
Commit fbbb1af

committed
feat(agent): expand auditd rules with log tampering and identity files
1 parent 272d2fa commit fbbb1af


1 file changed

+15
-5
lines changed


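--- a/agent/dependency/auditd_linux.go
+++ b/agent/dependency/auditd_linux.go
@@ -28,21 +28,30 @@ const auditRulesContent = `## UTMStack SIEM Audit Rules
 ## Additive rules - does not delete existing configuration
 
 # Monitor executed commands (critical for SIEM)
-# Filter: auid>=1000 (real users only), auid!=-1 (valid audit UID, excludes system processes)
--a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -k utmstack_exec
--a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=-1 -k utmstack_exec
+# Filter: auid>=1000 (real users only), auid!=4294967295 (valid audit UID, excludes system processes)
+-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k utmstack_exec
+-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k utmstack_exec
 
 # Privilege escalation
 -a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid -F auid>=1000 -k utmstack_priv
 -a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid,setresuid,setresgid -F auid>=1000 -k utmstack_priv
 
-# Sensitive file access
+# Sensitive file access (Identity)
 -w /etc/shadow -p wa -k utmstack_sensitive
 -w /etc/passwd -p wa -k utmstack_sensitive
+-w /etc/group -p wa -k utmstack_sensitive
+-w /etc/gshadow -p wa -k utmstack_sensitive
+
+# Sensitive file access (SSH & Sudo)
 -w /etc/sudoers -p wa -k utmstack_sensitive
 -w /etc/sudoers.d -p wa -k utmstack_sensitive
 -w /etc/ssh/sshd_config -p wa -k utmstack_sensitive
--w /root/.ssh -p wa -k utmstack_sensitive
+-w /root/.ssh -p rwa -k utmstack_sensitive
+
+# Log Tampering
+-w /var/log/wtmp -p wa -k utmstack_log_tampering
+-w /var/log/btmp -p wa -k utmstack_log_tampering
+-w /var/log/lastlog -p wa -k utmstack_log_tampering
 
 # Module loading
 -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k utmstack_modules
@@ -54,6 +63,7 @@ const auditRulesContent = `## UTMStack SIEM Audit Rules
 # Time changes
 -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k utmstack_time
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k utmstack_time
+-w /etc/localtime -p wa -k utmstack_time
 
 # Audit configuration changes
 -w /etc/audit -p wa -k utmstack_audit_config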
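Review bot: The `/root/.ssh` watch is the only rule in this set that carries a read permission (`-p rwa`, the replaced line under "Sensitive file access (SSH & Sudo)"), so any process that merely reads a file beneath that directory (sshd consulting authorized_keys on a key-based root login, for instance) now emits an event under the same `utmstack_sensitive` key as the shadow, passwd and sudoers watches, and reads cannot be separated from modifications downstream. Either keep `-p wa` like the sibling rules or give the read watch its own key, e.g. `-w /root/.ssh -p rwa -k utmstack_ssh_access`, and state the rationale in the comment above it. A related inconsistency in the unchanged context lines: the privilege-escalation rules filter on `-F auid>=1000` alone, and because an unset auid is 4294967295 it satisfies that comparison, so those rules still match the system processes the execve rules now exclude with `-F auid!=4294967295`; adding the same exclusion there would make the filtering consistent. The `auditRulesContent` constant begins before and continues after this hunk.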
