxa -k T1190_Exploit_Public_Facing_Application_apache | |
## Account and group manipulation. Watches without -p (gshadow, shadow, opasswd) record reads as well, i.e. every
## local authentication; use -p wa if only tampering is of interest.
-w /etc/group -p wa -k T1078_Valid_Accounts_group | |
-w /etc/gshadow -k T1078_Valid_Accounts_group | |
-w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts_group | |
-w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts_group | |
-w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts_group | |
## Second watch on /etc/sudoers (the earlier one is -p rw under T1169_Sudo); writes match the earlier rule first,
## attribute changes land here. /etc/sudoers.d/ is still not covered.
-w /etc/sudoers -p wa -k T1078_Valid_Accounts_sudoers | |
-w /etc/shadow -k T1078_Valid_Accounts_passwd | |
-w /etc/security/opasswd -k T1078_Valid_Accounts_passwd | |
-w /etc/passwd -p wa -k T1078_Valid_Accounts_passwd | |
-w /usr/bin/passwd -p x -k T1078_Valid_Accounts_passwd | |
-w /usr/sbin/useradd -p x -k T1078_Valid_Accounts_user | |
-w /usr/sbin/usermod -p x -k T1078_Valid_Accounts_user | |
-w /usr/sbin/adduser -p x -k T1078_Valid_Accounts_user | |
## Every execve with effective uid 0 - all root commands, including those of system services (no auid filter),
## so this is one of the highest-volume rules in the file but also the most useful for reconstructing activity.
-a exit,always -F arch=b64 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command | |
-a exit,always -F arch=b32 -F euid=0 -S execve -k T1078_Valid_Accounts_priv_command | |
## Execution of setuid/privileged helpers by logged-in users (auid>=500 - see the UID_MIN note earlier). Many of
## these paths are RHEL/SUSE-specific (userhelper, usernetctl, ccreds_validate, semanage, newrole, kgrantpty,
## kpac_dhcp_helper); they are inert on hosts without the binary and add no Debian-specific helpers.
## sudo and crontab are also watched earlier under other keys; with first-match-wins only one key is attached.
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
-a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts_priv_command | |
## Outbound connections (C2). a2 of connect() is the addrlen; 110 (0x6e) is sizeof(struct sockaddr_un), so
## a2!=110 drops local Unix-socket connects and keeps every IP connect on the host - expect volume.
-a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port | |
## 32-bit side: a0=3 is SYS_CONNECT through the socketcall multiplexer. Shadowed by the earlier `-F arch=b32 -S all` rule.
-a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port | |
## File Access | |
## Permission-denied opens/truncations by logged-in users (auid>=500 - see the UID_MIN note earlier). These rules
## include openat, which is what recent glibc issues for open(); the b32 variants are shadowed by the earlier
## `-F arch=b32 -S all` rule.
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k unsuccessful_file_access | |
## Failed creations/modifications, not scoped by auid (so daemon activity is included).
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation | |
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k unsuccessful_file_creation | |
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation | |
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k unsuccessful_file_creation | |
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification | |
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k unsuccessful_file_modification | |
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification | |
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k unsuccessful_file_modification | |
## Enable auditing; must be the last line. NOTE(review): -e 2 (immutable) is not set, so root can still clear or
## disable the rule set at runtime - the audittools watch near the top records that, but does not prevent it.
-e 1 |