From 58910767487923e0e70d1410e239c72765af2997 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 28 Jul 2023 15:11:28 +0200
Subject: [PATCH 01/10] Update audit.rules
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..bfb1608 100644
--- a/audit.rules
+++ b/audit.rules
@@ -341,6 +341,10 @@
 -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 
+## vte-2.91
+-a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+
 ## T1002 Data Compressed
 -w /usr/bin/zip -p x -k Data_Compressed
From 1b0426a812b43e425f4a5262de09eee923fc37e8 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 28 Jul 2023 15:20:42 +0200
Subject: [PATCH 02/10] Update audit.rules
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..dda5ca7 100644
--- a/audit.rules
+++ b/audit.rules
@@ -402,6 +402,10 @@
 -w /usr/bin/dbus-send -p x -k dbus_send
 -w /usr/bin/gdbus -p x -k gdubs_call
 
+### dbus
+-a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
 -w /usr/bin/pkexec -p x -k pkexec
From 9ff2eb90d57040daa7b42483942976dcaec71bec Mon Sep 17 00:00:00 2001
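Review bot: The `## vte-2.91` header gives no rationale for watching gnome-pty-helper, and nothing in the added lines tells a reader what the helper is; as far as I recall it is a privileged pty/utmp helper that a terminal spawns on behalf of the logged-in user, and upstream vte dropped it years ago, so on current distributions these paths may not exist at all. Suggest a line such as `### gnome-pty-helper: privileged pty/utmp helper of older vte builds; exec by a logged-in user outside a terminal session is unexpected — confirm the path exists on the target distribution`. Also, on merged-/usr systems `/lib64` is a symlink to `/usr/lib64`, so both rules name the same file; check with `auditctl -l` that both load rather than one being reported as a duplicate.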
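Review bot: `dbus-daemon-launch-helper` is, as far as I know, a setuid helper executed by the system bus daemon for service activation, and that daemon normally runs with the login uid unset, so the `-F auid!=4294967295` term drops every ordinary activation and the two added rules fire only when a logged-in user executes the helper directly — presumably the intent, but the bare `### dbus` header does not say so. Suggest replacing it with `### dbus-daemon-launch-helper: setuid activation helper normally exec'd only by the system bus; a direct exec by a logged-in user is unexpected`. Style-wise the sibling sections in this region (`## pkexec invocation`, `## vte-2.91`) use `##` for a section title and reserve `###` for explanatory notes, so `### dbus` should be `## dbus`.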
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 29 Jul 2023 12:40:27 +0200
Subject: [PATCH 03/10] Update audit.rules
---
 audit.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index dda5ca7..b1637ed 100644
--- a/audit.rules
+++ b/audit.rules
@@ -403,8 +403,8 @@
 -w /usr/bin/gdbus -p x -k gdubs_call
 
 ### dbus
--a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
From de77ce90e4dbb34fc873d67c0ead07ed321aefd8 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 29 Jul 2023 12:42:23 +0200
Subject: [PATCH 04/10] Update audit.rules vte-2.91
---
 audit.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index bfb1608..68fdcaf 100644
--- a/audit.rules
+++ b/audit.rules
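Review bot: Lowering the threshold to `-F auid>=500` makes these rules consistent with the neighbouring ones, but nothing in the visible context says which UID_MIN the file assumes: 500 matches older RHEL-style systems, while most current distributions start regular users at 1000, where `auid>=500` also matches service accounts in the 500–999 range. A one-line note where the convention applies, e.g. `### auid>=500 assumes UID_MIN=500; use 1000 on distributions that start regular users at 1000`, would stop the next contributor from flipping the value again the way this series did. The same point applies to the vte-2.91 hunk in PATCH 04/10.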
@@ -342,8 +342,8 @@
 -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 
 ## vte-2.91
--a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 
 ## T1002 Data Compressed
From ad129fa95735fe4ce40ae5c1e0f4330f198b0bc4 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 29 Jul 2023 12:44:44 +0200
Subject: [PATCH 05/10] Update audit.rules setfiles
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..bfc0cf3 100644
--- a/audit.rules
+++ b/audit.rules
@@ -402,6 +402,10 @@
 -w /usr/bin/dbus-send -p x -k dbus_send
 -w /usr/bin/gdbus -p x -k gdubs_call
 
+## setfiles
+-a always,exit -F path=/usr/bin/setfiles -F perm=x -F auid>=500 -F auid!=4294967295 -k -F T1078_Valid_Accounts
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=500 -F auid!=4294967295 -k -F T1078_Valid_Accounts
+
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
 -w /usr/bin/pkexec -p x -k pkexec
From 5a3275ca355107ec9e00c0b24befa023a9e58526 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sun, 30 Jul 2023 10:11:45 +0200
Subject: [PATCH 06/10] Update audit.rules atftpd
---
 audit.rules | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..7ba84c1 100644
--- a/audit.rules
+++ b/audit.rules
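Review bot: Both added setfiles rules are malformed: `-k -F T1078_Valid_Accounts` hands `-k` the key `-F` and leaves `T1078_Valid_Accounts` as a stray argument, so auditctl should reject the line and, depending on whether the file is loaded with `-c`, either skip these two rules or stop loading the rule set at this point. The lines should read `-a always,exit -F path=/usr/bin/setfiles -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts` and the same for `/usr/sbin/setfiles`. The `## setfiles` header also gives no reason why an SELinux relabelling tool is filed under valid-account abuse; a short `###` note stating what an unexpected execution would indicate would make the rule reviewable.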
@@ -334,6 +334,24 @@
 -w /usr/local/bin/xfreerdp -p x -k susp_activity
 -w /usr/bin/nmap -p x -k susp_activity
 
+### atftpd
+### https://sourceforge.net/projects/atftp/
+### https://github.com/madmartin/atftp
+### atftp is a client/server implementation of the TFTP protocol that implements RFCs 1350, 2090, 2347, 2348, 2349 and 7440.
+### The server is multi-threaded and the client presents a friendly interface using libreadline.
+### T1133_External_Remote_Services
+-w /usr/bin/atftpd -p x -k susp_activity
+-w /usr/sbin/atftpd -p x -k susp_activity
+
+-w /usr/bin/in.tftpd -p x -k susp_activity
+-w /usr/sbin/in.tftpd -p x -k susp_activity
+
+-w /lib/systemd/system/atftpd.service -k susp_activity
+-w /lib/systemd/system/atftpd.service -k susp_activity
+
+-w /usr/lib/systemd/system/atftpd.socket -k susp_activity
+-w /usr/lib/systemd/system/atftpd.socket -k susp_activity
+
 ## sssd
 -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
From 9fbd4410077a0871703ec8823b5d23c0522163b5 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sun, 30 Jul 2023 10:18:24 +0200
Subject: [PATCH 07/10] Update audit.rules
---
 audit.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index 7ba84c1..a2494d2 100644
--- a/audit.rules
+++ b/audit.rules
@@ -347,9 +347,9 @@
 -w /usr/sbin/in.tftpd -p x -k susp_activity
 
 -w /lib/systemd/system/atftpd.service -k susp_activity
--w /lib/systemd/system/atftpd.service -k susp_activity
+-w /usr/lib/systemd/system/atftpd.service -k susp_activity
 
--w /usr/lib/systemd/system/atftpd.socket -k susp_activity
+-w /lib/systemd/system/atftpd.socket -k susp_activity
 -w /usr/lib/systemd/system/atftpd.socket -k susp_activity
 
 ## sssd
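Review bot: `in.tftpd` is, as far as I know, the daemon shipped by tftp-hpa rather than by atftp, so the two `in.tftpd` watches sit under a header that describes a different package; a line such as `### in.tftpd belongs to tftp-hpa, watched here because it serves the same protocol` above that pair would keep a reader from treating the two as one. The four unit-file watches are written without `-p`, which auditctl treats as all of `rwxa`, so they will also fire on every read of the unit file (e.g. daemon reloads); `-p wa` would limit them to modifications, which is presumably what a watch on a unit file is meant to catch. The duplicated `.service`/`.socket` lines are corrected in PATCH 07/10, so I am not raising them here.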
From 47ebceac1f26c2763662cfee8efb98638aca88b0 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sun, 30 Jul 2023 10:35:16 +0200
Subject: [PATCH 08/10] Update audit.rules uftp
---
 audit.rules | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..1833657 100644
--- a/audit.rules
+++ b/audit.rules
@@ -334,6 +334,20 @@
 -w /usr/local/bin/xfreerdp -p x -k susp_activity
 -w /usr/bin/nmap -p x -k susp_activity
 
+### uftp
+### https://sourceforge.net/projects/uftp-multicast/
+### UFTP is an encrypted multicast file transfer program, designed to securely, reliably,
+### and efficiently transfer files to multiple receivers simultaneously.
+### FTP also has the capability to communicate over disjoint networks separated by one or
+### more firewalls (NAT traversal) and without full end-to-end multicast capability
+### (multicast tunneling) through the use of a UFTP proxy server.
+### T1133_External_Remote_Services
+-w /usr/bin/uftp -p x -k susp_activity
+-w /usr/sbin/uftp -p x -k susp_activity
+
+-w /lib/systemd/system/uftp.service -k susp_activity
+-w /usr/lib/systemd/system/uftp.service -k susp_activity
+
 ## sssd
 -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
From 19b8601edd75ec3946db85c6a13ddb81e7b967bd Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Tue, 15 Aug 2023 17:04:41 +0200
Subject: [PATCH 09/10] Update audit.rules yash
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..2c5ca7f 100644
--- a/audit.rules
+++ b/audit.rules
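Review bot: The comment `### FTP also has the capability …` has lost the leading letter of the product name it quotes and should read `### UFTP also has the capability …`. Beyond the typo, the watches cover only the `uftp` binary, which if I remember the upstream layout correctly is the sender; the receiver daemon (`uftpd`) and the proxy (`uftpproxyd`) are the components that listen for external peers — the T1133 case the header cites — and they are not watched, and the unit file is more likely to carry the daemon's name than the client's. Worth verifying the installed file names on a target system before this goes in, and noting in the `###` block which component each watch covers.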
@@ -417,6 +417,10 @@
 -w /bin/open -p x -k susp_shell
 -w /bin/rbash -p x -k susp_shell
 
+### https://gtfobins.github.io/gtfobins/yash/
+-w /bin/yash -p x -k susp_shell
+-w /usr/bin/yash -p x -k susp_shell
+
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
 -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
From dfb7898b1e8bbfe6c57920121a0ddf5a4676a57e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 9 Jan 2024 21:53:06 +0100
Subject: [PATCH 10/10] Update audit.rules
fix: https://github.com/Neo23x0/auditd/issues/125
---
 audit.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit.rules b/audit.rules
index 03ed184..5160ddf 100644
--- a/audit.rules
+++ b/audit.rules
@@ -461,7 +461,7 @@
 
 ## Privilege Abuse
 ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
--a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
+-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
 
 # Socket Creations
 # will catch both IPv4 and IPv6
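Review bot: The rewritten rule can never match: all `-F` terms of one rule are ANDed, and no login uid satisfies both `-F auid=0` and `-F auid>=1000`, so `power_abuse` silently stops firing altogether. The original `-F uid=0` expressed the case the `###` comment describes — a process running as root whose login uid is still that of a regular user who then reads another user's home — and unless issue #125 asks for something I cannot see here, the line should go back to `-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse`. If the intent was instead to catch sessions that logged in as root directly, the `auid>=1000` and `-C auid!=obj_uid` terms would have to go as well, and a `###` note saying which of the two cases the rule targets would keep this from regressing again.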