V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -59,13 +59,16 @@ install_verification() {
|
||||
-D
|
||||
|
||||
## Increase the buffers to survive stress events.
|
||||
## Make this bigger for busy systems
|
||||
## Make this bigger for busy systems.
|
||||
-b 16384
|
||||
|
||||
## This determine how long to wait in burst of events
|
||||
## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
|
||||
-r 200
|
||||
|
||||
## This determine how long to wait in burst of events. How long to wait in bursts (µs).
|
||||
--backlog_wait_time 1024
|
||||
|
||||
## Set failure mode to syslog
|
||||
## Set failure mode to syslog.
|
||||
-f 1
|
||||
EOF
|
||||
|
||||
@@ -109,6 +112,17 @@ EOF
|
||||
## This rule suppresses the time-change event when chrony does time updates
|
||||
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
|
||||
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/25-ciss-exec.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/25-ciss-exec.rules"
|
||||
## Focus on privileged exec, not every user command
|
||||
-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
|
||||
-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
|
||||
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
|
||||
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
|
||||
-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
|
||||
-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
|
||||
@@ -126,17 +140,6 @@ EOF
|
||||
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
|
||||
## Successful file creation (open with O_CREAT)
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
|
||||
@@ -154,17 +157,6 @@ EOF
|
||||
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
|
||||
## Successful file modifications (open for write or truncate)
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
|
||||
@@ -174,14 +166,6 @@ EOF
|
||||
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
|
||||
## Successful file access (any other opens) This has to go last.
|
||||
## These next two are likely to result in a whole lot of events
|
||||
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
||||
@@ -191,13 +175,6 @@ EOF
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
|
||||
## Successful file delete
|
||||
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
|
||||
@@ -207,13 +184,6 @@ EOF
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
|
||||
## Successful permission change
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
|
||||
@@ -223,13 +193,6 @@ EOF
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
|
||||
## Successful ownership change
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42.rules
|
||||
|
||||
Reference in New Issue
Block a user