feat: sync with Neo23x0/auditd

teqneers · Jun 17, 2023 · 7e1135e · 7e1135e
1 parent 5329ec2
commit 7e1135e
Show file tree

Hide file tree

Showing 2 changed files with 322 additions and 6 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -63,6 +63,11 @@ auditd_exclusion_rules:
   # High Volume Event Filter (especially on Linux Workstations)
   - '-a never,exit -F arch=b32 -F dir=/dev/shm -k sharedmemaccess'
   - '-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess'
+  - '-a never,exit -F arch=b32 -F dir=/var/lock/lvm -k locklvm'
+  - '-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm'
+  ## FileBeat
+  # - '-a never,exit -F arch=b32 -F path=/opt/filebeat -k filebeat'
+  # - '-a never,exit -F arch=b64 -F path=/opt/filebeat -k filebeat'
   # - '-a never,exit -F dir=/path/to/directory'
   # - '-a never,exit -F path=/path/to/file'
   # - '-a never,exit -F auid=<UID>'

diff --git a/templates/60-neo23x0.rules.j2 b/templates/60-neo23x0.rules.j2
@@ -1,5 +1,43 @@
 {{ ansible_managed | comment }}
 
+#      ___             ___ __      __
+#     /   | __  ______/ (_) /_____/ /
+#    / /| |/ / / / __  / / __/ __  /
+#   / ___ / /_/ / /_/ / / /_/ /_/ /
+#  /_/  |_\__,_/\__,_/_/\__/\__,_/
+#
+# Linux Audit Daemon - Best Practice Configuration
+# /etc/audit/audit.rules
+#
+# Compiled by Florian Roth
+#
+# Created  : 2017/12/05
+# Modified : 2023/01/25
+#
+# Based on rules published here:
+#   Gov.uk auditd rules
+#   	https://github.com/gds-operations/puppet-auditd/pull/1
+# 	CentOS 7 hardening
+# 		https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon
+# 	Linux audit repo
+# 		https://github.com/linux-audit/audit-userspace/tree/master/rules
+# 	Auditd high performance linux auditing
+# 		https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/
+#
+# Further rules
+# 	For PCI DSS compliance see:
+# 		https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules
+# 	For NISPOM compliance see:
+# 		https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules
+
+## Access to all audit trails
+
+-a always,exit -F path=/usr/sbin/ausearch -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/aureport -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/aulast -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/auvirt -F perm=x -k T1005_Data_From_Local_System_audit_log
+
 ## Kernel module loading and unloading
 -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
 -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
@@ -55,6 +93,8 @@
 -w /bin/nc -p x -k susp_activity
 -w /bin/netcat -p x -k susp_activity
 -w /usr/bin/ncat -p x -k susp_activity
+-w /usr/bin/ss -p x -k susp_activity
+-w /usr/bin/netstat -p x -k susp_activity
 -w /usr/bin/ssh -p x -k susp_activity
 -w /usr/bin/scp -p x -k susp_activity
 -w /usr/bin/sftp -p x -k susp_activity
@@ -63,9 +103,49 @@
 -w /usr/bin/wireshark -p x -k susp_activity
 -w /usr/bin/tshark -p x -k susp_activity
 -w /usr/bin/rawshark -p x -k susp_activity
--w /usr/bin/rdesktop -p x -k susp_activity
+-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools
+-w /usr/local/bin/rdesktop -p x -k T1219_Remote_Access_Tools
+-w /usr/bin/wlfreerdp -p x -k susp_activity
+-w /usr/bin/xfreerdp -p x -k T1219_Remote_Access_Tools
+-w /usr/local/bin/xfreerdp -p x -k T1219_Remote_Access_Tools
 -w /usr/bin/nmap -p x -k susp_activity
 
