Neo23x0 · vahidmalekk · Feb 2, 2025 · Mar 9, 2025 · Apr 15, 2025 · Apr 15, 2025
diff --git a/audit.rules b/audit.rules
@@ -177,6 +177,7 @@
 -w /etc/cron.weekly/ -p wa -k cron
 -w /etc/crontab -p wa -k cron
 -w /var/spool/cron/ -p wa -k cron
+-w /var/spool/cron/atjobs/ -p wa -k atjob
 
 ## User, group, password databases
 -w /etc/group -p wa -k etcgroup
@@ -593,6 +594,9 @@
 -w /usr/bin/wajig -p x -k software_mgmt
 -w /usr/bin/snap -p x -k software_mgmt
 
+#monitor apt config file which attackers can  used it for persistence 
+-w /etc/apt/apt.conf.d/ -p wa -k apt_config
+
 # PIP(3) (Python installs)
 -w /usr/bin/pip -p x -k third_party_software_mgmt
 -w /usr/local/bin/pip -p x -k third_party_software_mgmt
@@ -790,6 +794,10 @@
 ## Root command executions
 -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
 
+## in memory file execution(https://github.com/vahidmalekk/bypass-Neo23x0-auditd-config)
+-a always,exit -F arch=b64  -F auid!=-1 -S execveat -k Memory-Process-creation
+-a always,exit -F arch=b32  -F auid!=-1 -S execveat -k Memory-Process-creation
+
 ## File Deletion Events by User
 -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete