trimstray / the-practical-linux-hardening-guide

This guide details creating a secure Linux production system. OpenSCAP (C2S/CIS, STIG).
MIT License

Auditd - Some invalid rules due to duplicates, some due to syntax #18

Open CircuitCipher opened 1 year ago

CircuitCipher commented 1 year ago

Auditd lremovexattr has duplicate rules because there are two 32 bit rules instead of one 32 and one 64

Record events that modify the system's discretionary access controls

lremovexattr

Here there are two b32 arch rules instead of one for 32 and one for 64

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Typo in ftruncate rule

Record unauthorized access attempts to files

ftruncate

Third rule down says 'exiu' instead of 'exit'

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
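Both defects above (an exact duplicate line, and an `-F` field name auditctl does not know) are cheap to catch before a rule file is loaded. The following linter is an added example, not part of the guide or this issue: it parses `-a always,exit` rule lines, flags repeated lines and unknown `-F` fields, and reports any syscall that lacks either its b32 or its b64 rule, which is how the duplicated b32 `lremovexattr` line shows up. `KNOWN_FIELDS` is an assumed subset of auditctl's field names, and `SAMPLE_RULES` is constructed from the lines quoted in the issue.

```python
import re
from collections import Counter

# Constructed sample: the three rule lines quoted in the issue (one duplicate, one typo).
SAMPLE_RULES = """
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
"""
# Field names auditctl accepts after -F; a subset sufficient for these rules (assumption).
KNOWN_FIELDS = {"arch", "auid", "uid", "euid", "gid", "egid", "exit", "key", "path", "dir", "perm", "success"}
FIELD_RE = re.compile(r"^([A-Za-z_]+)(>=|<=|!=|=|>|<)(.*)$")

def parse_rule(line):
    """Return (arch, syscalls, fields) from one '-a always,exit ...' rule line."""
    arch, syscalls, fields = None, set(), []
    toks = line.split()
    for flag, arg in zip(toks, toks[1:]):   # walk the line as flag/argument pairs
        if flag == "-S":
            syscalls.update(arg.split(","))
        elif flag == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"malformed -F argument: {arg!r}")
            fields.append(m.groups())       # (name, operator, value)
            if m.group(1) == "arch":
                arch = m.group(3)
    return arch, syscalls, fields

def lint_rules(text):
    """Return (line_no, message) findings; line 0 marks a rule-set-wide finding."""
    findings, seen, archs = [], Counter(), {}
    for n, line in enumerate(text.strip().splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        arch, syscalls, fields = parse_rule(line)
        findings += [(n, f"unknown field '{f[0]}'") for f in fields if f[0] not in KNOWN_FIELDS]
        seen[line.strip()] += 1             # exact repeat of an earlier line
        if seen[line.strip()] > 1:
            findings.append((n, "duplicate rule"))
        for sc in syscalls:
            archs.setdefault(sc, set()).add(arch)
    for sc, found in sorted(archs.items()):  # every syscall wants both a b32 and a b64 rule
        for missing in sorted({"b32", "b64"} - found):
            findings.append((0, f"{sc}: no {missing} rule"))
    return findings

if __name__ == "__main__":
    for line_no, msg in lint_rules(SAMPLE_RULES):
        print(f"line {line_no}: {msg}")
```

Run against a whole `/etc/audit/rules.d/*.rules` set, the missing-arch check also points out every syscall the file only audits on one ABI.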