From 741ba79705edf79a94e810ba9609221118cf0e0b Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Wed, 21 Feb 2024 06:17:49 +0100
Subject: [PATCH] Update audit.rules dropbear
---
 audit.rules | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/audit.rules b/audit.rules
index 41b7e22..b13d724 100644
--- a/audit.rules
+++ b/audit.rules
@@ -243,6 +243,19 @@
 ## root ssh key tampering
 -w /root/.ssh -p wa -k rootkey
+### dropbear
+-a always,exit -F arch=b32 -F dir=/etc/dropbear/ -F perm=wa -F key=dropbear
+-a always,exit -F arch=b64 -F dir=/etc/dropbear/ -F perm=wa -F key=dropbear
+
+-a always,exit -F arch=b32 -F path=/etc/config/dropbear -F perm=wa -F key=dropbear
+-a always,exit -F arch=b64 -F path=/etc/config/dropbear -F perm=wa -F key=dropbear
+
+-a always,exit -F arch=b32 -F path=/etc/default/dropbear -F perm=wa -F key=dropbear
+-a always,exit -F arch=b64 -F path=/etc/default/dropbear -F perm=wa -F key=dropbear
+
+-a always,exit -F arch=b32 -F path=/lib/systemd/system/dropbear.service -F perm=wa -F key=dropbear
+-a always,exit -F arch=b64 -F path=/lib/systemd/system/dropbear.service -F perm=wa -F key=dropbear
+
 # Systemd
 -w /bin/systemctl -p x -k systemd
 -w /etc/systemd/ -p wa -k systemd
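Review bot: The added `dir=`/`path=` rules name locations that exist only where dropbear is installed, and no single host is likely to have all of them (`/etc/config/dropbear` is the OpenWrt location, `/etc/default/dropbear` the Debian one), so some of these rules will probably be rejected at load time on any given system. Unless the rules file sets `-i` or `-c` earlier, which this hunk does not show, loading may stop at the first rejected rule and leave the Systemd watches that follow unloaded; that is worth confirming before merging. A comment above the block would make the intent clear, for example `## dropbear paths differ per distribution; rules for absent paths are expected to fail to load`. The `/lib/systemd/system/dropbear.service` rule covers only a unit installed at that exact path, so a host that ships the unit elsewhere and has no `/lib` symlink would likely get no events from it. On style, the neighbouring rules use the `-w <path> -p wa -k <key>` form while this block uses `-a always,exit ... -F key=`; either is fine, but one form per file keeps the rule set easier to audit.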