From cd35bee3892a5f1629b39dcdb48d616fec54046b Mon Sep 17 00:00:00 2001
From: vahidmalekk <46035912+vahidmalekk@users.noreply.github.com>
Date: Mon, 3 Feb 2025 01:07:05 +0330
Subject: [PATCH 1/4] monitor execveat check this https://github.com/vahidmalekk/bypass-Neo23x0-auditd-config/
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/audit.rules b/audit.rules
index dd38f51..4301b34 100644
--- a/audit.rules
+++ b/audit.rules
@@ -790,6 +790,10 @@
 ## Root command executions
 -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
+## in memory file execution
+-a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation
+-a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation
 ## File Deletion Events by User
 -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete

From 01832c67809291c98898a21f878ec76ec41362a3 Mon Sep 17 00:00:00 2001
From: vahidmalekk <46035912+vahidmalekk@users.noreply.github.com>
Date: Sun, 9 Mar 2025 23:20:16 +0330
Subject: [PATCH 2/4] fixed the mistakes
---
 audit.rules | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/audit.rules b/audit.rules
index 4301b34..f99c13a 100644
--- a/audit.rules
+++ b/audit.rules
@@ -790,9 +790,9 @@
 ## Root command executions
 -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
-## in memory file execution
--a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation
--a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation
+## in memory file execution(https://github.com/vahidmalekk/bypass-Neo23x0-auditd-config)
+-a always,exit -F arch=b64 -F auid!=-1 -S execveat -k Memory-Process-creation
+-a always,exit -F arch=b32 -F auid!=-1 -S execveat -k Memory-Process-creation
 ## File Deletion Events by User
 -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete

From 8a166245636fcfc8ec92640abb876df7d632fc6d Mon Sep 17 00:00:00 2001
From: vahidmalekk <46035912+vahidmalekk@users.noreply.github.com>
Date: Tue, 15 Apr 2025 10:30:01 +0330
Subject: [PATCH 3/4] monitor apt config files
---
 audit.rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/audit.rules b/audit.rules
index f99c13a..3c41281 100644
--- a/audit.rules
+++ b/audit.rules
@@ -593,6 +593,9 @@
 -w /usr/bin/wajig -p x -k software_mgmt
 -w /usr/bin/snap -p x -k software_mgmt
+#monitor apt config file which attackers can used it for persistence
+-w /etc/apt/apt.conf.d/ -p wa -k apt_config
 # PIP(3) (Python installs)
 -w /usr/bin/pip -p x -k third_party_software_mgmt
 -w /usr/local/bin/pip -p x -k third_party_software_mgmt

From a3075ca4ba10650fa53a73ee9f427daf77351b25 Mon Sep 17 00:00:00 2001
From: vahidmalekk <46035912+vahidmalekk@users.noreply.github.com>
Date: Tue, 15 Apr 2025 11:44:37 +0330
Subject: [PATCH 4/4] monitor at jobs
---
 audit.rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/audit.rules b/audit.rules
index 3c41281..5ddc87b 100644
--- a/audit.rules
+++ b/audit.rules
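Review bot: The two `-S execveat` rules only see the execveat(2) entry point, so a memfd payload launched the other common way, execve("/proc/self/fd/N"), never matches them, while any ordinary execveat of an on-disk binary (fexecve, AT_FDCWD-relative exec) is logged under a key that calls it in-memory execution. I would also audit memfd_create so the anonymous file is recorded whichever exec path follows, correct the comment so it does not overstate what the syscall filter proves, and bring the key in line with the lowercase keys on the surrounding lines (`rootcmd`, `delete`) — `memfd_exec` rather than `Memory-Process-creation`. Dropping `-F auid>=1000` relative to the execve rule above is defensible for this technique, but expect memfd_create to be noisy on desktops where browsers and compositors use it legitimately; `-F auid!=-1` will not filter that out, so tune per fleet.

```conf
## execveat(2) calls: covers fexecve()/memfd_create() in-memory execution, which the execve rules above miss
-a always,exit -F arch=b64 -F auid!=-1 -S execveat -k memfd_exec
-a always,exit -F arch=b32 -F auid!=-1 -S execveat -k memfd_exec
## memfd_create(2): the anonymous file behind fileless execution, logged even when it is later run via execve("/proc/self/fd/N")
-a always,exit -F arch=b64 -F auid!=-1 -S memfd_create -k memfd_exec
-a always,exit -F arch=b32 -F auid!=-1 -S memfd_create -k memfd_exec
# … unchanged: File Deletion Events by User …
```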
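Review bot: The watch on `/etc/apt/apt.conf.d/` misses `/etc/apt/apt.conf` itself, which APT reads first and which accepts the same `APT::Update::Pre-Invoke`/`Post-Invoke` and `DPkg::Pre-Install-Pkgs` hooks that make the drop-in directory a persistence target; the same attacker can instead drop a repository into `/etc/apt/sources.list.d/` and a key into `/etc/apt/trusted.gpg.d/`, neither of which is watched here. The added comment `#monitor apt config file which attackers can used it for persistence` is ungrammatical and does not say what the attacker gains, which is the detail an analyst triaging the `apt_config` key needs. I would extend the block to the sibling paths and reword the comment as below.

```conf
# APT configuration: Pre-Invoke/Post-Invoke and DPkg::Pre-Install-Pkgs hooks in apt.conf(.d) run as root on every apt run (persistence);
# a rogue entry in sources.list(.d) plus a key in trusted.gpg.d lets an attacker install packages of their choosing
-w /etc/apt/apt.conf -p wa -k apt_config
-w /etc/apt/apt.conf.d/ -p wa -k apt_config
-w /etc/apt/sources.list -p wa -k apt_config
-w /etc/apt/sources.list.d/ -p wa -k apt_config
-w /etc/apt/trusted.gpg.d/ -p wa -k apt_config
# … unchanged: PIP(3) (Python installs) …
```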
@@ -177,6 +177,7 @@
 -w /etc/cron.weekly/ -p wa -k cron
 -w /etc/crontab -p wa -k cron
 -w /var/spool/cron/ -p wa -k cron
+-w /var/spool/cron/atjobs/ -p wa -k atjob
 ## User, group, password databases
 -w /etc/group -p wa -k etcgroup
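Review bot: The new `/var/spool/cron/atjobs/` watch is not redundant with the `/var/spool/cron/` line above it — as far as I recall a `-w` directory watch covers only direct entries and `-F dir=` is the recursive form — but nothing on the line says so, and the next reader may remove it as a duplicate; add `## at(1) job spool (Debian/Ubuntu path; the /var/spool/cron/ watch above is not recursive)` above it. The path is also distribution-specific: on RHEL/Fedora at(1) keeps jobs under `/var/spool/at/`, so pair it with `-w /var/spool/at/ -p wa -k atjob` for the file to be useful on both families. The `atjob` key differs from the `cron` key every other line in this section uses; that is fine if the split is deliberate, otherwise `-k cron` keeps at jobs in the same search as the spool they sit beside.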