Initial commit.

2021-05-24 22:18:33 +03:00
commit e2954d55f4
3701 changed files with 330017 additions and 0 deletions
--- a/audit/audit-stop.rules
+++ b/audit/audit-stop.rules
@@ -0,0 +1,8 @@
+# These rules are loaded when the audit daemon stops
+# if configured to do so.
+
+# Disable auditing
+-e 0
+
+# Delete all rules
+-D
--- a/audit/audit.rules
+++ b/audit/audit.rules
@@ -0,0 +1,85 @@
+## This file is automatically generated from /etc/audit/rules.d
+-D
+-b 8192
+-f 1
+--backlog_wait_time 60000
+-w /var/log/audit/ -k auditlog
+-w /etc/audit/ -p wa -k auditconfig
+-w /etc/libaudit.conf -p wa -k auditconfig
+-w /etc/audisp/ -p wa -k audispconfig
+-w /sbin/auditctl -p x -k audittools
+-w /sbin/auditd -p x -k audittools
+-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
+-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
+-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
+-a exit,always -F arch=b64 -S mount -S umount2 -k mount
+-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
+-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
+-w /etc/localtime -p wa -k localtime
+-w /usr/sbin/stunnel -p x -k stunnel
+-w /etc/cron.allow -p wa -k cron
+-w /etc/cron.deny -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/crontab -p wa -k cron
+-w /var/spool/cron/crontabs/ -k cron
+-w /etc/group -p wa -k etcgroup
+-w /etc/passwd -p wa -k etcpasswd
+-w /etc/gshadow -k etcgroup
+-w /etc/shadow -k etcpasswd
+-w /etc/security/opasswd -k opasswd
+-w /usr/bin/passwd -p x -k passwd_modification
+-w /usr/sbin/groupadd -p x -k group_modification
+-w /usr/sbin/groupmod -p x -k group_modification
+-w /usr/sbin/addgroup -p x -k group_modification
+-w /usr/sbin/useradd -p x -k user_modification
+-w /usr/sbin/usermod -p x -k user_modification
+-w /usr/sbin/adduser -p x -k user_modification
+-w /etc/login.defs -p wa -k login
+-w /etc/securetty -p wa -k login
+-w /var/log/faillog -p wa -k login
+-w /var/log/lastlog -p wa -k login
+-w /var/log/tallylog -p wa -k login
+-w /etc/hosts -p wa -k hosts
+-w /etc/network/ -p wa -k network
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+-w /etc/ld.so.conf -p wa -k libpath
+-w /etc/sysctl.conf -p wa -k sysctl
+-w /etc/modprobe.conf -p wa -k modprobe
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/security/limits.conf -p wa  -k pam
+-w /etc/security/pam_env.conf -p wa -k pam
+-w /etc/security/namespace.conf -p wa -k pam
+-w /etc/security/namespace.init -p wa -k pam
+-w /etc/puppetlabs/puppet/ssl -p wa -k puppet_ssl
+-w /etc/aliases -p wa -k mail
+-w /etc/postfix/ -p wa -k mail
+-w /etc/ssh/sshd_config -k sshd
+-a exit,always -F arch=b32 -S sethostname -k hostname
+-a exit,always -F arch=b64 -S sethostname -k hostname
+-w /etc/issue -p wa -k etcissue
+-w /etc/issue.net -p wa -k etcissue
+-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
+-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
+-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
+-w /bin/su -p x -k priv_esc
+-w /usr/bin/sudo -p x -k priv_esc
+-w /etc/sudoers -p rw -k priv_esc
+-w /sbin/halt -p x -k power
+-w /sbin/poweroff -p x -k power
+-w /sbin/reboot -p x -k power
+-w /sbin/shutdown -p x -k power
+-e 2
--- a/audit/audit.rules.prev
+++ b/audit/audit.rules.prev
@@ -0,0 +1,6 @@
+## This file is automatically generated from /etc/audit/rules.d
+-D
+-b 8192
+-f 1
+--backlog_wait_time 60000
+
--- a/audit/auditd.conf
+++ b/audit/auditd.conf
@@ -0,0 +1,39 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = root
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port = 60
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+transport = TCP
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no
+q_depth = 400
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d
--- a/audit/plugins.d/af_unix.conf
+++ b/audit/plugins.d/af_unix.conf
@@ -0,0 +1,14 @@
+
+# This file controls the configuration of the
+# af_unix socket plugin. It simply takes events
+# and writes them to a unix domain socket. This
+# plugin can take 2 arguments, the path for the
+# socket and the socket permissions in octal.
