Skip to content

Instantly share code, notes, and snippets.

@timb-machine
Last active August 1, 2023 05:58
Show Gist options
  • Save timb-machine/ba98213151c72d9655290f6207665fe7 to your computer and use it in GitHub Desktop.
Save timb-machine/ba98213151c72d9655290f6207665fe7 to your computer and use it in GitHub Desktop.
unix-audit DSL prototype
platformtags:
- "linux"
checks:
- type: "Informational"
checks:
- name: "Platform"
exec:
- command: "uname"
stderr: true
encode: ""
- type: "File System"
checks:
- name: "Partitions"
exec:
- command: "mount"
- name: "Important files"
file:
- name: "/etc/shadow"
glob: false
permission: true
hash: false
contents: true
stderr: true
encode: ""
- name: "/Users/*/.ssh/id_*sa"
glob: true
permission: true
hash: true
contents: false
stderr: false
encode: ""
directory:
- path: "/etc/init.d"
glob: false
permission: true
hash: false
contents: true
stderr: true
encode: ""
- path: "/Users/*/.ssh"
glob: true
permission: true
hash: true
contents: true
stderr: true
encode: "base64"
search:
- path: "/Users/*/.ssh/"
glob: true
hash: false
contents: true
stderr: false
encode: ""
- path: "/opt"
glob: false
permissions: "-o+w"
permission: true
hash: false
contents: false
stderr: false
encode: ""
- path: "/var/www"
glob: false
mask: ".htpasswd*"
hash: true
permission: true
contents: true
stderr: false
encode: ""
- path: "/"
glob: false
permissions: "-u+s"
permission: true
hash: false
contents: true
stderr: true
encode: "base64"
- path: "/"
glob: false
user: ""
permission: true
hash: false
contents: false
stderr: false
encode: ""
- path: "/"
glob: false
group: ""
permission: true
hash: false
contents: false
stderr: false
encode: ""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment