bfuzzy / auditd-attack Goto Github PK
View Code? Open in Web Editor NEWA Linux Auditd rule set mapped to MITRE's Attack Framework
License: MIT License
A Linux Auditd rule set mapped to MITRE's Attack Framework
License: MIT License
What is a performance impact of having so many audit.rules?
I'm getting this, when trying to apply a copy of the rules files:
-F unknown field: uid
There was an error in line 18 of /etc/audit/audit.rules
Error sending add rule data request (No such file or directory)
There was an error in line 83 of /etc/audit/audit.rules
The two offending lines are:
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
Not sure about the problem with the uid
, but the "No such file or directory" makes sense, because I don't have /usr/libexec/openssh/ssh-keysign
.
Commenting out those two lines worked for me. I suspect that this is related to my Linux distribution and version? If so, we should probably add a note about supported distros (or which distros the rules file has been tested on) to the README.
I'm on auditd
v2.8.2 and here are my OS details:
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
Hi,
I'm trying to run the auditd service with rules based on this Best Practice on Ubuntu 16.04 and i'm having some troubles-
I started with installing the auditd package with the command: "apt-get install auditd audispd-plugins".
Next, I switched the /etc/audit/audit.rules with my audit.rules file
And finally, I restarted the auditd service: "services auditd restart"
The problem:
When I'm running the "service auditd status" command I have this message-
Active: active (running) since ......
Process: 3728 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=1/FALIURE)
Please help me find the right solution.
Thank you,
AgentsOfShield
I have lost access to the original account but have migrated this repo to: https://github.com/bfuzzy1/auditd-attack
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.