+
+active = no
+direction = out
+path = builtin_af_unix
+type = builtin 
+args = 0640 /var/run/audispd_events
+format = string
+
--- a/audit/plugins.d/af_wazuh.conf
+++ b/audit/plugins.d/af_wazuh.conf
@@ -0,0 +1 @@
+/var/ossec/etc/af_wazuh.conf
--- a/audit/rules.d/99-finalize.rules
+++ b/audit/rules.d/99-finalize.rules
@@ -0,0 +1 @@
+-e 2
--- a/audit/rules.d/audit.rules
+++ b/audit/rules.d/audit.rules
@@ -0,0 +1,204 @@
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 60000
+
+## Set failure mode to syslog
+-f 1
+
+###################
+# Audit the audit logs.
+###################
+-w /var/log/audit/ -k auditlog
+
+###################
+## Auditd configuration
+###################
+## Modifications to audit configuration that occur while the audit (check your paths)
+-w /etc/audit/ -p wa -k auditconfig
+-w /etc/libaudit.conf -p wa -k auditconfig
+-w /etc/audisp/ -p wa -k audispconfig
+
+###################
+# Monitor for use of audit management tools
+###################
+# Check your paths
+-w /sbin/auditctl -p x -k audittools
+-w /sbin/auditd -p x -k audittools
+
+###################
+# Special files
+###################
+-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
+-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
+
+###################
+# Mount operations
+###################
+-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
+-a exit,always -F arch=b64 -S mount -S umount2 -k mount
+
+###################
+# Changes to the time
+###################
+-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
+-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
+-w /etc/localtime -p wa -k localtime
+
+###################
+# Use of stunnel
+###################
+-w /usr/sbin/stunnel -p x -k stunnel
+
+###################
+# Schedule jobs
+###################
+-w /etc/cron.allow -p wa -k cron
+-w /etc/cron.deny -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/crontab -p wa -k cron
+-w /var/spool/cron/crontabs/ -k cron
+
+## user, group, password databases
+-w /etc/group -p wa -k etcgroup
+-w /etc/passwd -p wa -k etcpasswd
+-w /etc/gshadow -k etcgroup
+-w /etc/shadow -k etcpasswd
+-w /etc/security/opasswd -k opasswd
+
+###################
+# Monitor usage of passwd command
+###################
+-w /usr/bin/passwd -p x -k passwd_modification
+
+###################
+# Monitor user/group tools
+###################
+-w /usr/sbin/groupadd -p x -k group_modification
+-w /usr/sbin/groupmod -p x -k group_modification
+-w /usr/sbin/addgroup -p x -k group_modification
+-w /usr/sbin/useradd -p x -k user_modification
+-w /usr/sbin/usermod -p x -k user_modification
+-w /usr/sbin/adduser -p x -k user_modification
+
+###################
+# Login configuration and stored info
+###################
+-w /etc/login.defs -p wa -k login
+-w /etc/securetty -p wa -k login
+-w /var/log/faillog -p wa -k login
+-w /var/log/lastlog -p wa -k login
+-w /var/log/tallylog -p wa -k login
+
+###################
+# Network configuration
+###################
+-w /etc/hosts -p wa -k hosts
+-w /etc/network/ -p wa -k network
+
+###################
+## system startup scripts
+###################
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+
+###################
+# Library search paths
+###################
+-w /etc/ld.so.conf -p wa -k libpath
+
+###################
+# Kernel parameters and modules
+###################
+-w /etc/sysctl.conf -p wa -k sysctl
+-w /etc/modprobe.conf -p wa -k modprobe
+###################
+
+###################
+# PAM configuration
+###################
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/security/limits.conf -p wa  -k pam
+-w /etc/security/pam_env.conf -p wa -k pam
+-w /etc/security/namespace.conf -p wa -k pam
+-w /etc/security/namespace.init -p wa -k pam
+
+###################
+# Puppet (SSL)
+###################
+-w /etc/puppetlabs/puppet/ssl -p wa -k puppet_ssl
+
+###################
+# Postfix configuration
+###################
+-w /etc/aliases -p wa -k mail
+-w /etc/postfix/ -p wa -k mail
+###################
+
+###################
+# SSH configuration
+###################
+-w /etc/ssh/sshd_config -k sshd
+
+###################
+# Hostname
+###################
+-a exit,always -F arch=b32 -S sethostname -k hostname
+-a exit,always -F arch=b64 -S sethostname -k hostname
+
+###################
+# Changes to issue
+###################
+-w /etc/issue -p wa -k etcissue
+-w /etc/issue.net -p wa -k etcissue
+
+###################
+# Log all commands executed by root
+###################
+-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
+-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
+
+###################
+## Capture all failures to access on critical elements
+###################
+-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
+
+###################
+## su/sudo
+###################
+-w /bin/su -p x -k priv_esc
+-w /usr/bin/sudo -p x -k priv_esc
+-w /etc/sudoers -p rw -k priv_esc
+
+###################
+# Poweroff/reboot tools
+###################
+-w /sbin/halt -p x -k power
+-w /sbin/poweroff -p x -k power
+-w /sbin/reboot -p x -k power
+-w /sbin/shutdown -p x -k power
+
+###################
+# Make the configuration immutable
+###################
+-e 2
+
+# EOF