Skip to content

Commit

Permalink
XP rules added
Browse files Browse the repository at this point in the history
  • Loading branch information
@mikmxmv
mikmxmv committed May 4, 2023
1 parent 5345d31 commit abec582
Show file tree
Hide file tree
Showing 3,261 changed files with 100,247 additions and 0 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
23 changes: 23 additions & 0 deletions ...at/rules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/formula.xp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Triggered when a user-space group is added.

# <134>Oct 28 09:56:44 centos6 audispd: node=centos6 type=ADD_GROUP msg=audit(1446026204.056:543): user pid=1336 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group id=504 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=pts/0 res=success'
# <14>Apr 10 11:49:33 localhost audispd: node=localhost.localdomain type=ADD_GROUP msg=audit(1491803373.616:1038): pid=5640 uid=0 auid=1001 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=1003 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=pts/0 res=success'

TEXT = '{"<"NUMBER">"?} {time=DATETIME} {event_src.ip=IPV4|event_src.ip=IPV6|event_src.hostname=HOSTNAME|"(none)"|} audispd:
node={HOSTNAME} type=ADD_GROUP msg={STRING} {"user"?} pid={NUMBER} uid={NUMBER} auid={subject.id=NUMBER} ses={NUMBER}
subj={STRING} msg={"\'"?}op={STRING+} id={object.id=NUMBER} exe={STRING} hostname={"?"|IPV4|IPV6|src.hostname=HOSTNAME|}
addr={"?"|src.ip=IPV4|src.ip=IPV6|} terminal={STRING} res=success{"\'"?}'

subject = "account"
object = "user_group"
action = "create"
status = "success"

object.state = "New group was added"

importance = "info"

event_src.title = "unix_like"
event_src.category = "Operating system"

id = "PT_UNIX_like_auditd_syslog_add_group"
4 changes: 4 additions & 0 deletions ...s/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/i18n/i18n_en.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Description: 'A new user group was created on host'
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_add_group
EventDescription: 'The user with UID {subject.id} created a user group with GID {object.id} on host {event_src.host}'
3 changes: 3 additions & 0 deletions ...s/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/i18n/i18n_ru.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_add_group
EventDescription: 'Пользователь с UID {subject.id} создал группу с GID {object.id} на узле {event_src.host}'
4 changes: 4 additions & 0 deletions ...rules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/metainfo.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
EventDescriptions:
- Criteria: id = "PT_UNIX_like_auditd_syslog_add_group"
LocalizationId: PT_UNIX_like_auditd_syslog_add_group
ObjectId: PT-NF-4326
16 changes: 16 additions & 0 deletions ...les/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/tests/norm_1.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{
"action": "create",
"event_src.category": "Operating system",
"event_src.hostname": "centos6",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_add_group",
"importance": "info",
"object": "user_group",
"object.id": "504",
"object.state": "New group was added",
"src.ip": "192.168.56.1",
"status": "success",
"subject": "account",
"subject.id": "0",
"time": "2022-10-28T09:56:44.000Z"
}
15 changes: 15 additions & 0 deletions ...les/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/tests/norm_2.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"action": "create",
"event_src.category": "Operating system",
"event_src.hostname": "localhost",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_add_group",
"importance": "info",
"object": "user_group",
"object.id": "1003",
"object.state": "New group was added",
"status": "success",
"subject": "account",
"subject.id": "1001",
"time": "2023-04-10T11:49:33.000Z"
}
1 change: 1 addition & 0 deletions ...les/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/tests/raw_1.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<134>Oct 28 09:56:44 centos6 audispd: node=centos6 type=ADD_GROUP msg=audit(1446026204.056:543): user pid=1336 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group id=504 exe="/usr/sbin/groupadd" hostname=? addr=192.168.56.1 terminal=pts/0 res=success'
1 change: 1 addition & 0 deletions ...les/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_group/tests/raw_2.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<14>Apr 10 11:49:33 localhost audispd: node=localhost.localdomain type=ADD_GROUP msg=audit(1491803373.616:1038): pid=5640 uid=0 auid=1001 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=1003 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=pts/0 res=success'
23 changes: 23 additions & 0 deletions ...mat/rules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/formula.xp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Triggered when a user-space user account is added.

