Created November 13, 2018 10:46
/etc/auditbeat/audit.rules.d/sample-rules-linux-64bit.conf
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi

## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec

## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
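A small parser for this rule format, added here as an example (it is not part of the gist or of auditbeat), that loads the rules above and answers the questions worth checking before deploying them: does every rule carry a key, which keys would fire for a given syscall on each ABI, and which files are watched. The sample input is a constructed copy of the rules above; `AuditRule`, `parse_rules` and the helper names are this example's own.

```python
"""Parse auditd rules (the audit.rules.d format) and check their coverage."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the gist's rules, used as sample input.
SAMPLE_RULES = """
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
"""

@dataclass
class AuditRule:
    action: Optional[str] = None   # "-a always,exit" for syscall rules
    path: Optional[str] = None     # "-w <file>" for watch rules
    perms: Optional[str] = None    # "-p wa" on watch rules
    arch: Optional[str] = None     # from "-F arch=b32|b64"
    syscalls: list = field(default_factory=list)   # from "-S a,b,c"
    filters: list = field(default_factory=list)    # other "-F" expressions
    key: Optional[str] = None      # from "-k key" or "-F key=key"

def parse_rules(text: str) -> list:
    """One AuditRule per non-comment line; every option takes one argument."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        rule = AuditRule()
        for opt, arg in zip(toks[::2], toks[1::2]):
            if opt == "-a": rule.action = arg
            elif opt == "-w": rule.path = arg
            elif opt == "-p": rule.perms = arg
            elif opt == "-S": rule.syscalls += arg.split(",")
            elif opt == "-k": rule.key = arg
            elif opt == "-F" and arg.startswith("arch="): rule.arch = arg[5:]
            elif opt == "-F" and arg.startswith("key="): rule.key = arg[4:]
            elif opt == "-F": rule.filters.append(arg)
        rules.append(rule)
    return rules

def rules_without_key(rules) -> list:
    """Rules with no key cannot be told apart when searching the audit log."""
    return [r for r in rules if r.key is None]

def keys_for_syscall(rules, syscall: str, arch: str = "b64") -> list:
    """Keys of the syscall rules that fire for `syscall` on `arch`; '-S all' matches any."""
    return [r.key for r in rules if r.action and r.arch == arch
            and ("all" in r.syscalls or syscall in r.syscalls)]

def watched_paths(rules) -> list:
    return [r.path for r in rules if r.path]
```

Because the first rule uses `-S all` for `arch=b32`, `keys_for_syscall(rules, "execve", arch="b32")` returns only `32bit-abi`, which is exactly the signal the comment above that rule describes.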