Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### https://github.com/linux-audit/audit-userspace/tree/master/rules
# Fail closed: never silently overwrite a file (noclobber, hence the explicit
# >| on every generated file below), abort on any failed command, on any
# unset variable, and on a failure in any stage of a pipeline.
set -o noclobber -o errexit -o nounset -o pipefail
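#######################################
# Write one diagnostic line to stderr, tagged with the hook name, so it never
# mixes with data on stdout (e.g. inside $(...) captures).
# Globals:   none
# Arguments: $@ - message words; joined by the first character of IFS
#                 (a space unless the caller changed IFS)
# Outputs:   "[auditd-build] <message>" followed by a newline, on stderr
# Returns:   printf's exit status (0 unless stderr cannot be written)
#######################################
log() { printf '[auditd-build] %s\n' "${*}" >&2; }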
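printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

cd /root

# This hook runs unattended inside the live-build chroot; apt must never
# stop to ask a question.
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y auditd

# Preserve the distribution-supplied audit configuration before replacing
# it, so the delta between stock auditd and the CISS policy stays reviewable.
# mkdir -p is a no-op when an earlier hook already created the backup tree;
# without it the first cp would abort the whole build under set -e.
readonly backup_dir="/root/.ciss/dlb/backup"
mkdir -p -- "${backup_dir}"
cp -u -- /etc/audit/audit.rules         "${backup_dir}/audit.rules.bak"
cp -u -- /etc/audit/auditd.conf         "${backup_dir}/auditd.conf.bak"
cp -u -- /etc/audit/rules.d/audit.rules "${backup_dir}/rules_d_audit.rules.bak"
# The stock fragment is superseded by the numbered rules.d files written
# below. It is a regular file, so -f (not -rf) is all that is needed.
rm -f -- /etc/audit/rules.d/audit.rules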
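############################################################### /etc/audit/rules.d/10-base-config.rules
# The here-doc delimiter is quoted so the rule text is written literally:
# nothing in an audit rule may ever be subject to shell parameter, command
# or backslash expansion. >| is required because set -C is in force.
# Sorted first (10-*) so -D, -b and -f precede every other rule.
cat << 'EOF' >| /etc/audit/rules.d/10-base-config.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1
EOF

############################################################### /etc/audit/rules.d/11-loginuid.rules
# Once set, loginuid (auid) cannot be rewritten for the rest of the session;
# every "auid>=1000 -F auid!=unset" filter in the fragments below relies on
# this to attribute actions to the human who logged in.
cat << 'EOF' >| /etc/audit/rules.d/11-loginuid.rules
--loginuid-immutable
EOF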
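############################################################### /etc/audit/rules.d/20-dont-audit.rules
# Suppressions are sorted ahead of the OSPP fragments because the kernel
# stops at the first matching rule. Delimiter quoted: rule text is literal.
# The bare "-a never,user" that used to be here is disabled: with no -F
# filter it matched every record on the user-space filter list and dropped
# all PAM/login/sudo USER_* events, which the OSPP fragment below explicitly
# delegates to pam. The generated fragment carries the explanation.
cat << 'EOF' >| /etc/audit/rules.d/20-dont-audit.rules
## This is for don't audit rules. We put these early because audit
## is a first match wins system. Uncomment the rules you want.

## Cron jobs fill the logs with stuff we normally don't want
## NOTE: a bare "-a never,user" has no -F filter, so it matches every record
## on the user-space filter list and silently discards all PAM USER_* events
## (logins, authentication, sudo) that the OSPP rules count on. The upstream
## sample scopes it with -F subj_type=crond_t (SELinux), which has nothing to
## match on this system; re-enable only together with a narrowing filter.
#-a never,user

## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd

## Human-attributable time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change

### This is not very interesting and wastes a lot of space if
### the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
EOF

############################################################### /etc/audit/rules.d/21-no32bit.rules
# Any 32-bit syscall on a 64-bit image is anomalous; key it for detection.
cat << 'EOF' >| /etc/audit/rules.d/21-no32bit.rules
## If you are on a 64 bit platform, everything _should_ be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit ABI.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
EOF

############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
# NOTE(review): -F uid=_chrony is resolved by name when the rules are loaded.
# If the image has no _chrony account (chrony not installed), auditctl -R is
# expected to reject these lines and, without -c, stop before the OSPP
# fragments and -e 2 are reached — confirm, or gate this fragment on chrony
# actually being present in the image.
cat << 'EOF' >| /etc/audit/rules.d/22-ignore-chrony.rules
## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
EOF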
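############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
# OSPP v4.2 file creation, both ABIs, for logged-in non-system users
# (auid>=1000 and set). a2&0100 / a1&0100 test O_CREAT (octal 0100) in the
# flags argument of openat/open_by_handle_at resp. open. Failures are split
# into one rule per errno because each rule carries a single -F exit=.
# Delimiters are quoted so the rule text is written literally.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
# Same syscalls and O_CREAT test, success path only (-F success=1).
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
EOF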
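############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
# OSPP v4.2 file modification, both ABIs. a2&01003 / a1&01003 tests the
# flags argument for O_WRONLY|O_RDWR|O_TRUNC (octal 01003), i.e. any open
# for writing or truncation; truncate/ftruncate are covered separately.
# One rule per errno, since each rule carries a single -F exit=.
# Delimiters are quoted so the rule text is written literally.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
# Same syscalls and flag test, success path only (-F success=1).
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
EOF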
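############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
# OSPP v4.2 catch-all for every other open (no flag test). Sorted after the
# create/modify fragments on purpose: first match wins, so a create or write
# must be keyed as such before this broader rule gets to see it.
# Delimiters are quoted so the rule text is written literally.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
# High volume by design (every successful open by a real user); the -b 8192
# backlog in 10-base-config is what absorbs bursts from these two rules.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF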
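############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
# OSPP v4.2 file deletion/renaming, both ABIs; one rule per errno.
# Delimiters are quoted so the rule text is written literally.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
# Same syscalls, success path only (-F success=1).
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
EOF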
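############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
# OSPP v4.2 permission changes: mode bits (chmod family) and extended
# attributes (setxattr/removexattr families), both ABIs; one rule per errno.
# Delimiters are quoted so the rule text is written literally.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
# Same syscalls, success path only (-F success=1).
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
EOF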
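############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
# OSPP v4.2 ownership changes (chown family), both ABIs; one rule per errno.
# Delimiters are quoted so the rule text is written literally.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF

############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
# Same syscalls, success path only (-F success=1).
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
EOF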
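############################################################### /etc/audit/rules.d/30-ospp-v42.rules
# Upstream OSPP v4.2 baseline (see the reference URL at the top of this
# file), written literally via a quoted delimiter.
# NOTE(review): several -F path=/-F dir= targets are Fedora-specific and do
# not exist on Debian (grub2-set-bootflag, usernetctl, userhelper, seunshare,
# /etc/selinux/ on an AppArmor system); they are kept verbatim from upstream.
# Confirm that auditctl -R accepts path/dir filters on absent objects, since
# without -c it stops at the first rejected line and -e 2 is never reached.
# NOTE(review): the fragment's own text defers kernel-module loading to
# 43-module-load.rules and software updates to rpm; this hook writes neither
# a 43-* fragment nor a dpkg/apt equivalent, so module load/unload and
# package changes are not audited by this set unless another hook adds them.
cat << 'EOF' >| /etc/audit/rules.d/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit-rules


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation


## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
EOF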
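############################################################### /etc/audit/rules.d/99-finalize.rules
# Sorted last (99-*): -e 2 locks the audit configuration for the rest of the
# boot, so no process — root included — can add, delete or disable a rule
# from the set above without a reboot. It also means the kernel refuses
# `auditctl -D` once the rules are live, which the systemd drop-in below
# tolerates on purpose. Delimiter quoted: written literally.
cat << 'EOF' >| /etc/audit/rules.d/99-finalize.rules
-e 2
EOF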
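# Build-time equivalent of a rules.d merge without the kernel load: flatten
# /etc/audit/rules.d/*.rules into /etc/audit/audit.rules so the image boots
# with a fixed, reviewed rule set and nothing is ever pushed into the build
# host's kernel (loading here would also lock the host with -e 2).
shopt -s nullglob
rules=(/etc/audit/rules.d/*.rules)
if (( ${#rules[@]} == 0 )); then
  log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook."
  exit 127
fi

# NOTE(review): augenrules --check reports whether rules.d and audit.rules
# differ; as far as the auditd tooling goes it is not a syntax validator, so
# this gate catches a missing or unreadable rules.d rather than a malformed
# rule. Confirm against the installed version before relying on it for more.
if ! /sbin/augenrules --check >/dev/null 2>&1; then
  log "ERROR: augenrules --check failed. Fix the /etc/audit/rules.d/*.rules first."
  exit 128
fi

# Plain assignments (not `declare x=$(...)`) so a failing mktemp is not
# masked and set -e aborts the hook instead of appending rules to an empty
# file name. The EXIT trap removes both scratch files on every exit path
# from here on, including a set -e abort, not only on success.
tmp=$(mktemp)
tmp_stripped=$(mktemp)
trap 'rm -f -- "${tmp}" "${tmp_stripped}"' EXIT

# NUL-delimited end to end so no filename can split or merge entries;
# sort -V keeps 10-base-config (-D, -b, -f) first and 99-finalize (-e 2)
# last, the only order in which the flat file loads as intended.
printf '%s\0' "${rules[@]##*/}" \
  | sort -zV \
  | while IFS= read -r -d '' fname; do
      f="/etc/audit/rules.d/${fname}"
      ### Normalize CRLF and strip UTF-8 BOM.
      sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' -- "${f}" >> "${tmp}"
      # A fragment without a final newline must not fuse with the next one.
      printf '\n' >> "${tmp}"
    done

# Drop full-line comments and blank lines, then trailing inline comments, so
# the flat file carries rules only.
# NOTE(review): the inline strip also truncates a rule whose path or key
# legitimately contains " #"; none of the fragments written above do.
sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -- "${tmp}" >| "${tmp_stripped}"
sed -E -i 's/[[:space:]]+#.*$//' -- "${tmp_stripped}"

# Root-only: the rule set spells out exactly what is and is not watched.
install -m 0600 -o root -g root -- "${tmp_stripped}" /etc/audit/audit.rules

# Sanity check on the result: at least one rule or an enable flag must have
# survived the stripping, otherwise the image would boot with no policy.
if ! grep -Eq -- '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then
  log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?"
fi

log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)."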
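# Drop-in for the distribution's audit-rules.service: its own ExecStart= is
# cleared and replaced so the unit loads the flat, build-time
# /etc/audit/audit.rules verbatim instead of regenerating it from rules.d at
# boot; the running policy is then exactly the reviewed file in the image.
#  - ConditionSecurity=audit skips the unit on kernels without audit support.
#  - ExecStartPre clears any rules already present. Once -e 2 from
#    99-finalize is live for this boot the kernel refuses -D, so `|| true`
#    keeps that expected refusal from failing the unit.
#  - Type=oneshot + RemainAfterExit=yes: runs once per boot and stays
#    active; a manual restart after -e 2 is expected to fail at ExecStart
#    because the configuration is locked until reboot.
mkdir -p -- /etc/systemd/system/audit-rules.service.d

# Quoted delimiter: the unit text is written literally, nothing is expanded.
cat << 'EOF' >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#[Service]
#ExecStart=
#ExecStart=/sbin/auditctl -R /etc/audit/audit.rules >/dev/null 2>&1

[Unit]
After=auditd.service
ConditionSecurity=audit

[Service]
Type=oneshot
ExecStart=
ExecStartPre=/bin/sh -c '/sbin/auditctl -D >/dev/null 2>&1 || true'
ExecStart=/sbin/auditctl -R /etc/audit/audit.rules
RemainAfterExit=yes

EOF

# Green banner: every step above completed without tripping set -e.
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0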
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh