From 58910767487923e0e70d1410e239c72765af2997 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 28 Jul 2023 15:11:28 +0200
Subject: [PATCH 1/5] Update audit.rules
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..bfb1608 100644
--- a/audit.rules
+++ b/audit.rules
@@ -341,6 +341,10 @@
 -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+## vte-2.91
+-a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+
 ## T1002 Data Compressed
 -w /usr/bin/zip -p x -k Data_Compressed
From 1b0426a812b43e425f4a5262de09eee923fc37e8 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 28 Jul 2023 15:20:42 +0200
Subject: [PATCH 2/5] Update audit.rules
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index 03ed184..dda5ca7 100644
--- a/audit.rules
+++ b/audit.rules
@@ -402,6 +402,10 @@
 -w /usr/bin/dbus-send -p x -k dbus_send
 -w /usr/bin/gdbus -p x -k gdubs_call
+### dbus
+-a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
 -w /usr/bin/pkexec -p x -k pkexec
From 9ff2eb90d57040daa7b42483942976dcaec71bec Mon Sep 17 00:00:00 2001
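Review bot: The two gnome-pty-helper rules added after the sssd proxy_child line use `-F auid>=1000`, while the sssd rules that are context in the same hunk use `-F auid>=500`, so the single key `T1078_Valid_Accounts` now fires at two different "real user" thresholds depending on which binary was executed; pick one value for the whole file and state in a comment which login.defs UID_MIN it assumes. The dbus-daemon-launch-helper rules in the second hunk (@@ -402,6 +402,10 @@) use the same `auid>=1000` value, so the same decision applies there. The `/lib64/...` and `/usr/lib64/...` entries most likely resolve to the same file on a merged-/usr host, which is harmless but deserves a one-line comment such as `## both paths kept for non-merged /usr layouts`. Since current vte releases may no longer ship gnome-pty-helper, confirm after loading (e.g. with `auditctl -l`) that a `-F path=` rule whose directory is absent is actually accepted on the target hosts rather than dropped.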
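Review bot: The `### dbus` header above the two dbus-daemon-launch-helper rules does not say what the rules are meant to catch, and its level differs from the `## vte-2.91` / `## pkexec invocation` style used for sibling sections, where `###` is reserved for the rationale line (`### may indicate privilege escalation CVE-2021-4034`). The launch helper is normally executed by the system dbus-daemon, whose login UID is presumably unset, so with `-F auid!=4294967295` these rules should only fire when a logged-in session runs the helper directly — that appears to be the intent, but the comment should say so. A pair of lines in the file's existing style would do, e.g. `## dbus-daemon-launch-helper` followed by `### execution with a login auid set means the privileged helper was run outside dbus-daemon`.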
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 29 Jul 2023 12:40:27 +0200
Subject: [PATCH 3/5] Update audit.rules
---
 audit.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index dda5ca7..b1637ed 100644
--- a/audit.rules
+++ b/audit.rules
@@ -403,8 +403,8 @@
 -w /usr/bin/gdbus -p x -k gdubs_call
 ### dbus
--a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
From de77ce90e4dbb34fc873d67c0ead07ed321aefd8 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 29 Jul 2023 12:42:23 +0200
Subject: [PATCH 4/5] Update audit.rules vte-2.91
---
 audit.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index bfb1608..68fdcaf 100644
--- a/audit.rules
+++ b/audit.rules
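Review bot: The lowering of the bound from `auid>=1000` to `auid>=500` on both dbus-daemon-launch-helper lines is not explained anywhere — the commit message is just "Update audit.rules" — and the same silent change is made to the gnome-pty-helper lines in PATCH 4/5 (@@ -342,8 +342,8 @@). The new value matches the sssd rules elsewhere in the file, but on hosts whose login.defs UID_MIN is 1000 the range 500–999 belongs to service accounts, so these rules will then tag non-interactive executions as `T1078_Valid_Accounts`. A comment at the head of the T1078 section would make the assumption auditable, e.g. `## auid>=500 assumes UID_MIN=500; raise to 1000 on hosts whose login.defs sets UID_MIN=1000`, and ideally the bound is derived from the host's login.defs when the rules are deployed. Separately, the context line `-k gdubs_call` looks like a typo for `gdbus_call`, though it is outside this change.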
@@ -342,8 +342,8 @@
 -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 ## vte-2.91
--a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/lib64/vte-2.91/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
 ## T1002 Data Compressed
From dfb7898b1e8bbfe6c57920121a0ddf5a4676a57e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 9 Jan 2024 21:53:06 +0100
Subject: [PATCH 5/5] Update audit.rules
fix: https://github.com/Neo23x0/auditd/issues/125
---
 audit.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit.rules b/audit.rules
index 03ed184..5160ddf 100644
--- a/audit.rules
+++ b/audit.rules
@@ -461,7 +461,7 @@
 ## Privilege Abuse
 ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
--a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
+-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
 # Socket Creations
 # will catch both IPv4 and IPv6
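Review bot: The rewritten power_abuse rule combines `-F auid=0` with `-F auid>=1000`; every `-F` field of a rule must match at the same time, so no event can satisfy both and the rule can never fire — auditctl does not check fields against each other, so this most likely loads without complaint and the detection silently disappears. The removed `-F uid=0 -F auid>=1000` pair expressed "process running as root, started from a session whose login user is a normal account", which together with `-C auid!=obj_uid` is exactly what the `### The purpose of this rule …` comment describes; if issue 125 identified a problem with `uid=0`, the fix has to replace one of the two auid filters rather than keep both, e.g. keep `-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse` if the intent is unchanged, and the comment should spell out why the process uid rather than the login uid is the one compared against 0. Independently, the `index 03ed184..5160ddf` line shows this patch, like PATCH 1/5 and 2/5, is based on the same parent blob 03ed184 rather than on the preceding patches, so the five do not apply as a linear series.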