# <134>Oct 28 10:00:54 centos6 audispd: node=centos6 type=ADD_USER msg=audit(1446026454.514:579): user pid=1340 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=503 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
# <14>Apr 10 14:49:33 localhost audispd: node=localhost.localdomain type=ADD_USER msg=audit(1491814173.751:13392): pid=17359 uid=0 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'

TEXT = '{"<"NUMBER">"?} {time=DATETIME} {event_src.ip=IPV4|event_src.ip=IPV6|event_src.hostname=HOSTNAME|"(none)"|} audispd:
node={HOSTNAME} type=ADD_USER msg={STRING} {"user"?} pid={NUMBER} uid={NUMBER} auid={subject.id=NUMBER} ses={NUMBER}
subj={STRING} msg={"\'"?}op={STRING+} id={object.id=NUMBER} exe={STRING} hostname={"?"|IPV4|IPV6|src.hostname=HOSTNAME|}
addr={"?"|src.ip=IPV4|src.ip=IPV6|} terminal={STRING} res=success{"\'"?}'

subject = "account"
object = "account"
action = "create"
status = "success"

reason = "New user account added"

importance = "info"

event_src.title = "unix_like"
event_src.category = "Operating system"

id = "PT_UNIX_like_auditd_syslog_add_user"
4 changes: 4 additions & 0 deletions ...es/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/i18n/i18n_en.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Description: 'A new user account was created on host'
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_add_user
EventDescription: 'The user with UID {subject.id} created the user account with UID {object.id} on host {event_src.host}'
3 changes: 3 additions & 0 deletions ...es/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/i18n/i18n_ru.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_add_user
EventDescription: 'Пользователь с UID {subject.id} создал учетную запись с UID {object.id} на узле {event_src.host}'
4 changes: 4 additions & 0 deletions .../rules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/metainfo.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
EventDescriptions:
- Criteria: id = "PT_UNIX_like_auditd_syslog_add_user"
LocalizationId: PT_UNIX_like_auditd_syslog_add_user
ObjectId: PT-NF-4327
15 changes: 15 additions & 0 deletions ...ules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/tests/norm_1.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"action": "create",
"event_src.category": "Operating system",
"event_src.hostname": "centos6",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_add_user",
"importance": "info",
"object": "account",
"object.id": "503",
"reason": "New user account added",
"status": "success",
"subject": "account",
"subject.id": "0",
"time": "2022-10-28T10:00:54.000Z"
}
15 changes: 15 additions & 0 deletions ...ules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/tests/norm_2.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"action": "create",
"event_src.category": "Operating system",
"event_src.hostname": "localhost",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_add_user",
"importance": "info",
"object": "account",
"object.id": "1002",
"reason": "New user account added",
"status": "success",
"subject": "account",
"subject.id": "1000",
"time": "2023-04-10T14:49:33.000Z"
}
1 change: 1 addition & 0 deletions ...ules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/tests/raw_1.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<134>Oct 28 10:00:54 centos6 audispd: node=centos6 type=ADD_USER msg=audit(1446026454.514:579): user pid=1340 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=503 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
1 change: 1 addition & 0 deletions ...ules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/add_user/tests/raw_2.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<14>Apr 10 14:49:33 localhost audispd: node=localhost.localdomain type=ADD_USER msg=audit(1491814173.751:13392): pid=17359 uid=0 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'
25 changes: 25 additions & 0 deletions ...linux/system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/formula.xp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# <134>Oct 27 13:39:14 centos6 audispd: node=centos6 type=AVC msg=audit(1446713197.129:203): avc: denied { open } for pid=1563 comm="httpd" name="index.html" dev=dm-0 ino=264033 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

# <134>Oct 27 13:39:14 centos6 audispd: node=centos6 type=AVC msg=audit(1446713197.129:202): avc: denied { getattr } for pid=1563 comm="httpd" path="/var/html/manual/index.html" dev=dm-0 ino=264033 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

# <123>Sep 12 08:26:43 dhcp83-5 audispd: node=centos6 type=AVC msg=audit(1158064002.046:4): avc: denied { read } for pid=2496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file

