forked from openbsm/bsmtrace
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bsmtrace.conf
97 lines (86 loc) · 1.33 KB
/
bsmtrace.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#
# Define subject (or user) groupings
#
define set $fwadmins <auid> {
csjp;
};
#
# Define various event groups that we are interested in
#
define set $execution <auditevent> {
AUE_EXEC,
AUE_EXECVE;
};
define set $login <auditevent> {
AUE_openssh,
AUE_login,
AUE_su;
};
#
# Define our object (or file) groups
#
define set $trusteddirs <path> {
/bin,
/sbin,
/usr/bin,
/usr/sbin,
/usr/local/bin,
/usr/X11R6/bin,
/usr/local/sbin,
/usr/games;
};
define set $opendirs <path> {
/tmp,
/var/tmp;
};
define set $fwtools <path> {
/sbin/pfctl;
};
############################################################
#
# Define our state machines or actual "IDS signatures"
#
############################################################
sequence firewall.change.attempt {
subject not $fwadmins;
state {
event $execution;
object $fwtools;
status any;
};
};
sequence non.trusted.exec {
subject any;
state {
event $execution;
object not $trusteddirs;
status success;
};
};
sequence mktemp.race {
subject any;
state {
event <auditevent> { AUE_SYMLINK; };
object $opendirs;
status success;
};
};
sequence login.brute.force {
subject any;
state {
event $login;
status failure;
multiplier 2;
};
state {
event $login;
status success;
};
};
sequence login {
subject any;
state {
event $login;
status success;
};
};