+## T1002 Data Compressed
+
+-w /usr/bin/zip -p x -k T1002_Data_Compressed
+-w /usr/bin/gzip -p x -k T1002_Data_Compressed
+-w /usr/bin/tar -p x -k T1002_Data_Compressed
+-w /usr/bin/bzip2 -p x -k T1002_Data_Compressed
+
+-w /usr/bin/lzip -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lzip -p x -k T1002_Data_Compressed
+
+-w /usr/bin/lz4 -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lz4 -p x -k T1002_Data_Compressed
+
+-w /usr/bin/lzop -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lzop -p x -k T1002_Data_Compressed
+
+-w /usr/bin/plzip -p x -k T1002_Data_Compressed
+-w /usr/local/bin/plzip -p x -k T1002_Data_Compressed
+
+-w /usr/bin/pbzip2 -p x -k T1002_Data_Compressed
+-w /usr/local/bin/pbzip2 -p x -k T1002_Data_Compressed
+
+-w /usr/bin/lbzip2 -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lbzip2 -p x -k T1002_Data_Compressed
+
+-w /usr/bin/pixz -p x -k T1002_Data_Compressed
+-w /usr/local/bin/pixz -p x -k T1002_Data_Compressed
+
+-w /usr/bin/pigz -p x -k T1002_Data_Compressed
+-w /usr/local/bin/pigz -p x -k T1002_Data_Compressed
+-w /usr/bin/unpigz -p x -k T1002_Data_Compressed
+-w /usr/local/bin/unpigz -p x -k T1002_Data_Compressed
+
+-w /usr/bin/zstd -p x -k T1002_Data_Compressed
+-w /usr/local/bin/zstd -p x -k T1002_Data_Compressed
+
 ## Added to catch netcat on Ubuntu
 -w /bin/nc.openbsd -p x -k susp_activity
 -w /bin/nc.traditional -p x -k susp_activity
@@ -85,6 +165,51 @@
 ## dbus-send invocation
 ### may indicate privilege escalation CVE-2021-3560
 -w /usr/bin/dbus-send -p x -k dbus_send
+-w /usr/bin/gdbus -p x -k gdubs_call
+
+## pkexec invocation
+### may indicate privilege escalation CVE-2021-4034
+-w /usr/bin/pkexec -p x -k pkexec
+
+## Suspicious shells
+-w /bin/ash -p x -k susp_shell
+-w /bin/csh -p x -k susp_shell
+-w /bin/fish -p x -k susp_shell
+-w /bin/tcsh -p x -k susp_shell
+-w /bin/tclsh -p x -k susp_shell
+-w /bin/xonsh -p x -k susp_shell
+-w /usr/local/bin/xonsh -p x -k susp_shell
+-w /bin/open -p x -k susp_shell
+-w /bin/rbash -p x -k susp_shell
+
+# Web Server Actvity
+## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
+-a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
+-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
+
+### https://clustershell.readthedocs.io/
+-w /bin/clush -p x -k susp_shell
+-w /usr/local/bin/clush -p x -k susp_shell
+-w /etc/clustershell/clush.conf -p x -k susp_shell
+
+### https://github.com/tmux/tmux
+-w /bin/tmux -p x -k susp_shell
+-w /usr/local/bin/tmux -p x -k susp_shell
+
+## Shell/profile configurations
+-w /etc/profile.d/ -p wa -k shell_profiles
+-w /etc/profile -p wa -k shell_profiles
+-w /etc/shells -p wa -k shell_profiles
+-w /etc/bashrc -p wa -k shell_profiles
+-w /etc/csh.cshrc -p wa -k shell_profiles
+-w /etc/csh.login -p wa -k shell_profiles
+-w /etc/fish/ -p wa -k shell_profiles
+-w /etc/zsh/ -p wa -k shell_profiles
+
+### https://github.com/xxh/xxh
+-w /usr/local/bin/xxh.bash -p x -k susp_shell
+-w /usr/local/bin/xxh.xsh -p x -k susp_shell
+-w /usr/local/bin/xxh.zsh -p x -k susp_shell
 
 ## Injection
 ### These rules watch for code injection by the ptrace facility.
@@ -106,6 +231,12 @@
 -a always,exit -F arch=b64 -S ptrace -k tracing
 {% endif %}
 
+## Anonymous File Creation
+### These rules watch the use of memfd_create
+### "memfd_create" creates anonymous file and returns a file descriptor to access it
+### When combined with "fexecve" can be used to stealthily run binaries in memory without touching disk
+-a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create
+-a always,exit -F arch=b32 -S memfd_create -F key=anon_file_create
 
