Select Git revision
audit.rules 17.94 KiB
###################
# Debian defaults #
###################
### CONTROL RULES
# First rule - delete all.
-D
# Increase the buffers to survive stress events. Make this bigger for busy
# systems.
-b8192
# This determines how long to wait in burst of events.
--backlog_wait_time 0
# Set failure mode to syslog.
-f1
##################
# SLUB specifics #
##################
# based on:
# - https://github.com/bfuzzy/auditd-attack.git
# - https://github.com/chef-cookbooks/auditd.git
# format Filesystem rules ("watches"):
# -w <path-to-file> -p <permissions> -k <keyname>
# Watches can also be created using the syscall format, which allows for
# greater flexibility and options. However, it is very important to only
# use syscall rules when you have to since these affect performance!!!
# watch write access & attribute changes for /etc/passwd and shadow
-w /etc/passwd -p wa -k password
-w /etc/shadow -p wa -k password
# watch write access & attribute changes for apt repositories
-w /etc/apt -p wa -k repos
### Self Auditing --------------------------------------------------------
## Audit the audit logs
# (un-)successful attempts to read information from
# the audit records
-w /var/log/audit -p rwxa -k auditlog
## Auditd configuration
# Modifications to audit configuration that occur while the audit
# collection functions are operating
-w /etc/audit -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp -p wa -k audispconfig
# Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
### Filters --------------------------------------------------------------
## We put these early because audit is a first match wins system.
# Ignore current working directory records
-a always,exclude -F msgtype=CWD
# Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
# This is not very interesting and wastes a lot of space if the server is
# public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
# Cron jobs fill the logs with stuff we normally don't want (works with
# SELinux)-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
-a never,exit -F path=/usr/sbin/cron -F success=0
# filter
# 4294967295 is just (unsigned long) -1. -1 means that loginuid was not set. This is normal behavior for processes that were not spawned by any login process (e.g. for daemons). loginuid is -1 by default; pam_loginuid module changes it to your user id whenever you login (in a tty/in DM/via ssh), and this value is preserved by child processes.
# https://stackoverflow.com/questions/22914627/some-uids-in-proc-pid-loginuid-are-strange
-a always,exclude -F msgtype=USER_AUTH -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=USER_ACCT -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=CRED_ACQ -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=CRED_DISP -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=USER_END
-a always,exclude -F msgtype=SERVICE_STOP
# VMWare tools
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
# Check_MK/xinetd
-a never,exit -F arch=b64 -F msgtype=SYSCALL -S setuid -S setgid -S openat -S execve -F success=0 -F path=/usr/sbin/xinetd
-a never,exit -F msgtype=EXECVE -F a1=/usr/bin/check_mk_agent
-a never,exit -F msgtype=PATH -F name=/usr/bin/check_mk_agent
-a never,exit -F msgtype=PROCTITLE
## High Volume Event Filter (especially on Linux Workstations)
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
# -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
### Rules ----------------------------------------------------------------
## Kernel Related Events
-w /etc/sysctl.conf -p wa -k sysctl
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
-w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions
# Time Related Events
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp
-a always,exit -F arch=b64 -S clock_settime -k T1099_Timestomp
-w /etc/localtime -p wa -k T1099_Timestomp
# Cron configuration & scheduled jobs related events
-w /etc/cron.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.deny -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.d -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.daily -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.hourly -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.monthly -p wa -k T1168_Local_Job_Scheduling
-w /etc/cron.weekly -p wa -k T1168_Local_Job_Scheduling
-w /etc/crontab -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling
-w /etc/inittab -p wa -k T1168_Local_Job_Scheduling
-w /etc/init.d -p wa -k T1168_Local_Job_Scheduling
-w /etc/init -p wa -k T1168_Local_Job_Scheduling
-w /etc/at.allow -p wa -k T1168_Local_Job_Scheduling
-w /etc/at.deny -p wa -k T1168_Local_Job_Scheduling
-w /var/spool/at -p wa -k T1168_Local_Job_Scheduling
-w /etc/anacrontab -p wa -k T1168_Local_Job_Scheduling
# Account Related Events
-w /etc/sudoers -p wa -k T1078_Valid_Accounts
-w /usr/bin/passwd -p x -k T1078_Valid_Accounts
-w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts
-w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts
-w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts
-w /usr/sbin/useradd -p x -k T1078_Valid_Accounts
-w /usr/sbin/usermod -p x -k T1078_Valid_Accounts
-w /usr/sbin/adduser -p x -k T1078_Valid_Accounts
# Privleged Command Execution Related Events-a exit,always -F arch=b64 -F euid=0 -S execve -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
# Media Export Related Events
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k T1052_Exfiltration_Over_Physical_Medium
# Session Related Events
-w /var/run/utmp -p wa -k T1108_Redundant_Access
-w /var/log/wtmp -p wa -k T1108_Redundant_Access
-w /var/log/btmp -p wa -k T1108_Redundant_Access
# Login Related Events
-w /var/log/faillog -p wa -k T1021_Remote_Services