TEXT = '{"<"NUMBER">"?} {time=DATETIME} {event_src.ip=IPV4|event_src.ip=IPV6|event_src.hostname=HOSTNAME|"(none)"|} audispd:
node={HOSTNAME} type=AVC msg={STRING} avc: denied {"{"} {object.state=WORDDASH} {"}"} for pid={subject.id=NUMBER}
comm={$sname=STRING} {"path="|"name="}{$oname=STRING} {datafield1=REST}'

subject = "application"
object = "file"
action = "access"
status = "failure"

subject.name = strip($sname, '\"', '\"')
object.name = strip($oname, '\"', '\"')

importance = "info"

event_src.subsys = "selinux"
event_src.title = "unix_like"
event_src.category = "Operating system"

id = "PT_UNIX_like_auditd_syslog_selinux_cmd_denied"
4 changes: 4 additions & 0 deletions ...ystem/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/i18n/i18n_en.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Description: 'The process access for file was denied on the host'
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_selinux_cmd_denied
EventDescription: 'The process "{subject.name}" is denied access to the file "{object.name}" on host {event_src.host}'
3 changes: 3 additions & 0 deletions ...ystem/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/i18n/i18n_ru.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_selinux_cmd_denied
EventDescription: 'Запрещен доступ к файлу {object.name} для процесса {subject.name} на узле {event_src.host}'
4 changes: 4 additions & 0 deletions ...ux/system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/metainfo.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
EventDescriptions:
- Criteria: id = "PT_UNIX_like_auditd_syslog_selinux_cmd_denied"
LocalizationId: PT_UNIX_like_auditd_syslog_selinux_cmd_denied
ObjectId: PT-NF-4345
18 changes: 18 additions & 0 deletions .../system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/tests/norm_1.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"action": "access",
"datafield1": "dev=dm-0 ino=264033 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file",
"event_src.category": "Operating system",
"event_src.hostname": "centos6",
"event_src.subsys": "selinux",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_selinux_cmd_denied",
"importance": "info",
"object": "file",
"object.name": "index.html",
"object.state": "open",
"status": "failure",
"subject": "application",
"subject.id": "1563",
"subject.name": "httpd",
"time": "2022-10-27T13:39:14.000Z"
}
18 changes: 18 additions & 0 deletions .../system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/tests/norm_2.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"action": "access",
"datafield1": "dev=dm-0 ino=264033 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file",
"event_src.category": "Operating system",
"event_src.hostname": "centos6",
"event_src.subsys": "selinux",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_selinux_cmd_denied",
"importance": "info",
"object": "file",
"object.name": "/var/html/manual/index.html",
"object.state": "getattr",
"status": "failure",
"subject": "application",
"subject.id": "1563",
"subject.name": "httpd",
"time": "2022-10-27T13:39:14.000Z"
}
18 changes: 18 additions & 0 deletions .../system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/tests/norm_3.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"action": "access",
"datafield1": "dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file",
"event_src.category": "Operating system",
"event_src.hostname": "dhcp83-5",
"event_src.subsys": "selinux",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_selinux_cmd_denied",
"importance": "info",
"object": "file",
"object.name": ".gdm1K3IFT",
"object.state": "read",
"status": "failure",
"subject": "application",
"subject.id": "2496",
"subject.name": "bluez-pin",
"time": "2022-09-12T08:26:43.000Z"
}
1 change: 1 addition & 0 deletions .../system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/tests/raw_1.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<134>Oct 27 13:39:14 centos6 audispd: node=centos6 type=AVC msg=audit(1446713197.129:203): avc: denied { open } for pid=1563 comm="httpd" name="index.html" dev=dm-0 ino=264033 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
1 change: 1 addition & 0 deletions .../system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/tests/raw_2.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<134>Oct 27 13:39:14 centos6 audispd: node=centos6 type=AVC msg=audit(1446713197.129:202): avc: denied { getattr } for pid=1563 comm="httpd" path="/var/html/manual/index.html" dev=dm-0 ino=264033 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
1 change: 1 addition & 0 deletions .../system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_denied/tests/raw_3.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<123>Sep 12 08:26:43 dhcp83-5 audispd: node=centos6 type=AVC msg=audit(1158064002.046:4): avc: denied { read } for pid=2496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
21 changes: 21 additions & 0 deletions ...inux/system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_granted/formula.xp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# <134>Oct 27 13:39:14 centos6 audispd: node=centos6 type=AVC msg=audit(1188833848.190:34): avc: granted { getattr } for pid=4310 comm="ls" name="foo.pp" dev=sda5 ino=295171 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=filetclass=process