 # Software Management ---------------------------------------------------------
 
@@ -131,9 +262,38 @@
 -w /usr/bin/wajig -p x -k software_mgmt
 -w /usr/bin/snap -p x -k software_mgmt
 
-# PIP (Python installs)
--w /usr/bin/pip -p x -k software_mgmt
--w /usr/bin/pip3 -p x -k software_mgmt
+# PIP(3) (Python installs)
+-w /usr/bin/pip -p x -k T1072_third_party_software
+-w /usr/local/bin/pip -p x -k T1072_third_party_software
+-w /usr/bin/pip3 -p x -k T1072_third_party_software
+-w /usr/local/bin/pip3 -p x -k T1072_third_party_software
+
+# npm
+## T1072 third party software
+## https://www.npmjs.com
+## https://docs.npmjs.com/cli/v6/commands/npm-audit
+-w /usr/bin/npm -p x -k T1072_third_party_software
+
+# Comprehensive Perl Archive Network (CPAN) (CPAN installs)
+## T1072 third party software
+## https://www.cpan.org
+-w /usr/bin/cpan -p x -k T1072_third_party_software
+
+# Ruby (RubyGems installs)
+## T1072 third party software
+## https://rubygems.org
+-w /usr/bin/gem -p x -k T1072_third_party_software
+
+# LuaRocks (Lua installs)
+## T1072 third party software
+## https://luarocks.org
+-w /usr/bin/luarocks -p x -k T1072_third_party_software
+
+# Pacman (Arch Linux)
+## https://wiki.archlinux.org/title/Pacman
+## T1072 third party software
+-w /etc/pacman.conf -p x -k T1072_third_party_software
+-w /etc/pacman.d -p x -k T1072_third_party_software
 
 # Special Software ------------------------------------------------------------
 
@@ -152,6 +312,58 @@
 ## CHEF https://www.chef.io/chef/
 -w /etc/chef -p wa -k soft_chef
 
+## Salt
+## https://saltproject.io/
+## https://docs.saltproject.io/en/latest/ref/configuration/master.html
+-w /etc/salt -p wa -k soft_salt
+-w /usr/local/etc/salt -p wa -k soft_salt
+
+## Otter
+## https://inedo.com/otter
+-w /etc/otter -p wa -k soft_otter
+
+## T1081 Credentials In Files
+-w /usr/bin/grep -p x -k T1081_Credentials_In_Files
+-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
+-w /usr/bin/ugrep -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/grep -p x -k T1081_Credentials_In_Files
+-w /usr/local/bin/egrep -p x -k T1081_Credentials_In_Files
+-w /usr/local/bin/ugrep -p x -k T1081_Credentials_In_Files
+
+### https://github.com/tmbinc/bgrep
+-w /usr/bin/bgrep -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/bgrep -p x -k T1081_Credentials_In_Files
+
+### https://github.com/BurntSushi/ripgrep
+-w /usr/bin/rg -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/rg -p x -k T1081_Credentials_In_Files
+
+### https://github.com/monochromegane/the_platinum_searcher
+-w /usr/bin/pt -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/pt -p x -k T1081_Credentials_In_Files
+
+### https://github.com/gvansickle/ucg
+-w /usr/bin/ucg -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/ucg -p x -k T1081_Credentials_In_Files
+
+### https://github.com/ggreer/the_silver_searcher
+-w /usr/bin/ag -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/ag -p x -k T1081_Credentials_In_Files
+
+### https://github.com/beyondgrep/ack3
+### https://beyondgrep.com
+-w /usr/bin/ack -p x -k T1081_Credentials_In_Files
+-w /usr/local/bin/ack -p x -k T1081_Credentials_In_Files
+-w /usr/bin/semgrep -p x -k T1081_Credentials_In_Files
+### macOS
+-w /usr/local/bin/semgrep -p x -k T1081_Credentials_In_Files
+
 {% endif %}
 ### Docker
 -w /usr/bin/dockerd -k docker
@@ -165,11 +377,110 @@
 -w /etc/sysconfig/docker-storage -k docker
 {% endif %}
 -w /usr/lib/systemd/system/docker.service -k docker
+-w /usr/lib/systemd/system/docker.socket -k docker
+
+## Virtualization stuff
+-w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
+-w /usr/bin/qemu-img -p x -k qemu-img
+-w /usr/bin/qemu-kvm -p x -k qemu-kvm
+-w /usr/bin/qemu -p x -k qemu
+-w /usr/bin/virtualbox -p x -k virtualbox
+-w /usr/bin/virt-manager -p x -k virt-manager
+-w /usr/bin/VBoxManage -p x -k VBoxManage
+
+#### VirtualBox on macOS
 