-w /var/log/lastlog -p wa -k T1021_Remote_Services
-w /var/log/tallylog -p wa -k T1021_Remote_Services
# Pam Related Events
-w /etc/pam.d/ -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/limits.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/pam_env.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/security/namespace.init -p wa -k T1071_Standard_Application_Layer_Protocol
-w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery
# SSH Related Events
-w /etc/ssh/sshd_config -p rwxa -k T1021_Remote_Services
# C2 Releated Events - Log 64 bit processes (a2!=6e filters local unix socket calls)
#-a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port
# C2 Releated Events - Log 32 bit processes (a0=3 means only outbound sys_connect calls)
#-a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port
# Priv Escalation Related Events
-w /bin/su -p x -k T1169_Sudo
-w /usr/bin/sudo -p x -k T1169_Sudo
-w /etc/sudoers -p rw -k T1169_Sudo
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S execve -C auid!=uid -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k T1166_Seuid_and_Setgid
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k T1166_Seuid_and_Setgid
-w /usr/bin -p wa -k T1068_Exploitation_for_Privilege_Escalation
# Recon Related Events
-w /etc/group -p wa -k T1087_Account_Discovery
-w /etc/passwd -p wa -k TT1087_Account_Discovery
-w /etc/gshadow -p rwxa -k T1087_Account_Discovery
-w /etc/shadow -p rwxa -k T1087_Account_Discovery
-w /etc/security/opasswd -p rwxa -k T1087_Account_Discovery
-w /usr/sbin/nologin -p rwxa -k T1087_Account_Discovery
-w /sbin/nologin -p rwxa -k T1087_Account_Discovery
-w /usr/bin/whoami -p x -k T1033_System_Owner_User_Discovery
-w /etc/hostname -p r -k T1082_System_Information_Discovery
-w /sbin/iptables -p x -k T1082_System_Information_Discovery
-w /sbin/ifconfig -p x -k T1082_System_Information_Discovery
-w /etc/login.defs -p wa -k T1082_System_Information_Discovery
-w /etc/resolv.conf -p rwxa -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -p rwxa -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -p rwxa -k T1016_System_Network_Configuration_Discovery
-w /etc/securetty -p wa -k T1082_System_Information_Discovery
-w /var/log/faillog -p wa -k T1082_System_Information_Discovery
-w /var/log/lastlog -p wa -k T1082_System_Information_Discovery
-w /var/log/tallylog -p wa -k T1082_System_Information_Discovery
-w /usr/sbin/tcpdump -p x -k T1049_System_Network_Connections_discovery
-w /usr/sbin/traceroute -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/wireshark -p x -k T1049_System_Network_Connections_discovery
-w /usr/bin/rawshark -p x -k T1049_System_Network_Connections_discovery
#-w /usr/bin/grep -p x -k T1081_Credentials_In_Files
#-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
#-w /usr/bin/ps -p x -k T1057_Process_Discovery
# Remote Access Related Events
-w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools
-w /bin/nc -p x -k T1219_Remote_Access_Tools
-w /bin/netcat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools
# Third Party Software - RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k T1072_third_party_software
-w /usr/bin/yum -p x -k T1072_third_party_software
# Third Party Software - DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k T1072_third_party_software
-w /usr/bin/apt-add-repository -p x -k T1072_third_party_software
-w /usr/bin/apt-get -p x -k T1072_third_party_software
-w /usr/bin/aptitude -p x -k T1072_third_party_software
# Code injection Related Events
# Not specifically required by the STIG; but common sense items
# Optional - could indicate someone trying to do something bad or
# just debugging
-a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection
# Code injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055_Process_Injection
# Data injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055_Process_Injection
# Register injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k T1055_Process_Injection
# Shell configuration Persistence Related Events
-w /etc/profile.d -p rwxa -k T1156_bash_profile_and_bashrc-w /etc/profile -p rwxa -k T1156_bash_profile_and_bashrc
-w /etc/shells -p rwxa -k T1156_bash_profile_and_bashrc
-w /etc/bashrc -p rwxa -k T1156_bash_profile_and_bashrc
-w /etc/csh.cshrc -p rwxa -k T1156_bash_profile_and_bashrc
-w /etc/csh.login -p rwxa -k T1156_bash_profile_and_bashrc
# Things that could affect system locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
#-w /etc/sysconfig/network -p wa -k system-locale
# System startup and shutdown
-a always,exit -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
-a always,exit -F arch=b64 -S execve -F path=/sbin/init -k reboot
-a always,exit -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
-a always,exit -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot
# Changes to hostname
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
# Changes to other files
-w /etc/hosts -p wa -k network_modifications
-w /etc/network -p wa -k network
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications
# Changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
# Library search paths
-w /etc/ld.so.conf -p wa -k libpath
# Systemd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd -p wa -k systemd
# 32bit API Exploitation
# If you are on a 64 bit platform, everything _should_ be running in 64
# bit mode. This rule will detect any use of the 32 bit syscalls because
# this might be a sign of someone exploiting a hole in the 32 bit API.
-a always,exit -F arch=b32 -S all -k 32bit_api
# reload rules from disk to overwrite temporary rules in memory
-R /etc/audit/audit.rules
# show active rules: sudo auditctl -l
# find related event for passwd file: ausearch -f /etc/passwd