bfuzzy / auditd-attack

A Linux Auditd rule set mapped to MITRE's Attack Framework
MIT License

Error in audit.rules #2

Open lennartkoopmann opened 6 years ago

lennartkoopmann commented 6 years ago

I'm getting this, when trying to apply a copy of the rules files:

-F unknown field: uid
There was an error in line 18 of /etc/audit/audit.rules
Error sending add rule data request (No such file or directory)
There was an error in line 83 of /etc/audit/audit.rules

The two offending lines are:

-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts

Not sure about the problem with the uid, but the "No such file or directory" makes sense, because I don't have /usr/libexec/openssh/ssh-keysign.

Commenting out those two lines worked for me. I suspect that this is related to my Linux distribution and version? If so, we should probably add a note about supported distros (or which distros the rules file has been tested on) to the README.

I'm on auditd v2.8.2 and here are my OS details:

NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

bfuzzy commented 6 years ago

@lennartkoopmann Thank you for noting this issue! I went ahead and commented out those affected rules in the ruleset until I get a chance to tinker with things.

And, you are most correct about establishing what flavors this has been tested on. I've been testing individual rules on Ubuntu 16, and an older version of Fedora. I need to put together a process and get updated / latest "greatest" and test the ruleset from there. It might just be a matter of creating separate rulesets across multiple different flavors of Linux and putting out rulesets based off those findings.

Time is pretty tight for me at the moment, but I am going to leave this issue open and will put updates in here related to my progress.

Thank you again! 👍

lennartkoopmann commented 6 years ago

Thanks! I'm running this against Ubuntu Server 18.04 and Ubuntu (Workstation) 18.04 and had to make a few adjustments. Adjusting exclusions for Firefox cache etc., too.

Happy to help with this going forward!

bfuzzy commented 6 years ago

Submit a pull! I'm always open to other people's ideas and thoughts!
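A pre-flight check for the two load failures reported in this issue, added here as an example and not part of the auditd-attack project: it comments out any rule whose watched path is absent on the host or whose symbolic user name is not in /etc/passwd, so a per-distro copy of the rules loads cleanly. The user-name check rests on an assumption the thread does not confirm, namely that an unresolvable `uid=chrony` (no chrony account on a stock Ubuntu 18.04) is what auditctl reported as `-F unknown field: uid`.

```shell
#!/bin/sh
# Pre-flight check for an auditd rules file before loading it with auditctl -R
# or augenrules, covering the two failure modes in this issue: a -w / -F path=
# target missing on the host ("No such file or directory"), and a symbolic
# user in -F uid=/auid=/euid=/suid=/fsuid= that is not in /etc/passwd
# (ASSUMPTION: the likely cause of "-F unknown field: uid" for uid=chrony on a
# host without a chrony account). Failing rules are written to OUT commented
# out with the reason; the count of skipped rules is printed on stdout.
check_audit_rules() {
    in="$1"; out="$2"; skipped=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" >> "$out"; continue ;;
        esac
        reason=""
        # Watched paths: "-w PATH" and "-F path=PATH" must exist on this host.
        for p in $(printf '%s\n' "$line" | grep -o -e '-F path=[^ ]*' -e '-w [^ ]*' |
                   sed 's/^-F path=//; s/^-w //'); do
            [ -e "$p" ] || reason="missing path $p"
        done
        # User fields: numeric ids and the special value "unset" (-1) pass;
        # any other value must be a user name present in /etc/passwd.
        for u in $(printf '%s\n' "$line" | grep -o -e '-F [a-z]*uid[!<>=][!<>=]*[^ ]*' |
                   sed 's/^-F [a-z]*uid[!<>=]*//'); do
            case "$u" in
                unset|-1) ;;
                *[!0-9]*) grep -q "^$u:" /etc/passwd || reason="unknown user $u" ;;
            esac
        done
        if [ -n "$reason" ]; then
            printf '# SKIPPED (%s): %s\n' "$reason" "$line" >> "$out"
            printf 'skipping rule (%s): %s\n' "$reason" "$line" >&2
            skipped=$((skipped + 1))
        else
            printf '%s\n' "$line" >> "$out"
        fi
    done < "$in"
    printf '%s\n' "$skipped"
}
# Constructed sample: the two rules from the issue plus two that should load.
tmpdir=$(mktemp -d)
cat > "$tmpdir/audit.rules" <<'EOF'
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-w /etc/passwd -p wa -k T1078_Valid_Accounts
-a always,exit -F arch=b64 -S execve -F euid=root -k exec
EOF
check_audit_rules "$tmpdir/audit.rules" "$tmpdir/audit.rules.checked"
```

The checked copy keeps every skipped rule as a `# SKIPPED (...)` comment, so the distro-specific gaps stay visible when the ruleset is reviewed later.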