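# /etc/audit/audit.rules
# Adapted from https://github.com/Neo23x0/auditd/blob/master/audit.rules
# Ref:
# - auditctl(8)
# - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-defining_audit_rules_and_controls
#
# This file is a Jinja template. The variable `ntp_client` selects which time
# daemon's service account is exempted from the adjtimex filter below; every
# other line is emitted verbatim.
#
# Ordering matters: audit evaluates rules first-match-wins, so the exclusions
# in the "Filters" section must stay ahead of the "Rules" sections.

# Remove any existing rules
-D

# Buffer Size
## Feel free to increase this if the machine panics
-b 8192

# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1

# Ignore errors
## e.g. caused by users or files not found in the local environment
## NOTE: with -i a rule that names a missing user or path is dropped
## silently. After loading, compare `auditctl -l` against this file to catch
## rules that did not make it into the kernel.
-i

# Self Auditing ---------------------------------------------------------------

## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=wra -F key=auditlog

## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-a always,exit -F arch=b64 -F dir=/etc/audit/ -F perm=wa -F key=auditconfig
-a always,exit -F arch=b64 -F path=/etc/libaudit.conf -F perm=wa -F key=auditconfig

## Monitor for use of audit management tools
-a always,exit -F arch=b64 -F path=/usr/sbin/auditctl -F perm=x -F key=audittools
-a always,exit -F arch=b64 -F path=/usr/sbin/auditd -F perm=x -F key=audittools
-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools

## Access to all audit trails
### NOTE(review): these watches carry no `-F arch=b64`, unlike the audittools
### rules above; confirm the difference is intentional rather than an oversight.
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access

# Filters ---------------------------------------------------------------------

### We put these early because audit is a first match wins system.

## Ignore current working directory records
-a always,exclude -F msgtype=CWD

## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER

## This prevents the time daemon from overwhelming the logs
### The exemption is keyed on the daemon's service account, so only the account
### of the client actually installed is exempted. Emitting a rule for a user
### that does not exist on the host would fail to load (and -i would hide it),
### while an exemption for an unused account is a gap with no benefit.
{% if ntp_client == 'chrony' %}
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
{% else %}
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
{% endif %}

## High Volume Event Filter (especially on Linux Workstations)
-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm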
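# Rules -----------------------------------------------------------------------

## Kernel parameters
-a always,exit -F arch=b64 -F path=/etc/sysctl.conf -F perm=wa -F key=sysctl
-a always,exit -F arch=b64 -F dir=/etc/sysctl.d/ -F perm=wa -F key=sysctl

# Kernel module loading and unloading
## auid!=-1 limits these to attributable sessions (a login uid is set);
## daemons and early boot, which have no login uid, are not recorded here.
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/insmod -F key=modules
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/modprobe -F key=modules
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/rmmod -F key=modules
-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -F key=modules

## Modprobe configuration
-a always,exit -F arch=b64 -F path=/etc/modprobe.conf -F perm=wa -F key=modprobe
-a always,exit -F arch=b64 -F dir=/etc/modprobe.d/ -F perm=wa -F key=modprobe

## KExec usage (all actions)
### kexec_file_load is the file-descriptor variant of kexec_load; it is kept on
### its own line so that an audit userspace whose syscall table predates it
### still loads the kexec_load rule (a multi-syscall line fails as a whole).
-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC
-a always,exit -F arch=b64 -S kexec_file_load -F key=KEXEC

## Special files
-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles

## Mount operations (only attributable)
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -F key=mount

## Change swap (only attributable)
-a always,exit -F arch=b64 -S swapon,swapoff -F auid!=-1 -F key=swap

## Time
### The time daemon's service account is exempted by name. auditctl resolves
### the name when the rules are loaded, so it must be the account that exists
### on this host: under -i a rule naming a missing user is dropped silently,
### which would leave settimeofday/clock_settime entirely unaudited. The
### branch therefore follows the same `ntp_client` selection as the Filters.
{% if ntp_client == 'chrony' %}
-a always,exit -F arch=b64 -F uid!=chrony -S adjtimex,settimeofday,clock_settime -F key=time
{% else %}
-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex,settimeofday,clock_settime -F key=time
{% endif %}
### Local time zone
-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime

## Cron configuration & scheduled jobs
-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron

## User, group, password databases
### /etc/gshadow holds group passwords and administrators and is edited by the
### same tools as /etc/group, so it is watched under the same key.
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F key=etcgroup
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F key=etcpasswd
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=etcpasswd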
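# Changes to the privilege escalation programs' configurations
-a always,exit -F arch=b64 -F path=/etc/doas.conf -F perm=wa -F key=actions
-a always,exit -F arch=b64 -F path=/etc/please.ini -F perm=wa -F key=actions
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=actions
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions

## Passwd
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F key=passwd_modification

## Tools to add and remove users and groups
### Group tools are keyed group_modification, user tools user_modification.
### delgroup was previously keyed user_modification; searches on the old key
### for that binary need updating.
-a always,exit -F arch=b64 -F path=/usr/sbin/addgroup -F perm=x -F key=group_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/delgroup -F perm=x -F key=group_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/adduser -F perm=x -F key=user_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/deluser -F perm=x -F key=user_modification

## Login configuration and information
-a always,exit -F arch=b64 -F path=/etc/securetty -F perm=wa -F key=login

## Network Environment
### Changes to hostname
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network_modifications

### Successful IPv4 Connections
### a2 is the sockaddr length passed to connect(): 16 bytes is sockaddr_in.
-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4

### Successful IPv6 Connections
### 28 bytes is sockaddr_in6.
-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6

### Changes to other files
-a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=network_modifications
-a always,exit -F arch=b64 -F path=/etc/netconfig -F perm=wa -F key=network_modifications
-a always,exit -F arch=b64 -F dir=/etc/network/ -F perm=wa -F key=network

### Changes to issue
-a always,exit -F arch=b64 -F path=/etc/issue -F perm=wa -F key=etcissue

## System startup scripts and service configurations
-a always,exit -F arch=b64 -F path=/etc/inittab -F perm=wa -F key=init
-a always,exit -F arch=b64 -F dir=/etc/init.d/ -F perm=wa -F key=init
-a always,exit -F arch=b64 -F dir=/etc/conf.d/ -F perm=wa -F key=init

## Pam configuration
### limits.d and namespace.d are directories: watched with dir= (as the other
### *.d directories in this file are) so that drop-in files inside them are
### covered, not just the directory entry itself.
-a always,exit -F arch=b64 -F dir=/etc/pam.d/ -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/limits.conf -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F dir=/etc/security/limits.d/ -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/pam_env.conf -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/namespace.conf -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F dir=/etc/security/namespace.d/ -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/namespace.init -F perm=wa -F key=pam

## Critical elements access failures
### Current glibc implements open() on top of the openat syscall, so a rule
### on `open` alone records very little; openat is included on each line.
-a always,exit -F arch=b64 -S open,openat -F dir=/etc/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open,openat -F dir=/bin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open,openat -F dir=/sbin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open,openat -F dir=/usr/bin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open,openat -F dir=/usr/sbin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open,openat -F dir=/var/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open,openat -F dir=/home/ -F success=0 -F key=unauthedfileaccess

## Process ID change (switching accounts) applications
-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/doas -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/please -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/pleaseedit -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F key=priv_esc

## Power state
-a always,exit -F arch=b64 -F path=/sbin/poweroff -F perm=x -F key=power
-a always,exit -F arch=b64 -F path=/sbin/reboot -F perm=x -F key=power
-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power

## Session initiation information
### NOTE(review): confirm /var/log/swtmp/ exists on the target image; if the
### path is absent the rule is dropped by -i without any visible error.
-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session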
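# Special Rules ---------------------------------------------------------------

## dbus-send invocation
### may indicate privilege escalation CVE-2021-3560
### The gdbus key was previously spelled `gdubs_call`; searches on the old
### spelling need updating.
-a always,exit -F arch=b64 -F path=/usr/bin/dbus-send -F perm=x -F key=dbus_send
-a always,exit -F arch=b64 -F path=/usr/bin/gdbus -F perm=x -F key=gdbus_call

## pkexec invocation
### may indicate privilege escalation CVE-2021-4034
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=pkexec

## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
### a0 is the ptrace request: 0x4 PTRACE_POKETEXT, 0x5 PTRACE_POKEDATA,
### 0x6 PTRACE_POKEUSER. The last rule catches every other ptrace use.
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register_injection
-a always,exit -F arch=b64 -S ptrace -F key=tracing

## Anonymous File Creation
### These rules watch the use of memfd_create
### "memfd_create" creates an anonymous file and returns a file descriptor to access it
### When combined with "fexecve" it can be used to stealthily run binaries in memory without touching disk
-a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create

## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in users' home dirs.
### The intended match is: effective uid is root (uid=0) while the login uid is
### an ordinary, attributable user (auid>=1000 and set), and the file touched is
### not owned by that user (-C auid!=obj_uid). The earlier form filtered on
### auid=0 together with auid>=1000, which can never both hold, so the rule
### never fired.
-a always,exit -F dir=/home/ -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -F key=power_abuse

# Socket Creations
# will catch both IPv4 and IPv6
# a0 is the address family: 2 is AF_INET, 10 is AF_INET6
-a always,exit -F arch=b64 -S socket -F a0=2 -F key=exfiltration_over_other_network_medium
-a always,exit -F arch=b64 -S socket -F a0=10 -F key=exfiltration_over_other_network_medium

# Software Management ---------------------------------------------------------
-a always,exit -F arch=b64 -F path=/usr/bin/flatpak -F perm=x -F key=software_mgmt
-a always,exit -F arch=b64 -F path=/sbin/apk -F perm=x -F key=software_mgmt
-a always,exit -F arch=b64 -F dir=/etc/apk/ -F perm=wa -F key=software_mgmt

# High Volume Events ----------------------------------------------------------

## Disable these rules if they create too many events in your environment

## File Access
### Unauthorized Access (unsuccessful)
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=file_access

### Unsuccessful Creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=file_creation

### Unsuccessful Modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -F key=file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -F key=file_modification

## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
-a always,exit -F arch=b32 -S all -F key=32bit_api

# Make The Configuration Immutable --------------------------------------------

## Left disabled: with -e 2 the rule set cannot be changed until reboot, which
## protects the rules from tampering by a compromised root but also means every
## rule edit needs a reboot. Enable once the rule set is stable.
##-e 2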