From 5d4b7f0c64ae6e2cf9a35691b8fe434491f537c6 Mon Sep 17 00:00:00 2001
From: juju4
Date: Sun, 15 Nov 2020 13:01:45 -0500
Subject: [PATCH] sync rules with Neo23x0/auditd

---
 README.md                     |  1 +
 defaults/main.yml             | 68 +++++++++++++++++------------------
 templates/01-start.rules.j2   |  4 +++
 templates/60-neo23x0.rules.j2 | 27 ++++++++++++++
 4 files changed, 66 insertions(+), 34 deletions(-)

diff --git a/README.md b/README.md
index f5d4b96..69040c0 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ $ vagrant ssh
 * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-system_auditing.html
 * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-starting_the_audit_service.html
 * https://github.com/bfuzzy/auditd-attack
+* https://github.com/Neo23x0/auditd/
 
 ## License
 
diff --git a/defaults/main.yml b/defaults/main.yml
index 21a91ea..9c92a13 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,12 +19,8 @@ auditd_sensitive_files:
 auditd_log_binaries_exec:
   - /usr/bin/perl
   - /usr/bin/python
+  - /usr/bin/python3
   - /usr/bin/ruby
-  - /usr/bin/ruby1.9.1
-  - /usr/bin/ruby2.0
-  - /usr/bin/ruby2.1
-  - /usr/bin/ruby2.2
-  - /usr/bin/ruby2.3
 
 # This variable controls wether files not managed by this role will be purged
 # from the rules configuration directory
@@ -56,50 +52,54 @@ auditd_exclusion_rules:
 # cron jobs
   - '-a never,user -F subj_type=crond_t'
 # VMWare tools
-  - '-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2'
-  - '-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2'
-  - '-a exit,never -F dir=/var/lock/lvm'
-# - '-a exit,never -F dir=/path/to/directory'
-# - '-a exit,never -F path=/path/to/file'
-# - '-a exit,never -F auid='
+  - '-a never,exit -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2'
+  - '-a never,exit -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2'
+  - '-a never,exit -F dir=/var/lock/lvm'
+# High Volume Event Filter (especially on Linux Workstations)
+  - '-a never,exit -F arch=b32 -F dir=/dev/shm -k sharedmemaccess'
+  - '-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess'
+# - '-a never,exit -F dir=/path/to/directory'
+# - '-a never,exit -F path=/path/to/file'
+# - '-a never,exit -F auid='
 # This set use 'exe' filter which is available on more recent auditd (RHEL7.3+, Ubuntu Xenial+)
 auditd_exclusion_rules2:
 # uncommon_syscall
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S prctl -F exe=/usr/sbin/sshd'
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S prctl -F exe=/usr/lib/openssh/sftp-server'
-  - '-a exit,never -F arch=b64 -S prctl -F exe=/lib/systemd/systemd-journald'
-  - '-a exit,never -F arch=b64 -S prctl -F exe=/lib/systemd/systemd-udevd'
-  - '-a exit,never -F arch=b64 -S prctl -F exe=/bin/systemctl'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S prctl -F exe=/usr/sbin/sshd'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S prctl -F exe=/usr/lib/openssh/sftp-server'
+  - '-a never,exit -F arch=b64 -S prctl -F exe=/lib/systemd/systemd-journald'
+  - '-a never,exit -F arch=b64 -S prctl -F exe=/lib/systemd/systemd-udevd'
+  - '-a never,exit -F arch=b64 -S prctl -F exe=/bin/systemctl'
 # admin_user_home
-  - '-a exit,never -F arch=b64 -F dir=/home/ -F uid=0 -F auid=4294967295 -S lstat -F exe=/sbin/cgrulesengd'
-  - '-a exit,never -F arch=b64 -F dir=/home/ -F uid=0 -F auid=4294967295 -S lstat -S stat -S open -S inotify_add_watch
+  - '-a never,exit -F arch=b64 -F dir=/home/ -F uid=0 -F auid=4294967295 -S lstat -F exe=/sbin/cgrulesengd'
+  - '-a never,exit -F arch=b64 -F dir=/home/ -F uid=0 -F auid=4294967295 -S lstat -S stat -S open -S inotify_add_watch
     -S openat -S newfstatat -F exe=/usr/bin/osqueryd'
 # unauthfileacess: setroubleshoot
-  - '-a exit,never -F arch=b64 -S open -F success=0 -F uid=996 -F auid=4294967295 -F exe=/usr/bin/rpm'
-  - '-a exit,never -F arch=b64 -S open -F success=0 -F uid=104 -F auid=4294967295 -F exe=/usr/sbin/rsyslogd -F dir=/var/log'
+  - '-a never,exit -F arch=b64 -S open -F success=0 -F uid=996 -F auid=4294967295 -F exe=/usr/bin/rpm'
+  - '-a never,exit -F arch=b64 -S open -F success=0 -F uid=104 -F auid=4294967295 -F exe=/usr/sbin/rsyslogd -F dir=/var/log'
 # specialfiles
-  - '-a exit,never -F arch=b64 -S mknod -F success=0 -F uid=996 -F auid=4294967295 -F exe=/usr/lib/systemd/systemd-logind'
+  - '-a never,exit -F arch=b64 -S mknod -F success=0 -F uid=996 -F auid=4294967295 -F exe=/usr/lib/systemd/systemd-logind'
 # etcpasswd
-  - '-a exit,never -F arch=b64 -F path=/etc/shadow -F uid=0 -F auid=4294967295 -S open -F exe=/usr/sbin/crond'
-  - '-a exit,never -F arch=b64 -F path=/etc/shadow -F uid=0 -F auid=4294967295 -S open -F exe=/usr/sbin/sshd'
-  - '-a exit,never -F arch=b64 -F path=/etc/shadow -F uid=0 -F auid=4294967295 -S open -F exe=/usr/sbin/unix_chkpwd'
+  - '-a never,exit -F arch=b64 -F path=/etc/shadow -F uid=0 -F auid=4294967295 -S open -F exe=/usr/sbin/crond'
+  - '-a never,exit -F arch=b64 -F path=/etc/shadow -F uid=0 -F auid=4294967295 -S open -F exe=/usr/sbin/sshd'
+  - '-a never,exit -F arch=b64 -F path=/etc/shadow -F uid=0 -F auid=4294967295 -S open -F exe=/usr/sbin/unix_chkpwd'
 # rootcmd
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/sbin/sshd'
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/sbin/sshd'
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/bin/sleep'
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=0 -S execve -F exe=/usr/bin/env'
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/bin/dirname'
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=0 -S execve -F exe=/usr/bin/dirname'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/sbin/sshd'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/sbin/sshd'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/bin/sleep'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=0 -S execve -F exe=/usr/bin/env'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/bin/dirname'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=0 -S execve -F exe=/usr/bin/dirname'
 
 auditd_exclusion_rules_debian:
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/lib/sysstat/sadc'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/lib/sysstat/sadc'
 # time-change
-  - '-a exit,never -F arch=b64 -F uid=111 -F auid=4294967295 -S adjtimex -F exe=/usr/sbin/ntpd -F success=0'
+  - '-a never,exit -F arch=b64 -F uid=111 -F auid=4294967295 -S adjtimex -F exe=/usr/sbin/ntpd -F success=0'
 # tmp_write
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S openat -S unlink -F exe=/usr/bin/apt-mark -F success=0'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S openat -S unlink -F exe=/usr/bin/apt-mark -F success=0'
 
 auditd_exclusion_rules_redhat:
-  - '-a exit,never -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/lib64/sa/sadc'
+  - '-a never,exit -F arch=b64 -F uid=0 -F auid=4294967295 -S execve -F exe=/usr/lib64/sa/sadc'
+  - '-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony -F subj_type=chronyd_t'
 
 # load at the end
 auditd_extra_rules: []
diff --git a/templates/01-start.rules.j2 b/templates/01-start.rules.j2
index 5123b76..1d9cc7c 100644
--- a/templates/01-start.rules.j2
+++ b/templates/01-start.rules.j2
@@ -30,3 +30,7 @@
 # 2=panic, halt system
 -f {{ auditd_failure_mode | default(1) }}
 
+###################
+# Ignore errors
+###################
+-i
diff --git a/templates/60-neo23x0.rules.j2 b/templates/60-neo23x0.rules.j2
index e216583..157d05b 100644
--- a/templates/60-neo23x0.rules.j2
+++ b/templates/60-neo23x0.rules.j2
@@ -54,3 +54,30 @@
 -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 
+# Software Management ---------------------------------------------------------
+
+# RPM (Redhat/CentOS)
+-w /usr/bin/rpm -p x -k software_mgmt
+-w /usr/bin/yum -p x -k software_mgmt
+
+# DNF (Fedora/RedHat 8/CentOS 8)
+-w /usr/bin/dnf -p x -k software_mgmt
+
+# YAST/Zypper/RPM (SuSE)
+-w /sbin/yast -p x -k yast
+-w /sbin/yast2 -p x -k yast
+-w /bin/rpm -p x -k software_mgmt
+-w /usr/bin/zypper -k software_mgmt
+
+# DPKG / APT-GET (Debian/Ubuntu)
+-w /usr/bin/dpkg -p x -k software_mgmt
+-w /usr/bin/apt -p x -k software_mgmt
+-w /usr/bin/apt-add-repository -p x -k software_mgmt
+-w /usr/bin/apt-get -p x -k software_mgmt
+-w /usr/bin/aptitude -p x -k software_mgmt
+-w /usr/bin/wajig -p x -k software_mgmt
+-w /usr/bin/snap -p x -k software_mgmt
+
+# PIP (Python installs)
+-w /usr/bin/pip -p x -k software_mgmt
+-w /usr/bin/pip3 -p x -k software_mgmt
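Review bot: The first two `# rootcmd` entries of `auditd_exclusion_rules2` are byte-identical (`-S execve -F exe=/usr/sbin/sshd` twice), and auditctl normally refuses to add a rule that already exists, so the second line only produces a load error; drop one of them. The `-k sharedmemaccess` key on the two new `/dev/shm` filters only labels the rule, since a `never` rule emits no record that could carry it, and because these lines sit in the default `auditd_exclusion_rules` they silence every exit-syscall event under a world-writable tmpfs on all hosts, not just the workstations the comment names; consider moving them to an opt-in list (for example an `auditd_exclusion_rules_workstation` variable, name suggested) or spelling out the visibility trade-off in the comment. The new Red Hat-only chrony exclusion has auditctl resolve `uid=_chrony` at load time; `_chrony` looks like the Debian/Ubuntu account name while `subj_type=chronyd_t` is the Red Hat SELinux type, so please confirm that account exists on the targeted platform, otherwise the rule is rejected and silently skipped once `-i` is in effect.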
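Review bot: The unconditional `-i` appended to 01-start.rules.j2 makes auditctl ignore every rule-load error, so a rejected rule (a duplicate, an unresolvable user name, an `-F exe` filter on an auditd too old to support it) is dropped silently and the host ends up with less coverage than the role intended, with no failing task to show for it. Since the file is a template, gate the flag on a variable so CI and hardened deployments can choose to fail loudly, e.g. `{% if auditd_ignore_rule_errors | default(true) %}-i{% endif %}` (variable name suggested). The header comment should also say why the flag is there, e.g. `# Ignore errors: distribution-specific rules are not expected to load everywhere`.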
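Review bot: `-w /usr/bin/zypper -k software_mgmt` is the only watch in the new `Software Management` block without `-p x`; as I understand auditctl, a watch with no `-p` triggers on every access type (read, write, execute, attribute), which makes this line far noisier than its siblings and looks unintended — change it to `-w /usr/bin/zypper -p x -k software_mgmt`. The two YaST watches use the key `yast` while every other line uses `software_mgmt`, so a search on `-k software_mgmt` misses package installs done through YaST on SuSE; either reuse `software_mgmt` or add a comment stating why YaST gets its own key. The snap watch is filed under the `DPKG / APT-GET (Debian/Ubuntu)` heading although snap is a separate package manager; a one-line `# Snap (Ubuntu)` comment above it would keep the grouping accurate.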