#
# DISCLAIMER
#
# USE AT YOUR OWN RISK.
#
# THIS RULESET COMES WITH NO WARRANTIES OF ANY FORM.
#
# Purpose: audit rules that surface the common process-injection
# primitives on Linux (writes into another process's memory via
# /proc/<pid>/mem, ptrace, and process_vm_writev). Matching events are
# tagged with the keys "code_injection" and "ptrace", so they can be
# pulled out with e.g. `ausearch -k code_injection`.
#
# Rule order matters: audit evaluates syscall rules in list order, so
# the request-specific ptrace rules are kept ahead of the catch-all
# ptrace rule in each arch section to get the more specific key.
#
# /proc/$pid/mem and /proc/self/mem
# WARNING: generates a lot of noise
# NOTE: this is a watch on the whole /proc/ tree for write attempts, not
# only on the mem files, which is where the noise comes from.
# NOTE(review): auditd path watches on procfs (a pseudo-filesystem) are
# not guaranteed to fire for dynamically created entries - confirm with
# `auditctl -l` and a controlled write test on the target kernel.
-w /proc/ -p w -k code_injection
## 32 bits
## arch=b32 matches the 32-bit syscall ABI; on a 64-bit host these rules
## are still needed to see i386-ABI callers.
# ptrace: POKETEXT, POKEDATA, POKEUSER (memory writes)
# a0 is the ptrace request: PTRACE_POKETEXT=4, PTRACE_POKEDATA=5,
# PTRACE_POKEUSER=6
-a always,exit -F arch=b32 -S ptrace -F a0=4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=5 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=6 -k code_injection
# ptrace: SETREGS, SETREGSET (execution flow redirection)
# PTRACE_SETREGS=13, PTRACE_SETREGSET=0x4205
-a always,exit -F arch=b32 -S ptrace -F a0=13 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x4205 -k code_injection
# ptrace: in general
# Catch-all for every other ptrace request (attach, peek, cont, ...);
# tagged with its own key so it can be filtered separately from the
# memory-write cases above.
-a always,exit -F arch=b32 -S ptrace -k ptrace
# process_vm_writev
# Direct cross-process memory write without ptrace attach.
-a always,exit -F arch=b32 -S process_vm_writev -k code_injection
## 64 bits
## Same rule set for the native 64-bit syscall ABI.
# ptrace: POKETEXT, POKEDATA, POKEUSER (memory writes)
# a0 is the ptrace request: PTRACE_POKETEXT=4, PTRACE_POKEDATA=5,
# PTRACE_POKEUSER=6
-a always,exit -F arch=b64 -S ptrace -F a0=4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=5 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=6 -k code_injection
# ptrace: SETREGS, SETREGSET (execution flow redirection)
# PTRACE_SETREGS=13, PTRACE_SETREGSET=0x4205
-a always,exit -F arch=b64 -S ptrace -F a0=13 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4205 -k code_injection
# ptrace: in general
# Catch-all for every other ptrace request; separate key "ptrace".
-a always,exit -F arch=b64 -S ptrace -k ptrace
# process_vm_writev
# Direct cross-process memory write without ptrace attach.
-a always,exit -F arch=b64 -S process_vm_writev -k code_injection