Some updates
- auditd: migrate rules using deprecated syntax (`-w`, `-p` and `-k`). Also clean them up. - nftables: remove the usage of nexthdr for matching ipv6 packets. Also allow DHCP client traffic, IGMP and multicast DNS.
This commit is contained in:
parent
4040b1dcf4
commit
51a5a5a5b7
2
TODO.md
2
TODO.md
|
@ -20,7 +20,7 @@ Stuff that are planned to be added/changed.
|
|||
|
||||
## Cosmetic
|
||||
|
||||
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook (need <https://github.com/digitalocean/go-libvirt/issues/171> implemented first)
|
||||
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook
|
||||
|
||||
## Just in case I forget
|
||||
|
||||
|
|
|
@ -53,6 +53,7 @@ crond_provider:
|
|||
|
||||
syslog_provider:
|
||||
- busybox
|
||||
- logbookd
|
||||
- rsyslog
|
||||
- sysklogd
|
||||
|
||||
|
|
|
@ -23,24 +23,24 @@
|
|||
|
||||
## Audit the audit logs
|
||||
### Successful and unsuccessful attempts to read information from the audit records
|
||||
-w /var/log/audit/ -p wra -k auditlog
|
||||
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=wra -F key=auditlog
|
||||
|
||||
## Auditd configuration
|
||||
### Modifications to audit configuration that occur while the audit collection functions are operating
|
||||
-w /etc/audit/ -p wa -k auditconfig
|
||||
-w /etc/libaudit.conf -p wa -k auditconfig
|
||||
-a always,exit -F arch=b64 -F dir=/etc/audit/ -F perm=wa -F key=auditconfig
|
||||
-a always,exit -F arch=b64 -F path=/etc/libaudit.conf -F perm=wa -F key=auditconfig
|
||||
|
||||
## Monitor for use of audit management tools
|
||||
-w /usr/sbin/auditctl -p x -k audittools
|
||||
-w /usr/sbin/auditd -p x -k audittools
|
||||
-w /usr/sbin/augenrules -p x -k audittools
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/auditctl -F perm=x -F key=audittools
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/auditd -F perm=x -F key=audittools
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
|
||||
|
||||
## Access to all audit trails
|
||||
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -k auditlog_local_access
|
||||
-a always,exit -F path=/usr/sbin/aureport -F perm=x -k auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/aulast -F perm=x -k auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -k auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/auvirt -F perm=x -k auditlog_local_access
|
||||
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
|
||||
|
||||
# Filters ---------------------------------------------------------------------
|
||||
|
||||
|
@ -59,80 +59,78 @@
|
|||
{% endif %}
|
||||
|
||||
## High Volume Event Filter (especially on Linux Workstations)
|
||||
-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
|
||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
|
||||
-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
|
||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
|
||||
|
||||
# Rules -----------------------------------------------------------------------
|
||||
|
||||
## Kernel parameters
|
||||
-w /etc/sysctl.conf -p wa -k sysctl
|
||||
-w /etc/sysctl.d -p wa -k sysctl
|
||||
-a always,exit -F arch=b64 -F path=/etc/sysctl.conf -F perm=wa -F key=sysctl
|
||||
-a always,exit -F arch=b64 -F dir=/etc/sysctl.d/ -F perm=wa -F key=sysctl
|
||||
|
||||
# Kernel module loading and unloading
|
||||
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
|
||||
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
|
||||
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
|
||||
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
|
||||
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/insmod -F key=modules
|
||||
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/modprobe -F key=modules
|
||||
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/rmmod -F key=modules
|
||||
-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -F key=modules
|
||||
|
||||
## Modprobe configuration
|
||||
-w /etc/modprobe.conf -p wa -k modprobe
|
||||
-w /etc/modprobe.d -p wa -k modprobe
|
||||
-a always,exit -F arch=b64 -F path=/etc/modprobe.conf -F perm=wa -F key=modprobe
|
||||
-a always,exit -F arch=b64 -F dir=/etc/modprobe.d/ -F perm=wa -F key=modprobe
|
||||
|
||||
## KExec usage (all actions)
|
||||
-a always,exit -F arch=b64 -S kexec_load -k KEXEC
|
||||
-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC
|
||||
|
||||
## Special files
|
||||
-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
|
||||
-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
|
||||
|
||||
## Mount operations (only attributable)
|
||||
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
|
||||
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -F key=mount
|
||||
|
||||
## Change swap (only attributable)
|
||||
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
|
||||
-a always,exit -F arch=b64 -S swapon,swapoff -F auid!=-1 -F key=swap
|
||||
|
||||
## Time
|
||||
-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
|
||||
-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex,settimeofday,clock_settime -F key=time
|
||||
### Local time zone
|
||||
-w /etc/localtime -p wa -k localtime
|
||||
-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
|
||||
|
||||
## Cron configuration & scheduled jobs
|
||||
-w /etc/fcron.allow -p wa -k cron
|
||||
-w /etc/fcron.deny -p wa -k cron
|
||||
-w /etc/cron.allow -p wa -k cron
|
||||
-w /etc/cron.deny -p wa -k cron
|
||||
-w /etc/crontabs -p wa -k cron
|
||||
-w /etc/cron.d -p wa -k cron
|
||||
-w /var/spool/cron/ -p wa -k cron
|
||||
-w /etc/periodic/15min/ -p wa -k cron
|
||||
-w /etc/periodic/hourly/ -p wa -k cron
|
||||
-w /etc/periodic/daily/ -p wa -k cron
|
||||
-w /etc/periodic/weekly/ -p wa -k cron
|
||||
-w /etc/periodic/monthly/ -p wa -k cron
|
||||
-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
|
||||
|
||||
## User, group, password databases
|
||||
-w /etc/group -p wa -k etcgroup
|
||||
-w /etc/passwd -p wa -k etcpasswd
|
||||
-w /etc/shadow -k etcpasswd
|
||||
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
|
||||
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F key=etcpasswd
|
||||
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=etcpasswd
|
||||
|
||||
# doas.conf file changes
|
||||
-w /etc/doas.conf -p wa -k actions
|
||||
-w /etc/doas.d/ -p wa -k actions
|
||||
# Changes to the privilege escalation programs' configurations
|
||||
-a always,exit -F arch=b64 -F path=/etc/doas.conf -F perm=wa -F key=actions
|
||||
-a always,exit -F arch=b64 -F path=/etc/please.ini -F perm=wa -F key=actions
|
||||
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=actions
|
||||
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions
|
||||
|
||||
## Passwd
|
||||
-w /usr/bin/passwd -p x -k passwd_modification
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F key=passwd_modification
|
||||
|
||||
## Tools to change group identifiers
|
||||
-w /usr/sbin/addgroup -p x -k group_modification
|
||||
-w /usr/sbin/adduser -p x -k user_modification
|
||||
-w /usr/sbin/delgroup -p x -k user_modification
|
||||
-w /usr/sbin/deluser -p x -k user_modification
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/addgroup -F perm=x -F key=group_modification
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/adduser -F perm=x -F key=user_modification
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/delgroup -F perm=x -F key=user_modification
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/deluser -F perm=x -F key=user_modification
|
||||
|
||||
## Login configuration and information
|
||||
-w /etc/securetty -p wa -k login
|
||||
-a always,exit -F arch=b64 -F path=/etc/securetty -F perm=wa -F key=login
|
||||
|
||||
## Network Environment
|
||||
### Changes to hostname
|
||||
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
|
||||
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network_modifications
|
||||
|
||||
### Successful IPv4 Connections
|
||||
-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
|
||||
|
@ -141,68 +139,70 @@
|
|||
-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
|
||||
|
||||
### Changes to other files
|
||||
-w /etc/hosts -p wa -k network_modifications
|
||||
-w /etc/netconfig -p wa -k network_modifications
|
||||
-w /etc/network/ -p wa -k network
|
||||
-a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=network_modifications
|
||||
-a always,exit -F arch=b64 -F path=/etc/netconfig -F perm=wa -F key=network_modifications
|
||||
-a always,exit -F arch=b64 -F dir=/etc/network/ -F perm=wa -F key=network
|
||||
|
||||
### Changes to issue
|
||||
-w /etc/issue -p wa -k etcissue
|
||||
-a always,exit -F arch=b64 -F path=/etc/issue -F perm=wa -F key=etcissue
|
||||
|
||||
## System startup scripts and service configurations
|
||||
-w /etc/inittab -p wa -k init
|
||||
-w /etc/init.d/ -p wa -k init
|
||||
-w /etc/conf.d/ -p wa -k init
|
||||
-a always,exit -F arch=b64 -F path=/etc/inittab -F perm=wa -F key=init
|
||||
-a always,exit -F arch=b64 -F dir=/etc/init.d/ -F perm=wa -F key=init
|
||||
-a always,exit -F arch=b64 -F dir=/etc/conf.d/ -F perm=wa -F key=init
|
||||
|
||||
## Pam configuration
|
||||
-w /etc/pam.d/ -p wa -k pam
|
||||
-w /etc/security/limits.conf -p wa -k pam
|
||||
-w /etc/security/limits.d -p wa -k pam
|
||||
-w /etc/security/pam_env.conf -p wa -k pam
|
||||
-w /etc/security/namespace.conf -p wa -k pam
|
||||
-w /etc/security/namespace.d -p wa -k pam
|
||||
-w /etc/security/namespace.init -p wa -k pam
|
||||
-a always,exit -F arch=b64 -F dir=/etc/pam.d/ -F perm=wa -F key=pam
|
||||
-a always,exit -F arch=b64 -F path=/etc/security/limits.conf -F perm=wa -F key=pam
|
||||
-a always,exit -F arch=b64 -F path=/etc/security/limits.d -F perm=wa -F key=pam
|
||||
-a always,exit -F arch=b64 -F path=/etc/security/pam_env.conf -F perm=wa -F key=pam
|
||||
-a always,exit -F arch=b64 -F path=/etc/security/namespace.conf -F perm=wa -F key=pam
|
||||
-a always,exit -F arch=b64 -F path=/etc/security/namespace.d -F perm=wa -F key=pam
|
||||
-a always,exit -F arch=b64 -F path=/etc/security/namespace.init -F perm=wa -F key=pam
|
||||
|
||||
## Critical elements access failures
|
||||
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/etc/ -F success=0 -F key=unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/bin/ -F success=0 -F key=unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/sbin/ -F success=0 -F key=unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/usr/bin/ -F success=0 -F key=unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin/ -F success=0 -F key=unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/var/ -F success=0 -F key=unauthedfileaccess
|
||||
-a always,exit -F arch=b64 -S open -F dir=/home/ -F success=0 -F key=unauthedfileaccess
|
||||
|
||||
## Process ID change (switching accounts) applications
|
||||
-w /bin/su -p x -k priv_esc
|
||||
-w /usr/bin/doas -p x -k priv_esc
|
||||
-w /etc/doas.conf -p rw -k priv_esc
|
||||
-w /etc/doas.d/ -p rw -k priv_esc
|
||||
-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F key=priv_esc
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/doas -F perm=x -F key=priv_esc
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/please -F perm=x -F key=priv_esc
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/pleaseedit -F perm=x -F key=priv_esc
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F key=priv_esc
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F key=priv_esc
|
||||
|
||||
## Power state
|
||||
-w /sbin/poweroff -p x -k power
|
||||
-w /sbin/reboot -p x -k power
|
||||
-w /sbin/halt -p x -k power
|
||||
-a always,exit -F arch=b64 -F path=/sbin/poweroff -F perm=x -F key=power
|
||||
-a always,exit -F arch=b64 -F path=/sbin/reboot -F perm=x -F key=power
|
||||
-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
|
||||
|
||||
## Session initiation information
|
||||
-w /var/log/swtmp -p wa -k session
|
||||
-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
|
||||
|
||||
# Special Rules ---------------------------------------------------------------
|
||||
|
||||
## dbus-send invocation
|
||||
### may indicate privilege escalation CVE-2021-3560
|
||||
-w /usr/bin/dbus-send -p x -k dbus_send
|
||||
-w /usr/bin/gdbus -p x -k gdubs_call
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/dbus-send -F perm=x -F key=dbus_send
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/gdbus -F perm=x -F key=gdubs_call
|
||||
|
||||
## pkexec invocation
|
||||
### may indicate privilege escalation CVE-2021-4034
|
||||
-w /usr/bin/pkexec -p x -k pkexec
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=pkexec
|
||||
|
||||
## Injection
|
||||
### These rules watch for code injection by the ptrace facility.
|
||||
### This could indicate someone trying to do something bad or just debugging
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -k tracing
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F key=tracing
|
||||
|
||||
## Anonymous File Creation
|
||||
### These rules watch the use of memfd_create
|
||||
|
@ -212,24 +212,17 @@
|
|||
|
||||
## Privilege Abuse
|
||||
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
|
||||
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -k power_abuse
|
||||
-a always,exit -F dir=/home/ -F auid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse
|
||||
|
||||
# Socket Creations
|
||||
# will catch both IPv4 and IPv6
|
||||
-a always,exit -F arch=b64 -S socket -F a0=2 -k exfiltration_over_other_network_medium
|
||||
-a always,exit -F arch=b64 -S socket -F a0=10 -k exfiltration_over_other_network_medium
|
||||
-a always,exit -F arch=b64 -S socket -F a0=2 -F key=exfiltration_over_other_network_medium
|
||||
-a always,exit -F arch=b64 -S socket -F a0=10 -F key=exfiltration_over_other_network_medium
|
||||
|
||||
# Software Management ---------------------------------------------------------
|
||||
-w /usr/bin/flatpak -p x -k software_mgmt
|
||||
-w /sbin/apk -p x -k software_mgmt
|
||||
-w /etc/apk/ -p wa -k software_mgmt
|
||||
|
||||
# Special Software ------------------------------------------------------------
|
||||
|
||||
## Virtualization stuff
|
||||
-w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
|
||||
-w /usr/bin/qemu-img -p x -k qemu-img
|
||||
-w /usr/bin/virt-manager -p x -k virt-manager
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/flatpak -F perm=x -F key=software_mgmt
|
||||
-a always,exit -F arch=b64 -F path=/sbin/apk -F perm=x -F key=software_mgmt
|
||||
-a always,exit -F arch=b64 -F dir=/etc/apk/ -F perm=wa -F key=software_mgmt
|
||||
|
||||
# High Volume Events ----------------------------------------------------------
|
||||
|
||||
|
@ -237,23 +230,23 @@
|
|||
|
||||
## File Access
|
||||
### Unauthorized Access (unsuccessful)
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
|
||||
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=file_access
|
||||
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=file_access
|
||||
|
||||
### Unsuccessful Creation
|
||||
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
|
||||
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
|
||||
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=file_creation
|
||||
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=file_creation
|
||||
|
||||
### Unsuccessful Modification
|
||||
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
|
||||
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
|
||||
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -F key=file_modification
|
||||
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -F key=file_modification
|
||||
|
||||
## 32bit API Exploitation
|
||||
### If you are on a 64 bit platform, everything _should_ be running
|
||||
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
|
||||
### because this might be a sign of someone exploiting a hole in the 32
|
||||
### bit API.
|
||||
-a always,exit -F arch=b32 -S all -k 32bit_api
|
||||
-a always,exit -F arch=b32 -S all -F key=32bit_api
|
||||
|
||||
# Make The Configuration Immutable --------------------------------------------
|
||||
|
||||
|
|
|
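Review bot: The rewritten power_abuse rule in the Privilege Abuse hunk, `-a always,exit -F dir=/home/ -F auid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse`, can never fire, because `auid=0` and `auid>=1000` are mutually exclusive; the pre-commit line filtered on the effective uid (`uid=0`) so that a root process driven by a logged-in user touching /home is what gets caught. Restore it as `-a always,exit -F arch=b64 -F dir=/home/ -F uid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse` (arch added only to match every sibling rule). Separately, in the PAM hunk `-F path=/etc/security/limits.d` and `-F path=/etc/security/namespace.d` are single-inode watches, whereas the old `-w` on a directory is turned into a directory watch by auditctl; as far as I can tell writes to existing files inside those directories would no longer be audited, so use `-F dir=/etc/security/limits.d/` and `-F dir=/etc/security/namespace.d/` as the same hunk already does for /etc/pam.d/. Please confirm both readings against auditctl(8) before merging.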
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: libvirt | Install libvirt and qemu
|
||||
community.general.apk:
|
||||
name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
|
||||
name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-system-arm, qemu-system-aarch64, qemu-modules
|
||||
state: present
|
||||
|
||||
# This is for PulseAudio
|
||||
|
|
|
@ -76,7 +76,12 @@ table inet filter {
|
|||
iif != lo ip6 daddr ::1/128 drop \
|
||||
comment "Block spoofing as localhost (IPv6)"
|
||||
|
||||
# Allow stuff first before the dynamic blacklisting
|
||||
udp dport mdns ip daddr 224.0.0.251 accept \
|
||||
comment "Accept mDNS"
|
||||
udp dport mdns ip6 daddr ff02::fb accept \
|
||||
comment "Accept mDNS"
|
||||
|
||||
jump input_dhcp_client
|
||||
jump input_icmp
|
||||
|
||||
# Blacklisting should be done before stateful accept rules
|
||||
|
@ -120,8 +125,17 @@ table inet filter {
|
|||
type filter hook output priority 0; policy accept;
|
||||
}
|
||||
|
||||
chain input_dhcp_client {
|
||||
udp sport 67 udp dport 68 accept \
|
||||
comment "Accept DHCP client input traffic"
|
||||
|
||||
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
|
||||
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
|
||||
}
|
||||
|
||||
chain input_icmp {
|
||||
# ICMPv4
|
||||
ip protocol igmp accept \
|
||||
comment "Accept IGMP"
|
||||
|
||||
ip protocol icmp icmp type {
|
||||
echo-reply, # type 0
|
||||
|
@ -132,9 +146,7 @@ table inet filter {
|
|||
} limit rate 10/second burst 4 packets accept \
|
||||
comment "Accept ICMP"
|
||||
|
||||
# ICMPv6
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type {
|
||||
icmpv6 type {
|
||||
destination-unreachable, # type 1
|
||||
packet-too-big, # type 2
|
||||
time-exceeded, # type 3
|
||||
|
@ -144,7 +156,7 @@ table inet filter {
|
|||
} limit rate 10/second burst 4 packets accept \
|
||||
comment "Accept basic IPv6 functionality"
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type {
|
||||
icmpv6 type {
|
||||
nd-router-solicit, # type 133
|
||||
nd-router-advert, # type 134
|
||||
nd-neighbor-solicit, # type 135
|
||||
|
@ -152,15 +164,15 @@ table inet filter {
|
|||
} ip6 hoplimit 255 accept \
|
||||
comment "Allow IPv6 SLAAC"
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type {
|
||||
icmpv6 type {
|
||||
mld-listener-query, # type 130
|
||||
mld-listener-report, # type 131
|
||||
mld-listener-reduction, # type 132
|
||||
mld2-listener-report, # type 143
|
||||
} ip6 saddr fe80::/10 accept \
|
||||
comment "Allow IPv6 multicast listener discovery on link-local"
|
||||
|
||||
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
|
||||
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
|
||||
}
|
||||
}
|
||||
|
||||
# The state of stateful objects saved on the nftables service stop.
|
||||
include "/var/lib/nftables/*.nft"
|
||||
|
|
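Review bot: The new `ip protocol igmp accept` in input_icmp is unscoped, while the neighbouring ND rules are pinned with `ip6 hoplimit 255`; IGMP is link-local and is sent with TTL 1, so `ip protocol igmp ip ttl 1 accept` would drop forwarded or remote IGMP at no cost to local group management — verify against the routers in use before tightening. The DHCPv4 rule `udp sport 67 udp dport 68 accept` sits in an `inet` table with no address-family qualifier, so it also matches IPv6 UDP 67→68, which is not a DHCPv6 port pair; `meta nfproto ipv4 udp sport 67 udp dport 68 accept` keeps it to what its comment says it accepts. Both new chains are jumped to before the dynamic blacklist, which the comment at the call site presents as intended, so blacklisted peers can still reach the mDNS, DHCP-client and IGMP paths; a one-line comment saying why that is acceptable would help the next reader.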