admin / Syanpse-Vanguard
public
Syanpse-Vanguard / synapse-vanguard-v3 / agents / linux / audit.rules
2420 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | ## Synapse-Vanguard starter auditd ruleset — high-signal syscall visibility. ## Installed to /etc/audit/rules.d/synapse-vanguard.rules by install-linux-agent.sh. ## Each rule carries a -k key so events are easy to search/normalize. ## Tuned to be safe on servers; trim if a busy host generates too much volume. ## --- identity & credential stores ------------------------------------------- -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/group -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/sudoers -p wa -k priv_esc -w /etc/sudoers.d/ -p wa -k priv_esc ## --- ssh / auth config ------------------------------------------------------ -w /etc/ssh/sshd_config -p wa -k sshd_config -w /root/.ssh/ -p wa -k root_ssh_keys ## --- scheduled-task / persistence ------------------------------------------- -w /etc/crontab -p wa -k cron -w /etc/cron.d/ -p wa -k cron -w /etc/cron.daily/ -p wa -k cron -w /var/spool/cron/ -p wa -k cron -w /etc/systemd/system/ -p wa -k systemd_persistence -w /etc/rc.local -p wa -k init_persistence ## --- privilege escalation / process exec ----------------------------------- ## Command execution by real users (uid>=1000) and by root. -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec_user -a always,exit -F arch=b64 -S execve -F auid=0 -k exec_root ## setuid/setgid privilege changes -a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k priv_change ## --- kernel module tampering (rootkits) ------------------------------------- -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules ## --- anti-forensics / tamper detection -------------------------------------- -w /var/log/audit/ -p wa -k audit_tamper -w /var/log/ -p wa -k log_tamper ## time changes can hide activity -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time_change ## --- suspicious tooling ----------------------------------------------------- -w /usr/bin/nc -p x -k netcat -w /usr/bin/ncat -p x -k netcat -w /usr/bin/wget -p x -k remote_fetch -w /usr/bin/curl -p x -k remote_fetch ## Keep this rule LAST. Makes the config immutable until reboot (attackers can't ## silently unload rules). Comment out during tuning. ## -e 2 |