Catalyst / admin/Syanpse-Vanguard 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Syanpse-Vanguard

public
Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Syanpse-Vanguard / synapse-vanguard-v3 / agents / linux / audit.rules 2420 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
## Synapse-Vanguard starter auditd ruleset — high-signal syscall visibility.
## Installed to /etc/audit/rules.d/synapse-vanguard.rules by install-linux-agent.sh.
## Each rule carries a -k key so events are easy to search/normalize.
## Tuned to be safe on servers; trim if a busy host generates too much volume.

## --- identity & credential stores -------------------------------------------
-w /etc/passwd    -p wa -k identity
-w /etc/shadow    -p wa -k identity
-w /etc/group     -p wa -k identity
-w /etc/gshadow   -p wa -k identity
-w /etc/sudoers   -p wa -k priv_esc
-w /etc/sudoers.d/ -p wa -k priv_esc

## --- ssh / auth config ------------------------------------------------------
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /root/.ssh/          -p wa -k root_ssh_keys

## --- scheduled-task / persistence -------------------------------------------
-w /etc/crontab      -p wa -k cron
-w /etc/cron.d/      -p wa -k cron
-w /etc/cron.daily/  -p wa -k cron
-w /var/spool/cron/  -p wa -k cron
-w /etc/systemd/system/ -p wa -k systemd_persistence
-w /etc/rc.local     -p wa -k init_persistence

## --- privilege escalation / process exec -----------------------------------
## Command execution by real users (uid>=1000) and by root.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec_user
-a always,exit -F arch=b64 -S execve -F auid=0 -k exec_root
## setuid/setgid privilege changes
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k priv_change

## --- kernel module tampering (rootkits) -------------------------------------
-w /sbin/insmod  -p x -k modules
-w /sbin/rmmod   -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

## --- anti-forensics / tamper detection --------------------------------------
-w /var/log/audit/ -p wa -k audit_tamper
-w /var/log/       -p wa -k log_tamper
## time changes can hide activity
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time_change

## --- suspicious tooling -----------------------------------------------------
-w /usr/bin/nc      -p x -k netcat
-w /usr/bin/ncat    -p x -k netcat
-w /usr/bin/wget    -p x -k remote_fetch
-w /usr/bin/curl    -p x -k remote_fetch

## Keep this rule LAST. Makes the config immutable until reboot (attackers can't
## silently unload rules). Comment out during tuning.
## -e 2