├── .github
│   └── workflows
│       └── test-rules.yml
├── LICENSE
├── README.md
└── audit.rules

/.github/workflows/test-rules.yml:
--------------------------------------------------------------------------------
# Auditd Config Testing

name: Auditd Syntax Checks

on:
  # Triggers the workflow on push or pull request events but only for the "master" branch
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v3

      - name: Update package information
        run: sudo apt update

      - name: Install auditd
        run: sudo apt install -y auditd

      - name: Start auditd
        run: if ! (systemctl is-active auditd); then sudo systemctl start auditd; fi

      - name: Remove default rules
        run: |
          sudo ls -l /etc/audit/rules.d/
          sudo rm /etc/audit/audit.rules
          sudo rm -rf /etc/audit/rules.d
          sudo mkdir /etc/audit/rules.d

      - name: Copy rules file to rules directory
        run: sudo cp $GITHUB_WORKSPACE/audit.rules /etc/audit/rules.d/

      - name: Check rules
        run: sudo augenrules --check 2>&1

      # This will load the compiled rules file, check how many lines are in it, and display each line if successful
      - name: Load rules
        run: |
          sudo augenrules --load 2>&1
          sudo wc -l /etc/audit/audit.rules
          sudo auditctl -l
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
[![Actively Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)

```
    ___             ___ __      __
   /   | __  ______/ (_) /_____/ /
  / /| |/ / / / __  / / __/ __  /
 / ___ / /_/ / /_/ / / /_/ /_/ /
/_/  |_\__,_/\__,_/_/\__/\__,_/
```

Best Practice Auditd Configuration

## Idea

The idea of this auditd configuration is to provide a basic configuration that

- works out-of-the-box on all major Linux distributions
- fits most use cases
- produces a reasonable amount of log data
- covers security relevant activity
- is easy to read (different sections, many comments)

## Sources

The configuration is based on the following sources:

Gov.uk auditd rules
https://github.com/gds-operations/puppet-auditd/pull/1

CentOS 7 hardening
https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon

Linux audit repo
https://github.com/linux-audit/audit-userspace/tree/master/rules

Auditd high performance linux auditing
https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/

### Further rules

Not all of these rules have been included.

For PCI DSS compliance see:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules

For NISPOM compliance see:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules

## Video Explanations by IppSec

IppSec captured a video that explains how to detect the exploitation of the OMIGOD vulnerability using auditd. In that video, he walks you through the audit configuration maintained in this repo and explains how to use it. I highly recommend this video to get a better understanding of what is happening in the config.

https://www.youtube.com/watch?v=lc1i9h1GyMA

## Contribution

Please contribute your changes as pull requests.
--------------------------------------------------------------------------------

/audit.rules:
--------------------------------------------------------------------------------
#     ___             ___ __      __
#    /   | __  ______/ (_) /_____/ /
#   / /| |/ / / / __  / / __/ __  /
#  / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/  |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Compiled by Florian Roth
#
# Created  : 2017/12/05
# Modified : 2023/01/25
#
# Based on rules published here:
#   Gov.uk auditd rules
#     https://github.com/gds-operations/puppet-auditd/pull/1
#   CentOS 7 hardening
#     https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon
#   Linux audit repo
#     https://github.com/linux-audit/audit-userspace/tree/master/rules
#   Auditd high performance linux auditing
#     https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/
#
# Further rules
#   For PCI DSS compliance see:
#     https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules
#   For NISPOM compliance see:
#     https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules

# Remove any existing rules
-D

# Buffer Size
## Feel free to increase this if the machine panics
-b 8192

# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1

# Ignore errors
## e.g. caused by users or files not found in the local environment
-i

# Self Auditing ---------------------------------------------------------------

## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-w /var/log/audit/ -p wra -k auditlog
-w /var/audit/ -p wra -k auditlog

## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
-w /usr/sbin/auditd -p x -k audittools
-w /usr/sbin/augenrules -p x -k audittools

## Access to all audit trails

-a always,exit -F path=/usr/sbin/ausearch -F perm=x -k audittools
-a always,exit -F path=/usr/sbin/aureport -F perm=x -k audittools
-a always,exit -F path=/usr/sbin/aulast -F perm=x -k audittools
-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -k audittools
-a always,exit -F path=/usr/sbin/auvirt -F perm=x -k audittools

# Filters ---------------------------------------------------------------------

### We put these early because audit is a first match wins system.

## Ignore current working directory records
-a always,exclude -F msgtype=CWD

## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a never,exit -F subj_type=crond_t

## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F auid=-1 -F uid=chrony -F subj_type=chronyd_t

## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER

## Open VM Tools
-a exit,never -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd

## High Volume Event Filter (especially on Linux Workstations)
-a never,exit -F arch=b32 -F dir=/dev/shm/ -F key=sharedmemaccess
-a never,exit -F arch=b64 -F dir=/dev/shm/ -F key=sharedmemaccess

-a never,exit -F arch=b32 -F dir=/var/lock/lvm/ -F key=locklvm
-a never,exit -F arch=b64 -F dir=/var/lock/lvm/ -F key=locklvm

## Filebeat
### https://www.elastic.co/guide/en/beats/filebeat/current/directory-layout.html

-a never,exit -F arch=b32 -F path=/opt/filebeat -F perm=wa -F key=filebeat
-a never,exit -F arch=b64 -F path=/opt/filebeat -F perm=wa -F key=filebeat

-a always,exit -F arch=b32 -F dir=/etc/filebeat/ -F perm=wa -F key=filebeat
-a always,exit -F arch=b64 -F dir=/etc/filebeat/ -F perm=wa -F key=filebeat

-a always,exit -F arch=b32 -F dir=/usr/share/filebeat/ -F perm=wa -F key=filebeat
-a always,exit -F arch=b64 -F dir=/usr/share/filebeat/ -F perm=wa -F key=filebeat

-a always,exit -F arch=b64 -F dir=/usr/share/filebeat/bin/ -F perm=x -F key=filebeat
-a always,exit -F arch=b32 -F dir=/usr/share/filebeat/bin/ -F perm=x -F key=filebeat

### macOS
#### https://www.elastic.co/guide/en/beats/filebeat/7.17/directory-layout.html
-a always,exit -F arch=b32 -F path=/usr/local/var/homebrew/linked/filebeat-full -F perm=x -F key=filebeat
-a always,exit -F arch=b64 -F path=/usr/local/var/homebrew/linked/filebeat-full -F perm=x -F key=filebeat

-a always,exit -F arch=b32 -F dir=/usr/local/var/homebrew/linked/filebeat-full/bin/ -F perm=x -F key=filebeat
-a always,exit -F arch=b64 -F dir=/usr/local/var/homebrew/linked/filebeat-full/bin/ -F perm=x -F key=filebeat

-a always,exit -F arch=b32 -F dir=/usr/local/etc/filebeat/ -F perm=wa -F key=filebeat
-a always,exit -F arch=b64 -F dir=/usr/local/etc/filebeat/ -F perm=wa -F key=filebeat

## More information on how to filter events
### https://access.redhat.com/solutions/2482221

# Rules -----------------------------------------------------------------------

## Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d -p wa -k sysctl

## Kernel module loading and unloading
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules

## Modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d -p wa -k modprobe

## KExec usage (all actions)
-a always,exit -F arch=b64 -S kexec_load -k KEXEC

## Special files
-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations (only attributable)
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount

### NFS mount
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts

## Change swap (only attributable)
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap

## Time
-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
### Local time zone
-w /etc/localtime -p wa -k localtime

## Stunnel
-w /usr/sbin/stunnel -p x -k stunnel
-w /usr/bin/stunnel -p x -k stunnel

## Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/ -p wa -k cron

## User, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

## Sudoers file changes
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

## Passwd
-w /usr/bin/passwd -p x -k passwd_modification

## Tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/userdel -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## Login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## Network Environment
### Changes to hostname
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications

### Detect Remote Shell Use
-a always,exit -F arch=b64 -F exe=/bin/bash -F success=1 -S connect -k remote_shell
-a always,exit -F arch=b64 -F exe=/usr/bin/bash -F success=1 -S connect -k remote_shell

### Successful IPv4 Connections
-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4

### Successful IPv6 Connections
-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6

### Changes to other files
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
-w /etc/sysconfig/network-scripts -p w -k network_modifications
-w /etc/network/ -p wa -k network
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications

### Changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## System startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## Library search paths
-w /etc/ld.so.conf -p wa -k libpath
-w /etc/ld.so.conf.d -p wa -k libpath

## Systemwide library preloads (LD_PRELOAD)
-w /etc/ld.so.preload -p wa -k systemwide_preloads

## Pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/limits.d -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.d -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## Mail configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
-w /etc/exim4/ -p wa -k mail

## SSH configuration
-w /etc/ssh/sshd_config -k sshd
-w /etc/ssh/sshd_config.d -k sshd

## root ssh key tampering
-w /root/.ssh -p wa -k rootkey

## Systemd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd/ -p wa -k systemd
-w /usr/lib/systemd -p wa -k systemd

## https://systemd.network/systemd.generator.html
-w /etc/systemd/system-generators/ -p wa -k systemd_generator
-w /usr/local/lib/systemd/system-generators/ -p wa -k systemd_generator
-w /usr/lib/systemd/system-generators -p wa -k systemd_generator

-w /etc/systemd/user-generators/ -p wa -k systemd_generator
-w /usr/local/lib/systemd/user-generators/ -p wa -k systemd_generator
-w /lib/systemd/system-generators/ -p wa -k systemd_generator

## SELinux events that modify the system's Mandatory Access Controls (MAC)
-w /etc/selinux/ -p wa -k mac_policy

## Critical elements access failures
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess

## Process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc

## Power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

## Session initiation information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

## Discretionary Access Control (DAC) modifications
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod

# Special Rules ---------------------------------------------------------------

## Reconnaissance
-w /usr/bin/whoami -p x -k recon
-w /usr/bin/id -p x -k recon
-w /bin/hostname -p x -k recon
-w /bin/uname -p x -k recon
-w /etc/issue -p r -k recon
-w /etc/hostname -p r -k recon

## Suspicious activity
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ss -p x -k susp_activity
-w /usr/bin/netstat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/scp -p x -k susp_activity
-w /usr/bin/sftp -p x -k susp_activity
-w /usr/bin/ftp -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/tshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k susp_activity
-w /usr/local/bin/rdesktop -p x -k susp_activity
-w /usr/bin/wlfreerdp -p x -k susp_activity
-w /usr/bin/xfreerdp -p x -k susp_activity
-w /usr/local/bin/xfreerdp -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity

### uftp
### https://sourceforge.net/projects/uftp-multicast/
### UFTP is an encrypted multicast file transfer program, designed to securely, reliably,
### and efficiently transfer files to multiple receivers simultaneously.
### UFTP also has the capability to communicate over disjoint networks separated by one or
### more firewalls (NAT traversal) and without full end-to-end multicast capability
### (multicast tunneling) through the use of a UFTP proxy server.
### T1133_External_Remote_Services
-w /usr/bin/uftp -p x -k susp_activity
-w /usr/sbin/uftp -p x -k susp_activity

-w /lib/systemd/system/uftp.service -k susp_activity
-w /usr/lib/systemd/system/uftp.service -k susp_activity

### atftpd
### https://sourceforge.net/projects/atftp/
### https://github.com/madmartin/atftp
### atftp is a client/server implementation of the TFTP protocol that implements RFCs 1350, 2090, 2347, 2348, 2349 and 7440.
### The server is multi-threaded and the client presents a friendly interface using libreadline.
### T1133_External_Remote_Services
-w /usr/bin/atftpd -p x -k susp_activity
-w /usr/sbin/atftpd -p x -k susp_activity

-w /usr/bin/in.tftpd -p x -k susp_activity
-w /usr/sbin/in.tftpd -p x -k susp_activity

-w /lib/systemd/system/atftpd.service -k susp_activity
-w /usr/lib/systemd/system/atftpd.service -k susp_activity

-w /lib/systemd/system/atftpd.socket -k susp_activity
-w /usr/lib/systemd/system/atftpd.socket -k susp_activity

## sssd
-a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts

## vte-2.91
-a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts

## T1002 Data Compressed

-w /usr/bin/zip -p x -k Data_Compressed
-w /usr/bin/gzip -p x -k Data_Compressed
-w /usr/bin/tar -p x -k Data_Compressed
-w /usr/bin/bzip2 -p x -k Data_Compressed

-w /usr/bin/lzip -p x -k Data_Compressed
-w /usr/local/bin/lzip -p x -k Data_Compressed

-w /usr/bin/lz4 -p x -k Data_Compressed
-w /usr/local/bin/lz4 -p x -k Data_Compressed

-w /usr/bin/lzop -p x -k Data_Compressed
-w /usr/local/bin/lzop -p x -k Data_Compressed

-w /usr/bin/plzip -p x -k Data_Compressed
-w /usr/local/bin/plzip -p x -k Data_Compressed

-w /usr/bin/pbzip2 -p x -k Data_Compressed
-w /usr/local/bin/pbzip2 -p x -k Data_Compressed

-w /usr/bin/lbzip2 -p x -k Data_Compressed
-w /usr/local/bin/lbzip2 -p x -k Data_Compressed

-w /usr/bin/pixz -p x -k Data_Compressed
-w /usr/local/bin/pixz -p x -k Data_Compressed

-w /usr/bin/pigz -p x -k Data_Compressed
-w /usr/local/bin/pigz -p x -k Data_Compressed
-w /usr/bin/unpigz -p x -k Data_Compressed
-w /usr/local/bin/unpigz -p x -k Data_Compressed

-w /usr/bin/zstd -p x -k Data_Compressed
-w /usr/local/bin/zstd -p x -k Data_Compressed

## gzexe
-a always,exit -F arch=b32 -F path=/usr/bin/gzexe -F perm=x -F key=Data_Compressed
-a always,exit -F arch=b64 -F path=/usr/bin/gzexe -F perm=x -F key=Data_Compressed

-a always,exit -F arch=b32 -F path=/usr/sbin/gzexe -F perm=x -F key=Data_Compressed
-a always,exit -F arch=b64 -F path=/usr/sbin/gzexe -F perm=x -F key=Data_Compressed

### macOS

-a always,exit -F arch=b32 -F path=/usr/local/bin/gzexe -F perm=x -F key=Data_Compressed
-a always,exit -F arch=b64 -F path=/usr/local/bin/gzexe -F perm=x -F key=Data_Compressed

### https://www.rkeene.org/oss/dact
-a always,exit -F arch=b32 -F path=/usr/bin/dact -F perm=x -F key=Data_Compressed
-a always,exit -F arch=b64 -F path=/usr/bin/dact -F perm=x -F key=Data_Compressed

-a always,exit -F arch=b32 -F path=/usr/sbin/dact -F perm=x -F key=Data_Compressed
-a always,exit -F arch=b64 -F path=/usr/sbin/dact -F perm=x -F key=Data_Compressed

-a always,exit -F arch=b32 -F path=/usr/local/bin/dact -F perm=x -F key=Data_Compressed
-a always,exit -F arch=b64 -F path=/usr/local/bin/dact -F perm=x -F key=Data_Compressed

## Added to catch netcat on Ubuntu
-w
/bin/nc.openbsd -p x -k susp_activity 463 | -w /bin/nc.traditional -p x -k susp_activity 464 | 465 | ## Sbin suspicious activity 466 | -w /sbin/iptables -p x -k sbin_susp 467 | -w /sbin/ip6tables -p x -k sbin_susp 468 | -w /sbin/ifconfig -p x -k sbin_susp 469 | -w /usr/sbin/arptables -p x -k sbin_susp 470 | -w /usr/sbin/ebtables -p x -k sbin_susp 471 | -w /sbin/xtables-nft-multi -p x -k sbin_susp 472 | -w /usr/sbin/nft -p x -k sbin_susp 473 | -w /usr/sbin/tcpdump -p x -k sbin_susp 474 | -w /usr/sbin/traceroute -p x -k sbin_susp 475 | -w /usr/sbin/ufw -p x -k sbin_susp 476 | 477 | ### kde4 478 | -a always,exit -F path=/usr/libexec/kde4/kpac_dhcp_helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts 479 | -a always,exit -F path=/usr/libexec/kde4/kdesud -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts 480 | 481 | ## dbus-send invocation 482 | ### may indicate privilege escalation CVE-2021-3560 483 | -w /usr/bin/dbus-send -p x -k dbus_send 484 | -w /usr/bin/gdbus -p x -k gdubs_call 485 | 486 | ## setfiles 487 | -a always,exit -F path=/usr/bin/setfiles -F perm=x -F auid>=500 -F auid!=4294967295 -k -F T1078_Valid_Accounts 488 | -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=500 -F auid!=4294967295 -k -F T1078_Valid_Accounts 489 | 490 | ### dbus 491 | -a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 492 | -a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 493 | 494 | ## pkexec invocation 495 | ### may indicate privilege escalation CVE-2021-4034 496 | -w /usr/bin/pkexec -p x -k pkexec 497 | 498 | ## Suspicious shells 499 | -w /bin/ash -p x -k susp_shell 500 | -w /bin/csh -p x -k susp_shell 501 | -w /bin/fish -p x -k susp_shell 502 | -w /bin/tcsh -p x -k susp_shell 503 | -w /bin/tclsh -p x -k susp_shell 504 | -w /bin/xonsh -p x -k susp_shell 505 | -w 
/usr/local/bin/xonsh -p x -k susp_shell 506 | -w /bin/open -p x -k susp_shell 507 | -w /bin/rbash -p x -k susp_shell 508 | 509 | ### https://gtfobins.github.io/gtfobins/wish/ 510 | -w /bin/wish -p x -k susp_shell 511 | -w /usr/bin/wish -p x -k susp_shell 512 | 513 | ### https://gtfobins.github.io/gtfobins/yash/ 514 | -w /bin/yash -p x -k susp_shell 515 | -w /usr/bin/yash -p x -k susp_shell 516 | 517 | # Web Server Activity 518 | ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33 519 | -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www 520 | 521 | ### https://clustershell.readthedocs.io/ 522 | -w /bin/clush -p x -k susp_shell 523 | -w /usr/local/bin/clush -p x -k susp_shell 524 | -w /etc/clustershell/clush.conf -p x -k susp_shell 525 | 526 | ### https://github.com/tmux/tmux 527 | -w /bin/tmux -p x -k susp_shell 528 | -w /usr/local/bin/tmux -p x -k susp_shell 529 | 530 | ## Shell/profile configurations 531 | -w /etc/profile.d/ -p wa -k shell_profiles 532 | -w /etc/profile -p wa -k shell_profiles 533 | -w /etc/shells -p wa -k shell_profiles 534 | -w /etc/bashrc -p wa -k shell_profiles 535 | -w /etc/csh.cshrc -p wa -k shell_profiles 536 | -w /etc/csh.login -p wa -k shell_profiles 537 | -w /etc/fish/ -p wa -k shell_profiles 538 | -w /etc/zsh/ -p wa -k shell_profiles 539 | 540 | ### https://github.com/xxh/xxh 541 | -w /usr/local/bin/xxh.bash -p x -k susp_shell 542 | -w /usr/local/bin/xxh.xsh -p x -k susp_shell 543 | -w /usr/local/bin/xxh.zsh -p x -k susp_shell 544 | 545 | ## Injection 546 | ### These rules watch for code injection by the ptrace facility. 
547 | ### This could indicate someone trying to do something bad or just debugging 548 | -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection 549 | -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection 550 | -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection 551 | -a always,exit -F arch=b64 -S ptrace -k tracing 552 | 553 | ## Anonymous File Creation 554 | ### These rules watch the use of memfd_create 555 | ### "memfd_create" creates anonymous file and returns a file descriptor to access it 556 | ### When combined with "fexecve" can be used to stealthily run binaries in memory without touching disk 557 | -a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create 558 | 559 | ## Privilege Abuse 560 | ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. 561 | -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse 562 | 563 | # Socket Creations 564 | # will catch both IPv4 and IPv6 565 | 566 | -a always,exit -F arch=b32 -S socket -F a0=2 -k network_socket_created 567 | -a always,exit -F arch=b64 -S socket -F a0=2 -k network_socket_created 568 | 569 | -a always,exit -F arch=b32 -S socket -F a0=10 -k network_socket_created 570 | -a always,exit -F arch=b64 -S socket -F a0=10 -k network_socket_created 571 | 572 | # Software Management --------------------------------------------------------- 573 | 574 | # RPM (Redhat/CentOS) 575 | -w /usr/bin/rpm -p x -k software_mgmt 576 | -w /usr/bin/yum -p x -k software_mgmt 577 | 578 | # DNF (Fedora/RedHat 8/CentOS 8) 579 | -w /usr/bin/dnf -p x -k software_mgmt 580 | 581 | # YAST/Zypper/RPM (SuSE) 582 | -w /sbin/yast -p x -k software_mgmt 583 | -w /sbin/yast2 -p x -k software_mgmt 584 | -w /bin/rpm -p x -k software_mgmt 585 | -w /usr/bin/zypper -k software_mgmt 586 | 587 | # DPKG / APT-GET (Debian/Ubuntu) 588 | -w /usr/bin/dpkg -p x -k software_mgmt 589 | -w /usr/bin/apt -p x -k software_mgmt 
590 | -w /usr/bin/apt-add-repository -p x -k software_mgmt 591 | -w /usr/bin/apt-get -p x -k software_mgmt 592 | -w /usr/bin/aptitude -p x -k software_mgmt 593 | -w /usr/bin/wajig -p x -k software_mgmt 594 | -w /usr/bin/snap -p x -k software_mgmt 595 | 596 | # PIP(3) (Python installs) 597 | -w /usr/bin/pip -p x -k third_party_software_mgmt 598 | -w /usr/local/bin/pip -p x -k third_party_software_mgmt 599 | -w /usr/bin/pip3 -p x -k third_party_software_mgmt 600 | -w /usr/local/bin/pip3 -p x -k third_party_software_mgmt 601 | -w /usr/bin/pipx -p x -k third_party_software_mgmt 602 | -w /usr/local/bin/pipx -p x -k third_party_software_mgmt 603 | 604 | # npm 605 | ## T1072 third party software 606 | ## https://www.npmjs.com 607 | ## https://docs.npmjs.com/cli/v6/commands/npm-audit 608 | -w /usr/bin/npm -p x -k third_party_software_mgmt 609 | 610 | # Comprehensive Perl Archive Network (CPAN) (CPAN installs) 611 | ## T1072 third party software 612 | ## https://www.cpan.org 613 | -w /usr/bin/cpan -p x -k third_party_software_mgmt 614 | 615 | # Ruby (RubyGems installs) 616 | ## T1072 third party software 617 | ## https://rubygems.org 618 | -w /usr/bin/gem -p x -k third_party_software_mgmt 619 | 620 | # LuaRocks (Lua installs) 621 | ## T1072 third party software 622 | ## https://luarocks.org 623 | -w /usr/bin/luarocks -p x -k third_party_software_mgmt 624 | 625 | # Pacman (Arch Linux) 626 | ## https://wiki.archlinux.org/title/Pacman 627 | ## T1072 third party software 628 | -w /etc/pacman.conf -p x -k third_party_software_mgmt 629 | -w /etc/pacman.d -p x -k third_party_software_mgmt 630 | 631 | # Special Software ------------------------------------------------------------ 632 | 633 | ## GDS specific secrets 634 | -w /etc/puppet/ssl -p wa -k puppet_ssl 635 | 636 | ## IBM Bigfix BESClient 637 | -a always,exit -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient 638 | -w /var/opt/BESClient/ -p wa -k soft_besclient 639 | 640 | ## CHEF 
https://www.chef.io/chef/ 641 | -w /etc/chef -p wa -k soft_chef 642 | 643 | ## Salt 644 | ## https://saltproject.io/ 645 | ## https://docs.saltproject.io/en/latest/ref/configuration/master.html 646 | -w /etc/salt -p wa -k soft_salt 647 | -w /usr/local/etc/salt -p wa -k soft_salt 648 | 649 | ## Otter 650 | ## https://inedo.com/otter 651 | -w /etc/otter -p wa -k soft_otter 652 | 653 | ## T1081 Credentials In Files 654 | -w /usr/bin/grep -p x -k string_search 655 | -w /usr/bin/egrep -p x -k string_search 656 | -w /usr/bin/ugrep -p x -k string_search 657 | 658 | ### https://github.com/tmbinc/bgrep 659 | -w /usr/bin/bgrep -p x -k string_search 660 | 661 | ### https://github.com/BurntSushi/ripgrep 662 | -w /usr/bin/rg -p x -k string_search 663 | 664 | ### https://github.com/awgn/cgrep 665 | 666 | -w /usr/bin/cgrep -p x -k string_search 667 | 668 | ### https://github.com/jpr5/ngrep 669 | -w /usr/bin/ngrep -p x -k string_search 670 | 671 | ### https://github.com/vrothberg/vgrep 672 | -w /usr/bin/vgrep -p x -k string_search 673 | 674 | ### https://github.com/monochromegane/the_platinum_searcher 675 | -w /usr/bin/pt -p x -k string_search 676 | 677 | ### https://github.com/gvansickle/ucg 678 | -w /usr/bin/ucg -p x -k string_search 679 | 680 | ### https://github.com/ggreer/the_silver_searcher 681 | -w /usr/bin/ag -p x -k string_search 682 | 683 | ### https://github.com/beyondgrep/ack3 684 | ### https://beyondgrep.com 685 | -w /usr/bin/ack -p x -k string_search 686 | -w /usr/local/bin/ack -p x -k string_search 687 | -w /usr/bin/semgrep -p x -k string_search 688 | 689 | # CrowdStrike Falcon 690 | # Identify CrowdStrike Falcon Sensor updates 691 | -a always,exit -F arch=b32 -F path=/etc/crowdstrike/falcon-sensor.conf -p wa -F key=falcon_sensor_update 692 | -a always,exit -F arch=b64 -F path=/etc/crowdstrike/falcon-sensor.conf -p wa -F key=falcon_sensor_update 693 | 694 | -a always,exit -F arch=b32 -F path=/usr/lib/crowdstrike/falcon-sensor.conf -p wa -F key=falcon_sensor_update 
695 | -a always,exit -F arch=b64 -F path=/usr/lib/crowdstrike/falcon-sensor.conf -p wa -F key=falcon_sensor_update 696 | 697 | # Identify CrowdStrike Falcon Sensor 698 | -a always,exit -F arch=b32 -F dir=/etc/crowdstrike/ -p wa -F key=falcon_sensor 699 | -a always,exit -F arch=b64 -F dir=/etc/crowdstrike/ -p wa -F key=falcon_sensor 700 | 701 | -a always,exit -F arch=b32 -F dir=/usr/lib/crowdstrike/ -p wa -F key=falcon_sensor 702 | -a always,exit -F arch=b64 -F dir=/usr/lib/crowdstrike/ -p wa -F key=falcon_sensor 703 | 704 | -a always,exit -F arch=b32 -F dir=/opt/CrowdStrike/ -p wa -F key=falcon_sensor 705 | -a always,exit -F arch=b64 -F dir=/opt/CrowdStrike/ -p wa -F key=falcon_sensor 706 | 707 | -a always,exit -F arch=b32 -F dir=/var/log/crowdstrike/ -p wa -F key=falcon_sensor 708 | -a always,exit -F arch=b64 -F dir=/var/log/crowdstrike/ -p wa -F key=falcon_sensor 709 | 710 | # Identify CrowdStrike Falcon Agent activity 711 | -a always,exit -F arch=b32 -F path=/usr/bin/falcon-scout -p x -F key=falcon_agent 712 | -a always,exit -F arch=b64 -F path=/usr/bin/falcon-scout -p x -F key=falcon_agent 713 | 714 | -a always,exit -F arch=b32 -F path=/usr/bin/falcon-agent -p x -F key=falcon_agent 715 | -a always,exit -F arch=b64 -F path=/usr/bin/falcon-agent -p x -F key=falcon_agent 716 | 717 | # Identify CrowdStrike Falcon Sensor network 718 | -a always,exit -F arch=b32 -S connect -F dir=+ -F obj=/opt/CrowdStrike/falcon-sensor -F key=crowdstrike_network 719 | -a always,exit -F arch=b64 -S connect -F dir=+ -F obj=/opt/CrowdStrike/falcon-sensor -F key=crowdstrike_network 720 | 721 | ## Docker 722 | -w /usr/bin/dockerd -k docker 723 | -w /usr/bin/docker -k docker 724 | -w /usr/bin/docker-containerd -k docker 725 | -w /usr/bin/docker-runc -k docker 726 | -w /var/lib/docker -p wa -k docker 727 | -w /etc/docker -k docker 728 | -w /etc/sysconfig/docker -k docker 729 | -w /etc/sysconfig/docker-storage -k docker 730 | -w /usr/lib/systemd/system/docker.service -k docker 731 | -w 
/usr/lib/systemd/system/docker.socket -k docker 732 | 733 | ## Virtualization stuff 734 | -w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64 735 | -w /usr/bin/qemu-img -p x -k qemu-img 736 | -w /usr/bin/qemu-kvm -p x -k qemu-kvm 737 | -w /usr/bin/qemu -p x -k qemu 738 | -w /usr/bin/virtualbox -p x -k virtualbox 739 | -w /usr/bin/virt-manager -p x -k virt-manager 740 | -w /usr/bin/VBoxManage -p x -k VBoxManage 741 | 742 | ## Kubelet 743 | -w /usr/bin/kubelet -k kubelet 744 | 745 | # ipc system call 746 | # /usr/include/linux/ipc.h 747 | 748 | ## msgctl 749 | #-a always,exit -S ipc -F a0=14 -k Inter-Process_Communication 750 | ## msgget 751 | #-a always,exit -S ipc -F a0=13 -k Inter-Process_Communication 752 | ## Use these lines on x86_64, ia64 instead 753 | -a always,exit -F arch=b64 -S msgctl -k Inter-Process_Communication 754 | -a always,exit -F arch=b64 -S msgget -k Inter-Process_Communication 755 | 756 | ## semctl 757 | #-a always,exit -S ipc -F a0=3 -k Inter-Process_Communication 758 | ## semget 759 | #-a always,exit -S ipc -F a0=2 -k Inter-Process_Communication 760 | ## semop 761 | #-a always,exit -S ipc -F a0=1 -k Inter-Process_Communication 762 | ## semtimedop 763 | #-a always,exit -S ipc -F a0=4 -k Inter-Process_Communication 764 | ## Use these lines on x86_64, ia64 instead 765 | -a always,exit -F arch=b64 -S semctl -k Inter-Process_Communication 766 | -a always,exit -F arch=b64 -S semget -k Inter-Process_Communication 767 | -a always,exit -F arch=b64 -S semop -k Inter-Process_Communication 768 | -a always,exit -F arch=b64 -S semtimedop -k Inter-Process_Communication 769 | 770 | ## shmctl 771 | #-a always,exit -S ipc -F a0=24 -k Inter-Process_Communication 772 | ## shmget 773 | #-a always,exit -S ipc -F a0=23 -k Inter-Process_Communication 774 | ## Use these lines on x86_64, ia64 instead 775 | -a always,exit -F arch=b64 -S shmctl -k Inter-Process_Communication 776 | -a always,exit -F arch=b64 -S shmget -k Inter-Process_Communication 777 | 778 | # 
High Volume Events ---------------------------------------------------------- 779 | 780 | ## Disable these rules if they create too many events in your environment 781 | 782 | ## Common Shells 783 | -w /bin/bash -p x -k susp_shell 784 | -w /bin/dash -p x -k susp_shell 785 | -w /bin/busybox -p x -k susp_shell 786 | -w /bin/zsh -p x -k susp_shell 787 | -w /bin/sh -p x -k susp_shell 788 | -w /bin/ksh -p x -k susp_shell 789 | 790 | ## Root command executions 791 | -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd 792 | 793 | ## File Deletion Events by User 794 | -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete 795 | 796 | ## File Access 797 | ### Unauthorized Access (unsuccessful) 798 | -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access 799 | -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access 800 | 801 | ### Unsuccessful Creation 802 | -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation 803 | -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation 804 | 805 | ### Unsuccessful Modification 806 | -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification 807 | -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification 808 | 809 | ## 32bit ABI Exploitation 810 | ### https://github.com/linux-audit/audit-userspace/blob/c014eec64b3a16c004f4a75e5792a4ac2fcc0df2/rules/21-no32bit.rules 811 | ### If you are on a 64 bit platform, everything _should_ be running 812 | ### in 
64 bit mode. This rule will detect any use of the 32 bit syscalls 813 | ### because this might be a sign of someone exploiting a hole in the 32 814 | ### bit ABI. 815 | -a always,exit -F arch=b32 -S all -k 32bit_abi 816 | 817 | # Make The Configuration Immutable -------------------------------------------- 818 | 819 | ##-e 2 820 | --------------------------------------------------------------------------------
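Added example, not part of this repository or of auditd: a small Python linter for audit.rules lines of the kinds used above (`-w` watches, `-a` syscall and path rules, `-k`/`-F key=` keys), catching the slips that make `auditctl -R` stop loading, such as a key name that does not directly follow `-k`, a bad `-p` mask, or a rule with no key at all. The rules it runs on are constructed for the example; the `-k -F` line reproduces the setfiles mistake seen in the file.

```python
# Added checker for this page (not auditd's or the repository's own code); it
# understands the rule forms used in audit.rules, not every auditctl option.
import shlex

VALID_ACTIONS = {"always", "never"}
VALID_LISTS = {"task", "exit", "user", "exclude", "filesystem"}
FIELD_OPS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")   # -F / -C operators
WATCH_PERMS = set("rwxa")
KNOWN_OPTS = {"-a", "-w", "-p", "-S", "-k", "-F", "-C", "-e", "-f", "-b", "-r", "--backlog_wait_time"}

def lint_line(line: str) -> list[str]:
    """Return the problems found in one rule line; an empty list means OK."""
    text = line.strip()
    if not text or text.startswith("#"):    # auditctl skips blank and comment lines
        return []
    try:
        toks = shlex.split(text)
    except ValueError as exc:
        return [f"unbalanced quoting: {exc}"]
    problems, has_key, i = [], False, 0
    while i < len(toks):
        opt = toks[i]
        if not opt.startswith("-"):          # e.g. the key left behind after '-k -F'
            problems.append(f"stray token {opt!r} where an option was expected")
            i += 1
            continue
        if opt in ("-D", "-c", "-i"):        # control flags that take no value
            i += 1
            continue
        if i + 1 == len(toks):
            problems.append(f"option {opt} is missing its argument")
            break
        arg = toks[i + 1]
        if opt == "-a":
            parts = set(arg.split(","))
            if len(parts & VALID_ACTIONS) != 1 or len(parts & VALID_LISTS) != 1:
                problems.append(f"-a needs action,list such as always,exit: {arg}")
        elif opt == "-w" and not arg.startswith("/"):
            problems.append(f"watch path must be absolute: {arg}")
        elif opt == "-p" and not (arg and set(arg) <= WATCH_PERMS):
            problems.append(f"-p accepts only r, w, x, a: {arg}")
        elif opt == "-k" and arg.startswith("-"):
            problems.append(f"-k is followed by {arg!r} instead of a key name")
        elif opt == "-k" or (opt in ("-F", "-C") and arg.startswith("key=")):
            has_key = True
        elif opt in ("-F", "-C") and not any(op in arg for op in FIELD_OPS):
            problems.append(f"{opt} needs name<op>value: {arg}")
        elif opt not in KNOWN_OPTS:
            problems.append(f"unknown option {opt}")
        i += 2
    if toks[0] in ("-a", "-w") and not has_key:
        problems.append("rule has no -k / -F key=, so ausearch -k cannot find its events")
    return problems

def lint_rules(text: str) -> list[tuple[int, str]]:
    """Lint a whole rules file; returns (line number, problem) pairs."""
    return [(n, p) for n, line in enumerate(text.splitlines(), 1) for p in lint_line(line)]

# Constructed sample: line 2 carries the '-k -F' slip, line 5 a made-up bad -p mask.
SAMPLE_RULES = """\
## setfiles
-a always,exit -F path=/usr/bin/setfiles -F perm=x -F auid>=500 -F auid!=4294967295 -k -F T1078_Valid_Accounts
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
-w /etc/shells -p wq -k shell_profiles
"""

if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
```

Running it over the real file (`lint_rules(open("/etc/audit/rules.d/audit.rules").read())`) before `augenrules --load` gives the CI job a line-numbered reason when loading fails.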