Neo23x0 / auditd

Best Practice Auditd Configuration
Apache License 2.0

Whitespace escaping for Virtualbox rules #126

Closed juresaht2 closed 7 months ago

juresaht2 commented 10 months ago

The following lines are yielding a "parameter passed without an option given" error on my CentOS machine.

-w /Library/Application Support/VirtualBox/LaunchDaemons/ -p x -k virt_tool
-w /Library/Application Support/VirtualBox/VBoxDrv.kext/ -p x -k virt_tool
-w /Library/Application Support/VirtualBox/VBoxUSB.kext/ -p x -k virt_tool
-w /Library/Application Support/VirtualBox/VBoxNetFlt.kext/ -p x -k virt_tool
-w /Library/Application Support/VirtualBox/VBoxNetAdp.kext/ -p x -k virt_tool

https://github.com/Neo23x0/auditd/blob/master/audit.rules#L649

As these lines are intended to be for macOS anyway, I will just remove them, so I don't know if escaping the whitespace with \ is the solution or if this is even a bug that affects auditd on macOS.

Pierre-Gronau-ndaal commented 8 months ago

Please try this for your situation:

VirtualBox

https://github.com/Virtualbox-OSE/Virtualbox

-a always,exit -F arch=b32 -F path=/etc/default/virtualbox -F perm=wa -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/etc/default/virtualbox -F perm=wa -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/etc/init.d/vboxdrv -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/etc/init.d/vboxdrv -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/etc/init.d/virtualbox -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/etc/init.d/virtualbox -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/virtualbox -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/virtualbox -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/virtualbox -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/virtualbox -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/virt-manager -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/virt-manager -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/virt-manager -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/virt-manager -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/lib/udev/VBoxCreateUSBNode.sh -F perm=wax -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/lib/udev/VBoxCreateUSBNode.sh -F perm=wax -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/lib/udev/VBoxCreateUSBNode.sh -F perm=wax -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/lib/udev/VBoxCreateUSBNode.sh -F perm=wax -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/lib/udev/rules.d/60-virtualbox.rules -F perm=wa -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/lib/udev/rules.d/60-virtualbox.rules -F perm=wa -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/lib/udev/rules.d/60-virtualbox.rules -F perm=wa -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/lib/udev/rules.d/60-virtualbox.rules -F perm=wa -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/VBoxBalloonCtrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/VBoxBalloonCtrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/VBoxBalloonCtrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/VBoxBalloonCtrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/VBoxHeadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/VBoxHeadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/VBoxHeadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/VBoxHeadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/VBoxManage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/VBoxManage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/VBoxManage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/VBoxManage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/VBoxSDL -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/VBoxSDL -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/VBoxSDL -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/VBoxSDL -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vbox-img -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vbox-img -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vbox-img -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vbox-img -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vboxballoonctrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vboxballoonctrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vboxballoonctrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vboxballoonctrl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vboxheadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vboxheadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vboxheadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vboxheadless -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vboximg-mount -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vboximg-mount -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vboximg-mount -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vboximg-mount -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vboxmanage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vboxmanage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vboxmanage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vboxmanage -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vboxsdl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vboxsdl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vboxsdl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vboxsdl -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/bin/vboxwebsrv -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/bin/vboxwebsrv -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/usr/sbin/vboxwebsrv -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/usr/sbin/vboxwebsrv -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks

-a always,exit -F arch=b32 -F path=/etc/init.d/vboxadd-service -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -F path=/etc/init.d/vboxadd-service -F perm=x -F key=T1497_Virtualization_Sandbox_Evasion_System_Checks
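A small rules-file linter, added here as an example and not part of the issue thread or of the Neo23x0/auditd repository, that catches both problems seen above before a rules file is loaded: the "parameter passed without an option given" error from the first comment (a watch path containing whitespace is split into a path plus a stray parameter) and two rules sharing one line as in the rule set pasted above. It assumes that auditctl -R tokenizes each line on plain whitespace with no quote handling, and its option tables are a hand-picked subset of auditctl's.

```python
"""Lint audit.rules lines for the two defects visible in this issue:
a watch path with unescaped whitespace (part of the path becomes a stray
parameter) and several rules pasted onto one line.
Assumption: auditctl -R is modelled as whitespace splitting with no quote
handling; the option tables below are a subset of auditctl's options."""

# Options that take no argument; any other "-x" token is assumed to take one.
NO_ARG = {"-D", "-i", "-c", "-l", "-s", "-v", "-t", "-h", "--reset-lost"}
# Options that begin a new rule.
RULE_START = {"-a", "-A", "-w", "-W"}


def tokenize(line):
    """Drop a trailing comment and split on whitespace, as auditctl does."""
    return line.split("#", 1)[0].split()


def lint_line(line):
    """Return the problems found on one rules-file line ([] when clean)."""
    toks, problems = tokenize(line), []
    starts = [t for t in toks if t in RULE_START]
    if len(starts) > 1:
        problems.append(f"{len(starts)} rules on one line; split them")
    expect_option = True
    for tok in toks:
        if not expect_option:          # this token is the previous option's value
            expect_option = True
        elif not tok.startswith("-"):  # a value where an option was expected
            problems.append(f"parameter passed without an option given: {tok!r}")
        elif tok not in NO_ARG:        # an option that consumes the next token
            expect_option = False
    if not expect_option:
        problems.append("option at end of line is missing its argument")
    return problems


def split_rules(line):
    """Split a line carrying several rules into one rule per line."""
    rules, cur = [], []
    for tok in tokenize(line):
        if tok in RULE_START and cur:
            rules.append(" ".join(cur))
            cur = []
        cur.append(tok)
    return rules + [" ".join(cur)] if cur else rules


def lint_file(text):
    """Map 1-based line numbers to their problems; clean lines are omitted."""
    return {n: p for n, ln in enumerate(text.splitlines(), 1) if (p := lint_line(ln))}
```

Run lint_file over the contents of audit.rules before deploying it; a non-empty result is a line auditctl will reject or misread.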

juresaht2 commented 8 months ago

Someone else will have to test this as I have solved my issue by removing the rules.

Neo23x0 commented 7 months ago

I removed everything related to macOS. I don't want to support it with my config.