18 changes: 14 additions & 4 deletions artifacts/definitions/SUSE/Linux/Events/NewFilesNoOwner.yaml
Expand Up @@ -23,11 +23,21 @@ sources:
sep="|"
)

// function to make audit keys from paths e.g. /var/log/ -> vrr_var_log
LET path2key(path) = "vrr_" + regex_replace(source=strip(string=path, prefix="/", suffix="/"), replace="_", re="/")

// ["/home", "/var/log"] -> ["-w /home -p w -k vrr_home", "-w /var/log -p w -k vrr_var_log"]
LET new_files_audit_rules = array(
a={ SELECT format(format='-w %s -p w -k vrr_unknown_uid_watch', args=_value)
a={ SELECT "-w " + _value + " -p w -k " + path2key(path=_value)
FROM foreach(row=directories) }
)

// ["/home", "/var/log"] -> "^vrr_home$|^vrr_var_log$"
LET new_files_audit_keys_regex = join(
array=array(a={ SELECT "^" + path2key(path=_value) + "$" FROM foreach(row=directories) }),
sep="|"
)

// cleans path with relpath - see https://pkg.go.dev/path/filepath#Rel
LET clean_path(path) = "/" + relpath(path=path, base="/")
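Review bot: The keys built by `path2key` on this hunk's `LET path2key(path) = ...` line are inserted unescaped into `new_files_audit_keys_regex`, so a directory name containing a regex metacharacter (`.`, `+`, `(`, `[`) yields a pattern that over-matches or fails to compile, and the `any(items=Tags, regex=...)` filter in the later hunk would then likely drop every event from that watch without any error in the output; the same construction is repeated in NewHiddenFile.yaml. Replacing every character outside `[A-Za-z0-9_]` instead of only `/` keeps the key regex-safe and the rule string free of whitespace, at the cost of key collisions for paths that differ only in punctuation: `LET path2key(path) = "vrr_" + regex_replace(source=strip(string=path, prefix="/", suffix="/"), replace="_", re="[^A-Za-z0-9_]")`. Separately, auditctl documents a 31-byte limit on `-k` keys, so a deep directory path can produce a key that is rejected and a watch that is never installed; whether the audit() plugin's own rule handling enforces the same limit is not visible here, but a comment on path2key recording the limit, e.g. `// NOTE: audit keys longer than 31 bytes may be rejected - keep watched paths short`, would be worth adding. The query continues outside the hunk.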

Expand All @@ -53,8 +63,8 @@ sources:
Uid, set(item=known_uids, field=Uid, value=TRUE)
FROM Artifact.Linux.Sys.Users()
} AS _update_known_uids
FROM audit(rules="-w /etc/passwd -p w -k vrr_unknown_uids_etc_passwd")
WHERE "vrr_unknown_uids_etc_passwd" IN Tags
FROM audit(rules="-w /etc/passwd -p wa -k vrr_etc_passwd")
WHERE "vrr_etc_passwd" IN Tags
AND Result = "success"
AND Summary.action = "opened-file"
AND log(message="/etc/passwd may have changed - reloading user uids", dedup=-1)
Expand All @@ -68,7 +78,7 @@ sources:
// and adds a mapping to inode_to_path for each new file.
LET new_file_events = SELECT _
FROM audit(rules=new_files_audit_rules)
WHERE "vrr_unknown_uid_watch" IN Tags
WHERE any(items=Tags, regex=new_files_audit_keys_regex)
AND Result = "success"
AND Summary.action = "opened-file"
AND Paths[-1].nametype = "CREATE"
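--- a/artifacts/definitions/SUSE/Linux/Events/NewHiddenFile.yaml
+++ b/artifacts/definitions/SUSE/Linux/Events/NewHiddenFile.yaml
@@ -16,9 +16,17 @@ parameters:
 
 sources:
 - query: |
+// function to make audit keys from paths e.g. /var/log/ -> vrr_var_log
+LET path2key(path) = "vrr_" + regex_replace(source=strip(string=path, prefix="/", suffix="/"), replace="_", re="/")
+
 LET audit_rules = array(
-a= { SELECT format(format='-w %s -p w -k vrr_hidden_files', args=_value)
-FROM foreach(row=directories) })
+a={ SELECT "-w " + _value + " -p w -k " + path2key(path=_value) FROM foreach(row=directories) })
+
+// ["/home", "/var/log"] -> "^vrr_home$|^vrr_var_log$"
+LET audit_keys_regex = join(
+array=array(a={ SELECT "^" + path2key(path=_value) + "$" FROM foreach(row=directories) }),
+sep="|"
+)
 
 LET isHidden(name) = if(
 condition=substr(str=name, start=0, end=1) = ".", then=true,
@@ -34,7 +42,7 @@ sources:
 basename(path=Paths[1].name) AS Filename,
 full_path(parent=Paths[0].name, name=Paths[1].name) AS Path
 FROM audit(rules=audit_rules)
-WHERE "vrr_hidden_files" IN Tags
+WHERE any(items=Tags, regex=audit_keys_regex)
 AND Result = "success"
 AND action =~ "opened-file|created-directory"
 AND Paths[1].nametype = "CREATE"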
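--- a/artifacts/definitions/SUSE/Linux/Events/UserAccount.yaml
+++ b/artifacts/definitions/SUSE/Linux/Events/UserAccount.yaml
@@ -9,7 +9,7 @@ type: CLIENT_EVENT
 sources:
 
 - query: |
-LET user_acct_rules = ("-w /etc/shadow -p wa -k vrr_etc_shadow", "-w /etc/passwd -p wa -k vrr_etc_modifications", "-w /etc/nsswitch.conf -p wa -k vrr_etc_nsswitch_conf")
+LET user_acct_rules = ("-w /etc/shadow -p wa -k vrr_etc_shadow", "-w /etc/passwd -p wa -k vrr_etc_passwd", "-w /etc/nsswitch.conf -p wa -k vrr_etc_nsswitch_conf")
 
 LET user_acct_log = SELECT timestamp(string=Timestamp) AS Time, Sequence,
 atoi(string=Process.PID) AS Pid,
@@ -18,7 +18,7 @@ sources:
 join(array=[Summary.action,Summary.object.type, Summary.object.primary], sep=" ") AS Action,
 Process.Title AS CmdLine
 FROM audit(rules=user_acct_rules)
-WHERE "vrr_etc_modifications" in Tags OR "vrr_etc_nsswitch_conf" in Tags OR "vrr_etc_shadow" in Tags
+WHERE "vrr_etc_passwd" in Tags OR "vrr_etc_nsswitch_conf" in Tags OR "vrr_etc_shadow" in Tags
 
 // Cache Uid -> Username mapping.
 LET usrs <= SELECT User, atoi(string=Uid) AS Uid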