
auditd-attack's Introduction

auditd-attack

A Linux Auditd rule set mapped to MITRE's Attack Framework

Disclaimer

Please ensure you test these rules prior to pushing them into production. This rule set is NOT meant to have all of its rules enabled all at once (although that would be ideal); it is set up to serve as guidance toward increasing detection/hunting coverage.

Special Thanks To:

Eric Gershman

iase.disa.mil

cyb3rops

ugurengin

checkraze

auditdBroFramework

@MITREattack

auditd-attack's People

Contributors

attackjunkee, bfuzzy1


auditd-attack's Issues

touch syscall?

Hello,

When initially loading your auditd rules into Auditbeat, I got the following error messages:

Oct 01 12:55:55 myserver auditbeat[15223]: 2019-10-01T12:55:55.895+0200        ERROR        instance/beat.go:878        Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):56: failed to interpret rule '-a always,exit -F arch=b32 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch i386; at (audit_rules at auditbeat.yml):57: failed to interpret rule '-a always,exit -F arch=b64 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch x86_64 accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
Oct 01 12:55:55 myserver auditbeat[15223]: Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):56: failed to interpret rule '-a always,exit -F arch=b32 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch i386; at (audit_rules at auditbeat.yml):57: failed to interpret rule '-a always,exit -F arch=b64 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch x86_64 accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')

So I raised a post on Elastic forum (https://discuss.elastic.co/t/auditbeat-failed-loading-rules/201786) and the answer is:

Hm, I don't think there is a touch syscall?

Thoughts?
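The load failure above comes from the fact that touch(1) is a userland program, not a system call: it sets file times through utimensat(2) (older or static binaries may still use utimes(2), utime(2) or futimesat(2)), and auditd can only match on syscall names. The replacement rules below are an added example, not the project's own rule set; the auid filters are an assumption added to cut noise from system daemons.

```conf
## T1099 Timestomp (added example, not from the auditd-attack rule set)
## The original rule fails to load because 'touch' is not a syscall:
##   -a always,exit -F arch=b64 -S touch -k T1099_Timestomp
## touch(1) changes timestamps via utimensat(2); older tools may use
## utimes(2), utime(2) or futimesat(2), so all four are matched here.
## Check that each name resolves for the target arch before loading:
##   ausyscall x86_64 utimensat ; ausyscall i386 utimensat
-a always,exit -F arch=b64 -S utimensat,utimes,utime,futimesat -F auid>=1000 -F auid!=unset -k T1099_Timestomp
-a always,exit -F arch=b32 -S utimensat,utimes,utime,futimesat -F auid>=1000 -F auid!=unset -k T1099_Timestomp
## The auid filters (an assumption, not part of the original rule) drop
## events from daemons and sessions with no login uid; remove them to see
## every caller. Review matches with: ausearch -k T1099_Timestomp -i
```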

Addition of T1098.004

Replacing "-w /etc/ssh/sshd_config -k T1021_Remote_Services" with "-w /etc/ssh/sshd_config -p w -k T1098.004_SSH_Authorized_Keys" may better align with the updated framework.

There will be another stage for covering the actual /.ssh/authorized_keys file but the sshd_config file is also covered under this technique.

Thanks for the consideration and Great Work!

vmware tools filter

Hello,

Thanks for this nice set of auditd rules and filters. I'm currently testing them with Auditbeat.

Vmware tools doesn't seem to exist on the configured location on CentOS 7:

sudo locate vmware-tools
/etc/vmware-tools
/etc/vmware-tools/GuestProxyData
/etc/vmware-tools/guestproxy-ssl.conf
/etc/vmware-tools/poweroff-vm-default
/etc/vmware-tools/poweron-vm-default
/etc/vmware-tools/quiesce_manifest.xml
/etc/vmware-tools/resume-vm-default
/etc/vmware-tools/scripts
/etc/vmware-tools/statechange.subr
/etc/vmware-tools/suspend-vm-default
/etc/vmware-tools/vgauth
/etc/vmware-tools/vgauth.conf
/etc/vmware-tools/GuestProxyData/server
/etc/vmware-tools/GuestProxyData/trusted
/etc/vmware-tools/GuestProxyData/server/cert.pem
/etc/vmware-tools/GuestProxyData/server/key.pem
/etc/vmware-tools/scripts/vmware
/etc/vmware-tools/scripts/vmware/network
/etc/vmware-tools/vgauth/schemas
/etc/vmware-tools/vgauth/schemas/XMLSchema-hasFacetAndProperty.xsd
/etc/vmware-tools/vgauth/schemas/XMLSchema-instance.xsd
/etc/vmware-tools/vgauth/schemas/XMLSchema.dtd
/etc/vmware-tools/vgauth/schemas/XMLSchema.xsd
/etc/vmware-tools/vgauth/schemas/catalog.xml
/etc/vmware-tools/vgauth/schemas/datatypes.dtd
/etc/vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd
/etc/vmware-tools/vgauth/schemas/xenc-schema.xsd
/etc/vmware-tools/vgauth/schemas/xml.xsd
/etc/vmware-tools/vgauth/schemas/xmldsig-core-schema.xsd
## VMWare tools
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2

/usr/lib/vmware-tools should be updated to /etc/vmware-tools? Or /etc/vmware-tools could be added?

Layer2.json

Hey, I'm curious about your layer2.json file. What is it exactly used for? Is it a mapping in Logstash? Looking forward to your reply.