-### Kubelet
+-w /usr/local/bin/VirtualBox -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VirtualBoxVM -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxManage -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxVRDP -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxHeadless -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/vboxwebsrv -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxBugReport -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxBalloonCtrl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxAutostart -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/VBoxDTrace -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/vbox-img -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/LaunchDaemons/org.virtualbox.startup.plist -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Application Support/VirtualBox/LaunchDaemons/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Application Support/VirtualBox/VBoxDrv.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Application Support/VirtualBox/VBoxUSB.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Application Support/VirtualBox/VBoxNetFlt.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Application Support/VirtualBox/VBoxNetAdp.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+
+### Parallels Desktop on macOS
+
+-w /usr/local/bin/prl_convert -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prl_disk_tool -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prl_perf_ctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlcore2dmp -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlexec -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlsrvctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Preferences/Parallels -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+
+### qemu on macOS
+
+-w /usr/local/bin/qemu-edid -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/qemu-img -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/qemu-io -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/qemu-nbd -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/qemu-system-x86_64 -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+
+## Kubelet
 -w /usr/bin/kubelet -k kubelet
 
-# High volume events ----------------------------------------------------------
+# ipc system call
+# /usr/include/linux/ipc.h
+
+## msgctl
+#-a always,exit -S ipc -F a0=14 -k T1559_Inter-Process_Communication
+## msgget
+#-a always,exit -S ipc -F a0=13 -k T1559_Inter-Process_Communication
+## Use these lines on x86_64, ia64 instead
+-a always,exit -F arch=b64 -S msgctl -k T1559_Inter-Process_Communication
+-a always,exit -F arch=b64 -S msgget -k T1559_Inter-Process_Communication
+
+## semctl
+#-a always,exit -S ipc -F a0=3 -k T1559_Inter-Process_Communication
+## semget
+#-a always,exit -S ipc -F a0=2 -k T1559_Inter-Process_Communication
+## semop
+#-a always,exit -S ipc -F a0=1 -k T1559_Inter-Process_Communication
+## semtimedop
+#-a always,exit -S ipc -F a0=4 -k T1559_Inter-Process_Communication
+## Use these lines on x86_64, ia64 instead
+-a always,exit -F arch=b64 -S semctl -k T1559_Inter-Process_Communication
+-a always,exit -F arch=b64 -S semget -k T1559_Inter-Process_Communication
+-a always,exit -F arch=b64 -S semop -k T1559_Inter-Process_Communication
+-a always,exit -F arch=b64 -S semtimedop -k T1559_Inter-Process_Communication
+
+## shmctl
+#-a always,exit -S ipc -F a0=24 -k T1559_Inter-Process_Communication
+## shmget
+#-a always,exit -S ipc -F a0=23 -k T1559_Inter-Process_Communication
+## Use these lines on x86_64, ia64 instead
+-a always,exit -F arch=b64 -S shmctl -k T1559_Inter-Process_Communication
+-a always,exit -F arch=b64 -S shmget -k T1559_Inter-Process_Communication
+
+# High Volume Events ----------------------------------------------------------
+
+## Disable these rules if they create too many events in your environment
+
+## Common Shells
+-w /bin/bash -p x -k susp_shell
+-w /bin/dash -p x -k susp_shell
+-w /bin/busybox -p x -k susp_shell
+-w /bin/zsh -p x -k susp_shell
+-w /bin/sh -p x -k susp_shell
+-w /bin/ksh -p x -k susp_shell
+
+## File Access
+### Unauthorized Access (unsuccessful)
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
 
 ### Unsuccessful Creation
 -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation