    ###################
    # Debian defaults #
    ###################
    
    ### CONTROL RULES
    
    # First rule - delete all.
    # This flushes every rule currently in the kernel. From here until the last
    # line of this file has loaded, the host is only partially audited - so a
    # load error further down (auditctl -R / augenrules stop at the first bad
    # line unless run with -c) leaves the host with a truncated ruleset.
    -D
    
    # Increase the buffers to survive stress events. Make this bigger for busy
    # systems. Check the "lost" counter in `auditctl -s` to see whether it is
    # large enough.
    -b8192
    
    # This determines how long to wait in burst of events. 0 means the kernel
    # never stalls the producing process: when the backlog is full, events are
    # dropped (and counted as lost) rather than delayed.
    --backlog_wait_time 0
    
    # Set failure mode to syslog (0 = silent, 1 = printk, 2 = panic).
    # Note: no -e line is set. `-e 2` at the end of the file would make the
    # ruleset immutable until reboot, which stops a compromised root from
    # quietly removing watches; it also means every rule change needs a reboot.
    -f1
    
    ##################
    # SLUB specifics #
    ##################
    
    # based on:
    # - https://github.com/bfuzzy/auditd-attack.git
    # - https://github.com/chef-cookbooks/auditd.git
    # format Filesystem rules ("watches"):
    #         -w <path-to-file> -p <permissions> -k <keyname>
    # Watches can also be written in the syscall form (-a always,exit ... -F
    # path= / -F dir=), which allows extra filters (auid, perm, ...). Prefer a
    # plain watch where it suffices: a syscall rule is checked against every
    # syscall it names, system-wide, so each one adds measurable overhead.
    
    # watch write access & attribute changes for /etc/passwd and shadow
    # Note: both files are watched again in the recon section further down.
    # Audit is first-match-wins per event, so for a write only this rule's key
    # ("password") is attached; the later watches add only the read/exec
    # auditing that this one does not request.
    -w /etc/passwd -p wa -k password
    -w /etc/shadow -p wa -k password
    
    # watch write access & attribute changes for apt repositories
    # (covers sources.list, sources.list.d/, trusted.gpg.d/ and apt.conf.d/)
    -w /etc/apt -p wa -k repos
    
    ### Self Auditing --------------------------------------------------------
    ## Audit the audit logs
    # (un-)successful attempts to read information from
    # the audit records
    -w /var/log/audit -p rwxa -k auditlog
    
    ## Auditd configuration
    # Modifications to audit configuration that occur while the audit
    # collection functions are operating
    # audit 3.x no longer ships /etc/libaudit.conf and /etc/audisp (plugins moved
    # to /etc/audit/plugins.d, which the /etc/audit watch covers); watches on
    # absent paths still load, so these are harmless on either version.
    -w /etc/audit         -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp        -p wa -k audispconfig
    
    # Monitor for use of audit management tools
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd   -p x -k audittools
    
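    ### Filters --------------------------------------------------------------
    ## We put these early because audit is a first match wins system: once a
    ## rule here matches an event, nothing below can re-enable it.
    ## Every line here must also be valid: auditctl -R (and augenrules --load)
    ## stop at the first bad line unless run with -c, and a stop inside this
    ## section would leave the host with none of the detection rules below.
    # Ignore current working directory records
    -a always,exclude -F msgtype=CWD
    
    # Ignore EOE records (End Of Event, not needed)
    -a always,exclude -F msgtype=EOE
    
    # This is not very interesting and wastes a lot of space if the server is
    # public facing
    -a always,exclude -F msgtype=CRYPTO_KEY_USER
    
    # Cron jobs fill the logs with stuff we normally don't want.
    # These match on the SELinux subject type. Without SELinux (Debian ships
    # AppArmor by default) the kernel accepts them but they never match, so
    # cron activity is still recorded by the rules below (e.g. the euid=0
    # execve rule).
    -a never,user -F subj_type=crond_t
    -a exit,never -F subj_type=crond_t
    -a never,exit -F path=/usr/sbin/cron -F success=0
    
    # filter
    # 4294967295 is (unsigned long) -1: the loginuid was never set. That is
    # normal for processes not descended from a login session (daemons);
    # pam_loginuid sets it at login (tty / DM / ssh) and children inherit it.
    # https://stackoverflow.com/questions/22914627/some-uids-in-proc-pid-loginuid-are-strange
    # "processing" is resolved to a numeric uid when the rules are loaded, so
    # the account must exist on the host or loading fails right here.
    # Be aware this also hides *failed* PAM authentications for that account.
    -a always,exclude -F msgtype=USER_AUTH -F auid=4294967295 -F uid=processing
    -a always,exclude -F msgtype=USER_ACCT -F auid=4294967295 -F uid=processing
    -a always,exclude -F msgtype=CRED_ACQ  -F auid=4294967295 -F uid=processing
    -a always,exclude -F msgtype=CRED_DISP -F auid=4294967295 -F uid=processing
    # Dropping these for everyone loses session-end and unit-stop records,
    # which are what you use to bound a session during an investigation.
    -a always,exclude -F msgtype=USER_END
    -a always,exclude -F msgtype=SERVICE_STOP
    
    # VMWare tools (SELinux type again, see above).
    # path= matches a single inode, so it only ever matched the directory
    # itself; dir= covers the tree, which is what was intended.
    -a exit,never -F arch=b64 -S fork -F success=0 -F dir=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
    
    # Check_MK/xinetd
    # The previous four rules here used msgtype= and name= on the exit list and
    # a path in a1=. auditctl accepts none of those (msgtype is only valid on
    # the exclude/user lists, name is not a field, a1 must be numeric), so the
    # load stopped at this point and nothing below it was ever active.
    # exe= filters on the executable of the *calling* process (path= would
    # match accesses to the xinetd binary instead); it needs kernel 4.3+ and a
    # matching auditctl. check_mk_agent is a script, so only its own execve is
    # suppressed - the commands it spawns are still logged.
    -a never,exit -F arch=b64 -S setuid -S setgid -S openat -S execve -F success=0 -F exe=/usr/sbin/xinetd
    -a never,exit -F arch=b64 -S execve -F path=/usr/bin/check_mk_agent
    # PROCTITLE records hold the full argv of the process. The old attempt to
    # drop them was invalid anyway, and argv is usually exactly what an
    # investigation needs, so they stay. Should volume require it, the valid
    # form is on the exclude list:
    #-a always,exclude -F msgtype=PROCTITLE
    
    ## High Volume Event Filter (especially on Linux Workstations)
    # arch=b64 only: 32-bit accesses to /dev/shm still reach the b32 rule at
    # the end of this file.
    -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
    # -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm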
    # -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
    
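    ### Rules ----------------------------------------------------------------
    ## Kernel Related Events
    # sysctl(8) also reads /etc/sysctl.d/*.conf, which is where Debian packages
    # and most admins put overrides.
    -w /etc/sysctl.conf -p wa -k sysctl
    -w /etc/sysctl.d    -p wa -k sysctl
    # auid!=-1 is the same test as the auid!=4294967295 used elsewhere in this
    # file: skip processes that are not part of a login session.
    -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod                              -k T1215_Kernel_Modules_and_Extensions
    -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe                            -k T1215_Kernel_Modules_and_Extensions
    -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod                               -k T1215_Kernel_Modules_and_Extensions
    # The syscall rule catches loads that bypass the tools above (a binary
    # calling init_module/finit_module directly).
    -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
    # Debian configures modprobe via /etc/modprobe.d/*.conf (blacklists,
    # options, install= hooks); /etc/modprobe.conf is the legacy single file.
    -w /etc/modprobe.conf -p wa                                                            -k T1215_Kernel_Modules_and_Extensions
    -w /etc/modprobe.d    -p wa                                                            -k T1215_Kernel_Modules_and_Extensions
    
    # Time Related Events
    # (a second rule for clock_settime alone used to follow; it was a duplicate
    # of the one below and was removed)
    -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
    -w /etc/localtime -p wa                                                 -k T1099_Timestomp
    
    # Cron configuration & scheduled jobs related events
    -w /etc/cron.allow -p wa     -k T1168_Local_Job_Scheduling
    -w /etc/cron.deny -p wa      -k T1168_Local_Job_Scheduling
    -w /etc/cron.d -p wa         -k T1168_Local_Job_Scheduling
    -w /etc/cron.daily -p wa     -k T1168_Local_Job_Scheduling
    -w /etc/cron.hourly -p wa    -k T1168_Local_Job_Scheduling
    -w /etc/cron.monthly -p wa   -k T1168_Local_Job_Scheduling
    -w /etc/cron.weekly -p wa    -k T1168_Local_Job_Scheduling
    -w /etc/crontab -p wa        -k T1168_Local_Job_Scheduling
    # no -p given here, so this watch defaults to rwxa (reads by cron included)
    -w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling
    -w /etc/inittab -p wa        -k T1168_Local_Job_Scheduling
    -w /etc/init.d -p wa         -k T1168_Local_Job_Scheduling
    -w /etc/init -p wa           -k T1168_Local_Job_Scheduling
    -w /etc/at.allow -p wa       -k T1168_Local_Job_Scheduling
    -w /etc/at.deny -p wa        -k T1168_Local_Job_Scheduling
    -w /var/spool/at -p wa       -k T1168_Local_Job_Scheduling
    -w /etc/anacrontab -p wa     -k T1168_Local_Job_Scheduling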
    
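    # Account Related Events
    # On Debian regular accounts start at UID 1000 (UID_MIN in /etc/login.defs).
    # The auid>=500 threshold used below is the old RHEL value; it additionally
    # covers system accounts 500-999, which is harmless, but 1000 is the local
    # default if you want to match login.defs.
    -w /etc/sudoers -p wa      -k T1078_Valid_Accounts
    -w /usr/bin/passwd -p x    -k T1078_Valid_Accounts
    -w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts
    -w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts
    -w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts
    -w /usr/sbin/useradd -p x  -k T1078_Valid_Accounts
    -w /usr/sbin/usermod -p x  -k T1078_Valid_Accounts
    -w /usr/sbin/adduser -p x  -k T1078_Valid_Accounts
    
    # Privileged Command Execution Related Events
    # The euid=0 execve rule records every command run as root - package
    # upgrades, cron jobs and systemd units included - and will dominate the
    # log volume on a busy host. It is also what keeps root's cron activity
    # visible when the SELinux-based cron filters above are inert.
    -a exit,always -F arch=b64 -F euid=0 -S execve                                              -k T1078_Valid_Accounts
    # /usr/bin/passwd and /usr/sbin/usermod are not repeated here: the
    # unconditional -p x watches above match first (same key), so their
    # auid-filtered duplicates could never fire and were dropped.
    # Several paths (pam_timestamp_check, userhelper, semanage, newrole, rlogin,
    # rcp) are RHEL-specific; watches on absent files load fine and simply
    # never match on Debian.
    -a always,exit -F path=/usr/sbin/userdel         -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/bin/ping                 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/bin/umount               -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/bin/mount                -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/bin/su                   -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/bin/chgrp                -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/bin/ping6                -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/sbin/unix_chkpwd         -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/sbin/newusers        -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/sbin/groupdel        -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/sbin/semanage        -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/sbin/userhelper      -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/rlogin           -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/sudoedit         -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/at               -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/gpasswd          -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/crontab          -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/sudo             -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/rcp              -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/chsh             -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/chfn             -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/chage            -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/setfacl          -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/chacl            -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/chcon            -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/newgrp           -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    -a always,exit -F path=/usr/bin/newrole          -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
    
    # Media Export Related Events
    # Every mount(2) by a logged-in user; automounters running under their own
    # account are not affected by the auid filter and would still be logged.
    -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k T1052_Exfiltration_Over_Physical_Medium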
    
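    # Session Related Events
    # utmp/wtmp/btmp are written by login, sshd and systemd-logind; an
    # attacker clearing their tracks has to touch these.
    -w /var/run/utmp -p wa -k T1108_Redundant_Access
    -w /var/log/wtmp -p wa -k T1108_Redundant_Access
    -w /var/log/btmp -p wa -k T1108_Redundant_Access
    
    # Login Related Events
    # These three are watched again under T1082 in the recon section below;
    # audit is first-match-wins, so only this key is ever attached to them.
    -w /var/log/faillog  -p wa -k T1021_Remote_Services
    -w /var/log/lastlog  -p wa -k T1021_Remote_Services
    -w /var/log/tallylog -p wa -k T1021_Remote_Services
    
    # Pam Related Events
    # (the key is a legacy mapping; PAM changes are a persistence / credential
    # access signal, not C2 - kept as-is so saved searches keep working)
    -w /etc/pam.d/                  -p wa -k T1071_Standard_Application_Layer_Protocol
    -w /etc/security/limits.conf    -p wa -k T1071_Standard_Application_Layer_Protocol
    -w /etc/security/pam_env.conf   -p wa -k T1071_Standard_Application_Layer_Protocol
    -w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol
    -w /etc/security/namespace.init -p wa -k T1071_Standard_Application_Layer_Protocol
    # common-password is also inside the /etc/pam.d/ watch above; which key a
    # write ends up under depends on rule order, so check with
    # `ausearch -k T1201_Password_Policy_Discovery` after loading.
    -w /etc/pam.d/common-password   -p wa -k T1201_Password_Policy_Discovery
    
    # SSH Related Events
    # sshd typically re-executes itself and re-reads its configuration for each
    # connection, so the r in rwxa yields one record per login. Keep it if read
    # auditing of the config is wanted; otherwise wa carries the tampering
    # signal.
    -w /etc/ssh/sshd_config   -p rwxa -k T1021_Remote_Services
    # Debian (bullseye and later) ends sshd_config with
    # "Include /etc/ssh/sshd_config.d/*.conf"; a drop-in there (e.g. enabling
    # PermitRootLogin or an AuthorizedKeysFile) is as effective as editing the
    # main file and was not watched at all.
    -w /etc/ssh/sshd_config.d -p wa   -k T1021_Remote_Services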
    
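    # C2 Related Events - Log 64 bit processes. a2 is the addrlen argument of
    # connect(2); 110 (0x6e) is sizeof(struct sockaddr_un), so a2!=110 skips
    # local unix-socket connects. Very high volume - left disabled.
    #-a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port
    # C2 Related Events - Log 32 bit processes (a0=3 is SYS_CONNECT, i.e. only
    # outbound connect calls through the socketcall multiplexer)
    #-a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port
    
    # Priv Escalation Related Events
    -w /bin/su -p x -k T1169_Sudo
    -w /usr/bin/sudo -p x -k T1169_Sudo
    # Writes to /etc/sudoers are already keyed T1078_Valid_Accounts by the
    # earlier watch (first match wins); this one adds read auditing. The
    # sudoers.d drop-in directory is the usual place for a rogue NOPASSWD
    # entry and was not watched at all.
    -w /etc/sudoers   -p rw -k T1169_Sudo
    -w /etc/sudoers.d -p wa -k T1169_Sudo
    # Ownership / mode / xattr changes by logged-in users (setuid bits, capability
    # xattrs). The key name's "Seuid" typo is kept on purpose: renaming a key
    # breaks existing searches and SIEM rules.
    -a always,exit -F arch=b64 -S chmod        -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S chown        -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S fchmod       -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S fchmodat     -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S fchown       -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S fchownat     -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S fsetxattr    -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S lchown       -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S lsetxattr    -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S removexattr  -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    -a always,exit -F arch=b64 -S setxattr     -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
    # execve where the effective uid differs from the login uid: catches
    # commands run after su/sudo/setuid binaries changed identity.
    -a always,exit -F arch=b64 -S execve       -C auid!=uid                     -k T1166_Seuid_and_Setgid
    # Every uid/gid change is logged (sudo, su, sshd, cron and most daemons
    # trigger this). The second copy of this rule that used to filter on
    # exit=EPERM could never match - this unfiltered rule comes first and wins -
    # and was dropped; failed attempts are still recorded, search them with
    # success=no.
    -a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid               -k T1166_Seuid_and_Setgid
    # Writes into the system binary directories. /usr/sbin holds the
    # privileged admin tools watched individually above and deserves the same
    # coverage; expect a burst of events during package upgrades.
    -w /usr/bin  -p wa -k T1068_Exploitation_for_Privilege_Escalation
    -w /usr/sbin -p wa -k T1068_Exploitation_for_Privilege_Escalation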
    
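    # Recon Related Events
    # /etc/passwd and /etc/shadow are already watched with -p wa under the key
    # "password" near the top of this file; first match wins, so the passwd
    # watch here never attaches its key, and the shadow/gshadow/opasswd ones
    # only add the read/exec auditing the earlier watches do not request.
    # (the passwd key used to read "TT1087..." - a typo - and is fixed here)
    -w /etc/group            -p wa   -k T1087_Account_Discovery
    -w /etc/passwd           -p wa   -k T1087_Account_Discovery
    -w /etc/gshadow          -p rwxa -k T1087_Account_Discovery
    -w /etc/shadow           -p rwxa -k T1087_Account_Discovery
    -w /etc/security/opasswd -p rwxa -k T1087_Account_Discovery
    -w /usr/sbin/nologin     -p rwxa -k T1087_Account_Discovery
    -w /sbin/nologin         -p rwxa -k T1087_Account_Discovery
    -w /usr/bin/whoami       -p x    -k T1033_System_Owner_User_Discovery
    # -p r on /etc/hostname fires for every process that reads it (hostname,
    # systemd, mailers); it is a discovery signal, not an integrity one.
    -w /etc/hostname         -p r    -k T1082_System_Information_Discovery
    -w /sbin/iptables        -p x    -k T1082_System_Information_Discovery
    -w /sbin/ifconfig        -p x    -k T1082_System_Information_Discovery
    -w /etc/login.defs       -p wa   -k T1082_System_Information_Discovery
    # Read watches on resolv.conf and hosts.allow/deny fire for every process
    # that resolves a name or accepts a tcp-wrapped connection. If the volume
    # becomes a problem, drop the r and keep wa - that is where the tampering
    # signal (DNS hijack, access-control changes) lives.
    -w /etc/resolv.conf      -p rwxa -k T1016_System_Network_Configuration_Discovery
    -w /etc/hosts.allow      -p rwxa -k T1016_System_Network_Configuration_Discovery
    -w /etc/hosts.deny       -p rwxa -k T1016_System_Network_Configuration_Discovery
    -w /etc/securetty        -p wa   -k T1082_System_Information_Discovery
    # faillog/lastlog/tallylog are already watched under T1021 above; with
    # first match wins these three never attach their key.
    -w /var/log/faillog      -p wa   -k T1082_System_Information_Discovery
    -w /var/log/lastlog      -p wa   -k T1082_System_Information_Discovery
    -w /var/log/tallylog     -p wa   -k T1082_System_Information_Discovery
    # Debian installs tcpdump under /usr/bin (the /usr/sbin path is RHEL's);
    # both are watched so the rule works on either.
    -w /usr/sbin/tcpdump     -p x    -k T1049_System_Network_Connections_discovery
    -w /usr/bin/tcpdump      -p x    -k T1049_System_Network_Connections_discovery
    -w /usr/sbin/traceroute  -p x    -k T1049_System_Network_Connections_discovery
    -w /usr/bin/wireshark    -p x    -k T1049_System_Network_Connections_discovery
    -w /usr/bin/rawshark     -p x    -k T1049_System_Network_Connections_discovery
    # grep/ps are run constantly by shells and monitoring; left disabled.
    #-w /usr/bin/grep         -p x    -k T1081_Credentials_In_Files
    #-w /usr/bin/egrep        -p x    -k T1081_Credentials_In_Files
    #-w /usr/bin/ps           -p x    -k T1057_Process_Discovery
    
    # Remote Access Related Events
    # base64 is included because it is the usual way to smuggle a payload
    # through a one-liner; it is also used by legitimate scripts.
    -w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools
    -w /bin/nc         -p x -k T1219_Remote_Access_Tools
    -w /bin/netcat     -p x -k T1219_Remote_Access_Tools
    -w /usr/bin/ncat   -p x -k T1219_Remote_Access_Tools
    
    # Third Party Software - RPM (Redhat/CentOS)
    -w /usr/bin/rpm -p x -k T1072_third_party_software
    -w /usr/bin/yum -p x -k T1072_third_party_software
    # Third Party Software - DPKG / APT-GET (Debian/Ubuntu)
    -w /usr/bin/dpkg               -p x -k T1072_third_party_software
    -w /usr/bin/apt-add-repository -p x -k T1072_third_party_software
    -w /usr/bin/apt-get            -p x -k T1072_third_party_software
    -w /usr/bin/aptitude           -p x -k T1072_third_party_software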
    
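    # Code injection Related Events
    # Not specifically required by the STIG; but common sense items
    # Optional - could indicate someone trying to do something bad or
    # just debugging (gdb and strace trigger it too).
    # One rule is enough: the request-specific variants that used to follow it
    # (a0=4 POKETEXT, 5 POKEDATA, 6 POKEUSER) could never match, because this
    # unfiltered rule comes first and carries the same key. To tell injection
    # apart from plain tracing, put a0-filtered rules with their own key
    # *before* a catch-all like this one.
    -a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection
    
    # Shell configuration Persistence Related Events
    # -p rwxa here also records every read, i.e. every login shell start.
    -w /etc/profile.d -p rwxa -k T1156_bash_profile_and_bashrc
    -w /etc/profile   -p rwxa -k T1156_bash_profile_and_bashrc
    -w /etc/shells    -p rwxa -k T1156_bash_profile_and_bashrc
    # Debian's system-wide bashrc is /etc/bash.bashrc; /etc/bashrc is the
    # RHEL name and is kept so the file stays portable.
    -w /etc/bashrc      -p rwxa -k T1156_bash_profile_and_bashrc
    -w /etc/bash.bashrc -p rwxa -k T1156_bash_profile_and_bashrc
    -w /etc/csh.cshrc -p rwxa -k T1156_bash_profile_and_bashrc
    -w /etc/csh.login -p rwxa -k T1156_bash_profile_and_bashrc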
    
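    # Things that could affect system locale
    # A path or syscall watched twice gets only the first matching rule's key
    # (first match wins). The hostname, /etc/hosts and /etc/issue rules that
    # used to be repeated further down under other keys therefore never fired;
    # their keys are folded in here instead - auditctl joins repeated -k into
    # one key list and ausearch -k matches any of them.
    -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -k network_modifications
    -w /etc/issue             -p wa                            -k system-locale -k etcissue
    -w /etc/issue.net         -p wa                            -k system-locale -k etcissue
    -w /etc/hosts             -p wa                            -k system-locale -k network_modifications
    #-w /etc/sysconfig/network -p wa                            -k system-locale
    
    # System startup and shutdown
    # On a systemd host these paths are usually symlinks to systemctl, which is
    # also watched (-p x) below, so a shutdown may show under either key.
    -a always,exit -F arch=b64 -S execve -F path=/sbin/reboot   -k reboot
    -a always,exit -F arch=b64 -S execve -F path=/sbin/init     -k reboot
    -a always,exit -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
    -a always,exit -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot
    
    # Changes to other network configuration
    # (/etc/network covers interfaces and interfaces.d/ on ifupdown hosts)
    -w /etc/network           -p wa -k network
    -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications
    
    # Library search paths and preload
    # ld.so.conf includes /etc/ld.so.conf.d/*.conf on Debian, and
    # /etc/ld.so.preload is the classic userland-rootkit / LD_PRELOAD
    # persistence point - neither was watched. Watches on absent files load
    # fine and fire when the file is created.
    -w /etc/ld.so.conf    -p wa -k libpath
    -w /etc/ld.so.conf.d  -p wa -k libpath
    -w /etc/ld.so.preload -p wa -k libpath
    
    # Systemd
    # /etc/systemd covers unit overrides and drop-ins; units installed under
    # /lib/systemd/system by packages are not watched.
    -w /bin/systemctl -p x  -k systemd
    -w /etc/systemd   -p wa -k systemd
    
    # 32bit API Exploitation
    # If you are on a 64 bit platform, everything _should_ be running in 64
    # bit mode. This rule will detect any use of the 32 bit syscalls because
    # this might be a sign of someone exploiting a hole in the 32 bit API.
    # Note the never/exclude filters earlier in this file are arch=b64 only, so
    # 32-bit activity from those programs is *not* suppressed here.
    -a always,exit -F arch=b32 -S all -k 32bit_api
    
    # Reloading: run `auditctl -R /etc/audit/audit.rules` (or, if the rules
    # live in /etc/audit/rules.d, `augenrules --load`) from a shell. The
    # trailing "-R /etc/audit/audit.rules" line this file used to end with has
    # been removed: -R is a command-line option, not a rule, and auditctl
    # either rejects it inside a rules file or re-reads this file from the -D
    # at the top. Either way it cannot do what the comment intended.
    #
    # Consider ending a hardened host's rules with `-e 2`: the ruleset becomes
    # immutable until reboot, so a compromised root cannot remove watches
    # (at the cost of a reboot for every rule change).
    
    # show active rules: sudo auditctl -l
    # find related event for passwd file: ausearch -f /etc/passwd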