V8.13.280.2025.10.23

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-23 07:41:43 +01:00
parent ce19ab9311
commit ca212c9a27
43 changed files with 77 additions and 53 deletions
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -34,8 +34,8 @@ cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
 cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules

-############################################################### /etc/audit/rules.d/10-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D

@@ -53,6 +53,20 @@ cat << EOF >| /etc/audit/rules.d/10-base-config.rules
 -f 1
 EOF

+############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
+cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
+## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
+-a never,exit -F auid=4294967295
+
+## Make privileged exec tracing user-initiated only (no boot-time daemons).
+-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+
+## (Optional, same principle for suid/sgid transitions).
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable