Merge pull request #17 from mpurzynski/config_persistence_detection

Update the ruleset to detect attempts to achieve persistence

example_audit.rules

@@ -1,74 +1,84 @@
-# Delete all rules
+# [email protected]
+# [email protected]
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all previous rules.
 -D
-# Maximum amount of kernel buffers
--b 16384
-# Ignore loading errors, in case file path do not exist
+
+# Increase buffers to survive event spikes, without dropping events.
+# You can make this bigger for busy systems.
+# Value is x times an audit record size in kernel memory.
+# Large value may use quite a few megs of kernel memory.
+-b 32768
+
+# Ignore errors (if file path doesn't exists, for example, don't stop processing rules).
 -i
-# Rate limit to 1000 msg/sec
+
+## Enable the kernel audit subsystem.
+# 1 means the configuration can be modified.
+# 2 means immutable until reboot (only set 2 at the *end* of the rule file - else you'll shoot yourself in the foot)
+-e 1
+
+# Rate limit audit at the kernel level (msg/s)
 -r 1000
-
-# Syscall bypass
+
+## Generic logging
+# Log calls that may bypass normal syscalls calls
 -a always,exit -F arch=b64 -S personality -k bypass
 -a always,exit -F arch=b32 -S personality -k bypass
 
-# Whitelist command spam out of execve (optional)
-#-A exit,never -F dir=/usr/lib/nagios/plugins -F perm=x
-#-A exit,never -F dir=/usr/lib64/nagios/plugins -F perm=x
-#-A exit,never -F path=/opt/compaq/utils/usb-device.sh -F perm=x
-#-A exit,never -F path=/opt/hp/hp-snmp-agents/utils/usb-device.sh -F perm=x
-#-A exit,never -F path=/bin/ls -F perm=x
-#-A exit,never -F path=/bin/sh -F perm=x
-#-A exit,never -F path=/bin/grep -F perm=x
-#-A exit,never -F path=/bin/egrep -F perm=x
-#-A exit,never -F path=/bin/less -F perm=x
-#-A exit,never -F path=/usr/bin/lesspipe.sh -F perm=x
-#-A exit,never -F path=/usr/bin/tail -F perm=x
-#-A exit,never -F path=/sbin/consoletype -F perm=x
-#-A exit,never -F path=/bin/stty -F perm=x
-#-A exit,never -F path=/usr/bin/tty -F perm=x
-#-A exit,never -F path=/bin/tput -F perm=x
-#-A exit,never -F path=/usr/bin/file -F perm=x
-#-A exit,never -F path=/usr/bin/w -F perm=x
-#-A exit,never -F path=/bin/netstat -F perm=x
-#-A exit,never -F path=/bin/uname -F perm=x
-#-A exit,never -F path=/bin/basename -F perm=x
-#-A exit,never -F path=/usr/bin/which -F perm=x
-#-A exit,never -F path=/bin/netstat -F perm=x
-#-A exit,never -F path=/usr/bin/netstat -F perm=x
-#-A exit,never -F path=/bin/hostname -F perm=x
-#-A exit,never -F path=/usr/bin/wc -F perm=x
-#-A exit,never -F path=/usr/bin/gmetric -F perm=x
-#-A exit,never -F path=/sbin/ethtool -F perm=x
-#-A exit,never -F path=/usr/bin/sed -F perm=x
-#-A exit,never -F path=/bin/sed -F perm=x
-#-A exit,never -F path=/bin/ping -F perm=x
-#-A exit,never -F path=/sbin/lsmod -F perm=x
-#-A exit,never -F path=/bin/sleep -F perm=x
-#-A exit,never -F path=/bin/cut -F perm=x
-#-A exit,never -F path=/bin/touch -F perm=x
-#-A exit,never -F path=/bin/env -F perm=x
-
-# execve/processes audit
+## Exec logging
+# We're first excluding quite a few binaries from exec logging.
+# These are called often and do not provide significant value.
+-A exit,never -F dir=/usr/lib/nagios/plugins -F perm=x
+-A exit,never -F dir=/usr/lib64/nagios/plugins -F perm=x
+-A exit,never -F path=/opt/compaq/utils/usb-device.sh -F perm=x
+-A exit,never -F path=/opt/hp/hp-snmp-agents/utils/usb-device.sh -F perm=x
+-A exit,never -F path=/bin/grep -F perm=x
+-A exit,never -F path=/bin/egrep -F perm=x
+-A exit,never -F path=/bin/less -F perm=x
+-A exit,never -F path=/usr/bin/lesspipe.sh -F perm=x
+-A exit,never -F path=/usr/bin/tail -F perm=x
+-A exit,never -F path=/sbin/consoletype -F perm=x
+-A exit,never -F path=/bin/stty -F perm=x
+-A exit,never -F path=/usr/bin/tty -F perm=x
+-A exit,never -F path=/bin/tput -F perm=x
+-A exit,never -F path=/usr/bin/file -F perm=x
+-A exit,never -F path=/bin/basename -F perm=x
+-A exit,never -F path=/usr/bin/which -F perm=x
+-A exit,never -F path=/usr/bin/wc -F perm=x
+-A exit,never -F path=/usr/bin/gmetric -F perm=x
+-A exit,never -F path=/usr/bin/sed -F perm=x
+-A exit,never -F path=/bin/sed -F perm=x
+-A exit,never -F path=/bin/sleep -F perm=x
+-A exit,never -F path=/bin/cut -F perm=x
+# as we're getting the fork'd exec logged, so such programs as env are ok to exclude
+-A exit,never -F path=/bin/env -F perm=x
+
+# Setup the exec monitoring for all other cases
 -a exit,always -F arch=b64 -S execve -k exec
 -a exit,always -F arch=b32 -S execve -k exec
-
-# Record changes to audit config
+
+## Log changes to system configuration files.
+# Modify audit configuration
 -w /etc/audit/ -p wa -k audit
 -w /etc/audisp/ -p wa -k audit
 -w /etc/sysconfig/auditd -p wa -k audit
 -w /etc/libaudit.conf -p wa -k audit
-
-# Record changes to logger config
+ 
+# Modify logging configuration
 -w /etc/rsyslog.conf -p wa -k syslog
 -w /etc/rsyslog-ng/ -p wa -k syslog
 -w /etc/syslog.conf -p wa -k syslog
 -w /etc/syslog-ng.conf -p wa -k syslog
 -w /etc/syslog-ng/ -p wa -k syslog
--w /data/hekad/hekad.toml -p wa -k heka
--w /etc/hekad/hekad.toml -p wa -k heka
--w /etc/fluent/ -p wa -k fluentd
+w /etc/fluent/ -p wa -k syslog
 
-# Record changes to cron config
+# Modify cron
 -w /etc/cron.allow -p wa -k cron
 -w /etc/cron.deny -p wa -k cron
 -w /etc/cron.d/ -p wa -k cron
@@ -78,49 +88,107 @@
 -w /etc/cron.weekly/ -p wa -k cron
 -w /etc/crontab -p wa -k cron
 -w /var/spool/cron/root -p wa -k cron
-
-# Record changes to init systems config
+-w /var/spool/atspool
+-w /etc/at.allow
+-w /etc/at.deny
+
+# Modify startup
 -w /etc/rc.d/init.d/ -p wa -k init
 -w /sbin/init -p wa -k init
 -w /etc/inittab -p wa -k init
--w /etc/systemd -p wa -k init
+-w /etc/systemd/ -p wa -k init
+-w /etc/init.d/ -p wa -k init
 
-# Record changes to access control config
+# Modify PAM
 -w /etc/pam.d -p wa -k pam
--w /etc/security -p wa -k pam
--w /lib/security -p wa -k pam
--w /etc/sudoers -p wa -k user
-
-# Record changes to OpenSSH daemon config
--w /etc/sshd -p wa -k sshd
+-w /etc/security/ -p wa -k pam
+-w /lib/security/ -p wa -k pam
 
-# Record changes to user/passwords
+# Modify sudoers
+-w /etc/sudoers -p wa -k user
+
+# Modify SSHD
+-w /etc/sshd/ -p wa -k sshd
+
+# Users
 -w /etc/group -p wa -k user
 -w /etc/passwd -p wa -k user
 -w /etc/gshadow -p wa -k user
 -w /etc/shadow -p wa -k user
 -w /etc/security/opasswd -p wa -k user
-
-# Change clock
+-w /etc/sudoers -p wa -k user
+
+# Time changes
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -w /etc/localtime -p wa -k time-change
-
-# Linux kernel module loading
+ 
+# Module loading
 -a exit,always -F arch=b64 -S init_module -k module
 -a exit,always -F arch=b32 -S init_module -k module
-
-# kexec syscall (re-exec kernel)
+ 
+# Swapping kernel via kexec
 -a exit,always -F arch=b64 -S kexec_load -k kexec
 -a exit,always -F arch=b32 -S kexec_load -k kexec
 
-# Record changes to system binaries
--w /usr/bin -p wa -k binaries
--w /bin -p wa -k binaries
--w /usr/sbin -p wa -k binaries
--w /sbin -p wa -k binaries
--w /usr/local/bin -p wa -k binaries
--w /usr/local/sbin -p wa -k binaries
+# Attaching to processes
+-a exit,always -F arch=b64 -S ptrace -k trace
+-a exit,always -F arch=b32 -S ptrace -k trace
+
+# Changes to binaries (common locations)
+-w /usr/bin/ -p wa -k binaries
+-w /bin/ -p wa -k binaries
+-w /usr/sbin/ -p wa -k binaries
+-w /sbin/ -p wa -k binaries
+-w /usr/local/bin/ -p wa -k binaries
+-w /usr/local/sbin/ -p wa -k binaries
+
+# Changes to libraries (common locations)
+-w /lib/ -p wa -k binaries
+-w /lib32/ -p wa -k binaries
+-w /lib64/ -p wa -k binaries
+-w /usr/lib/ -p wa -k binaries
+-w /usr/lib32/ -p wa -k binaries
+-w /usr/lib64/ -p wa -k binaries
+-w /usr/local/lib/ -p wa -k binaries
+-w /usr/local/lib32/ -p wa -k binaries
+-w /usr/local/lib64/ -p wa -k binaries
+-w /usr/libexec/ -p wa -k binaries 
+-w /usr/local/libexec/ -p wa -k binaries
+
+# Important system files
+-w /etc/sysctl.conf -p wa -k binaries
+-w /etc/modprobe.conf
+-w /etc/modprobe.conf.local
+-w /etc/modprobe.d/ -p wa -k binaries
+-w /etc/modules-load.d/ -p wa -k binaries
+
+# Kernel modules
+-w /lib/modules/ -p wa -k binaries
+
+# Libc preload and linking configuration
+-w /etc/ld.so.conf -p wa -k binaries
+-w /etc/ld.so.conf.d -p wa -k binaries
+-w /etc/ld.so.preload -p wa -k binaries
+
+# System-wide shell profiles
+
+# AF_SECURITY
+-a exit,always -F arch=b64 -S socket -F a0=14 -k net
+# AF_KEY
+-a exit,always -F arch=b64 -S socket -F a0=15 -k net
+# AF_NETLINK
+-a exit,always -F arch=b64 -S socket -F a0=16 -k net
+# AF_PACKET
+-a exit,always -F arch=b64 -S socket -F a0=17 -k net
+# AF_LLC
+-a exit,always -F arch=b64 -S socket -F a0=26 -k net
+# AF_XDP
+-a exit,always -F arch=b64 -S socket -F a0=44 -k net
+# AF_INET + SOCK_RAW
+-a exit,always -F arch=b64 -S socket -F a1=3 -k net
+-a exit,always -F arch=b64 -S listen -k net
+
+# uncomment to temporarily disable auditd
+#-D
 
-# Enable auditd auditing
--e 1