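#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### https://github.com/linux-audit/audit-userspace/tree/master/rules
#
# Installs auditd and writes the audit-userspace OSPP v4.2 rule set into
# /etc/audit/rules.d/.  This script only writes the files; it does not load
# them into the running kernel.  The rule set ends with `-e 2` (immutable
# configuration), so once auditd has loaded it, any later rule change needs
# a reboot to take effect.
#
# Must run as root on a Debian/apt system.  Existing audit configuration is
# copied to BACKUP_DIR before it is replaced.

set -C -e -u -o pipefail

readonly RULES_D=/etc/audit/rules.d
readonly BACKUP_DIR=/root/.ciss/dlb/backup

#######################################
# Copy a file into BACKUP_DIR, skipping with a warning when the source is
# absent.  Without the guard a missing source makes `cp` fail and `set -e`
# aborts the whole script before any rule is written.
# Globals:   BACKUP_DIR (read)
# Arguments: $1 - source path; $2 - file name to use inside BACKUP_DIR
# Returns:   0, or the cp exit status when the copy fails
#######################################
backup_file() {
  local src=$1
  local name=$2
  if [[ -e "$src" ]]; then
    cp -u -- "$src" "${BACKUP_DIR}/${name}"
  else
    printf 'warning: %s not present, no backup taken\n' "$src" >&2
  fi
}

#######################################
# Write an audit rule file from stdin into RULES_D.  `>|` is required
# because the script runs with `set -C` (noclobber); the rule files are
# meant to be overwritten on every run.
# Globals:   RULES_D (read)
# Arguments: $1 - rule file name (no directory component)
#######################################
write_rules() {
  local name=$1
  cat >| "${RULES_D}/${name}"
}

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

cd /root

apt-get install -y auditd

mkdir -p -- "$BACKUP_DIR"
backup_file /etc/audit/audit.rules audit.rules.bak
backup_file /etc/audit/auditd.conf auditd.conf.bak
backup_file "${RULES_D}/audit.rules" rules_d_audit.rules.bak
# The package's default rule file would be merged with ours by augenrules,
# so it is removed rather than left alongside the OSPP set.
rm -f -- "${RULES_D}/audit.rules"

# All here-documents below use a quoted delimiter: the rule text is written
# verbatim, with no parameter or backslash expansion by the shell.

############################################################### /etc/audit/rules.d/10-base-config.rules
write_rules 10-base-config.rules <<'EOF'
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1
EOF

############################################################### /etc/audit/rules.d/11-loginuid.rules
write_rules 11-loginuid.rules <<'EOF'
--loginuid-immutable
EOF

############################################################### /etc/audit/rules.d/20-dont-audit.rules
# NOTE(review): the chrony exclusion here uses arch=x86_64 while the one in
# 22-ignore-chrony.rules uses arch=b64/b32; both come from upstream and the
# 64-bit rule is effectively duplicated.
write_rules 20-dont-audit.rules <<'EOF'
## This is for don't audit rules. We put these early because audit
### is a first match wins system. Uncomment the rules you want.

## Cron jobs fill the logs with stuff we normally don't want
-a never,user -F subj_type=crond_t

## This prevents chrony from overwhelming the logs
-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t

### This is not very interesting and wastes a lot of space if
### the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
EOF

############################################################### /etc/audit/rules.d/21-no32bit.rules
write_rules 21-no32bit.rules <<'EOF'
## If you are on a 64 bit platform, everything _should_ be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit ABI.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
EOF

############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
write_rules 22-ignore-chrony.rules <<'EOF'
## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
write_rules 30-ospp-v42-1-create-failed.rules <<'EOF'
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
write_rules 30-ospp-v42-1-create-success.rules <<'EOF'
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
write_rules 30-ospp-v42-2-modify-failed.rules <<'EOF'
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
write_rules 30-ospp-v42-2-modify-success.rules <<'EOF'
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
write_rules 30-ospp-v42-3-access-failed.rules <<'EOF'
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
# The two successful-access rules below log every successful open() by a
# logged-in user; expect high log volume (see the upstream comment).
write_rules 30-ospp-v42-3-access-success.rules <<'EOF'
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
write_rules 30-ospp-v42-4-delete-failed.rules <<'EOF'
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
write_rules 30-ospp-v42-4-delete-success.rules <<'EOF'
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
write_rules 30-ospp-v42-5-perm-change-failed.rules <<'EOF'
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
write_rules 30-ospp-v42-5-perm-change-success.rules <<'EOF'
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
write_rules 30-ospp-v42-6-owner-change-failed.rules <<'EOF'
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
write_rules 30-ospp-v42-6-owner-change-success.rules <<'EOF'
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42.rules
# NOTE(review): this file is the upstream (Fedora/RHEL oriented) OSPP rule
# set copied verbatim.  Several watched binaries (usernetctl, userhelper,
# seunshare, grub2-set-bootflag) and the "handled by rpm" remark presumably
# do not apply to a Debian image -- confirm which paths exist on the target
# and prune the rules for the rest.
write_rules 30-ospp-v42.rules <<'EOF'
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit-rules


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation


## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
EOF

############################################################### /etc/audit/rules.d/99-finalize.rules
# `-e 2` locks the audit configuration until reboot; keep this file last so
# every other rule is loaded before the lock takes effect.
write_rules 99-finalize.rules <<'EOF'
-e 2
EOF

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh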