TEXT = '{"<"NUMBER">"?} {time=DATETIME} {event_src.ip=IPV4|event_src.ip=IPV6|event_src.hostname=HOSTNAME|"(none)"|}
audispd: node={HOSTNAME} type=AVC msg={STRING} avc: granted {"{"} {object.state=WORDDASH} {"}"} for pid={subject.id=NUMBER}
comm={$sname=STRING} {"path="|"name="}{$oname=STRING} {datafield1=REST}'

subject = "application"
object = "file"
action = "access"
status = "success"

subject.name = strip($sname, '\"', '\"')
object.name = strip($oname, '\"', '\"')

importance = "info"

event_src.subsys = "selinux"
event_src.title = "unix_like"
event_src.category = "Operating system"

id = "PT_UNIX_like_auditd_syslog_selinux_cmd_granted"
4 changes: 4 additions & 0 deletions ...stem/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_granted/i18n/i18n_en.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Description: 'The process access for file was granted on the host'
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_selinux_cmd_granted
EventDescription: 'The process "{subject.name}" is granted access to the file "{object.name}" on host {event_src.host}'
3 changes: 3 additions & 0 deletions ...stem/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_granted/i18n/i18n_ru.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_selinux_cmd_granted
EventDescription: 'Разрешен доступ к файлу {object.name} для процесса {subject.name} на узле {event_src.host}'
4 changes: 4 additions & 0 deletions ...x/system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_granted/metainfo.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
EventDescriptions:
- Criteria: id = "PT_UNIX_like_auditd_syslog_selinux_cmd_granted"
LocalizationId: PT_UNIX_like_auditd_syslog_selinux_cmd_granted
ObjectId: PT-NF-4346
18 changes: 18 additions & 0 deletions ...system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_granted/tests/norm_1.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"action": "access",
"datafield1": "dev=sda5 ino=295171 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=filetclass=process",
"event_src.category": "Operating system",
"event_src.hostname": "centos6",
"event_src.subsys": "selinux",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_selinux_cmd_granted",
"importance": "info",
"object": "file",
"object.name": "foo.pp",
"object.state": "getattr",
"status": "success",
"subject": "application",
"subject.id": "4310",
"subject.name": "ls",
"time": "2022-10-27T13:39:14.000Z"
}
1 change: 1 addition & 0 deletions ...system/normalization_formulas/UNIX_like/auditd/syslog/selinux_cmd_granted/tests/raw_1.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<134>Oct 27 13:39:14 centos6 audispd: node=centos6 type=AVC msg=audit(1188833848.190:34): avc: granted { getattr } for pid=4310 comm="ls" name="foo.pp" dev=sda5 ino=295171 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=filetclass=process
35 changes: 35 additions & 0 deletions ...ules/linux/system/normalization_formulas/UNIX_like/auditd/syslog/service_start/formula.xp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# Triggered when a service is started.

# <134>Oct 28 10:12:48 centos6 audispd: node=centos6 type=SERVICE_START msg=audit(1337705954.274:38): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="bluetooth" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
# <14>Apr 10 11:47:10 localhost audispd: node=localhost.localdomain type=SERVICE_START msg=audit(1491803230.512:997): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
# <14>Dec 25 16:50:40 centos audispd: node=domen.ru type=SERVICE_START msg=audit(1514209840.270:435): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rsyslog comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success

TEXT = '{"<"NUMBER">"?} {time=DATETIME}
{event_src.ip=IPV4|event_src.ip=IPV6|event_src.hostname=HOSTNAME|"(none)"|} audispd:
node={IPV4|IPV6|HOSTNAME} type=SERVICE_START msg={STRING} {"user"?} pid={NUMBER}
uid={subject.account.id=NUMBER} auid={NUMBER} ses={NUMBER} subj={STRING} msg=\'
{$service=STRING?} comm={STRING} exe="{subject.process.fullpath=UNTIL("\\"")} hostname={src.hostname=HOSTNAME|"?"}
addr={src.ip=IPV4|src.ip=IPV6|"?"} terminal={STRING} res=success{REST}'

subject = "account"
action = "start"
object = "service"
status = "success"

$process_path_and_name = csv(subject.process.fullpath, "/", "")
subject.process.name = $process_path_and_name[length($process_path_and_name) - 1]
subject.process.path = strip(subject.process.fullpath, "", subject.process.name)

object.name = strip($service, "unit=", "")

importance = "info"

category.generic = "Service"
category.high = "Availability Management"
category.low = "Control"

event_src.title = "unix_like"
event_src.category = "Operating system"

id = "PT_UNIX_like_auditd_syslog_service_start"

6 changes: 6 additions & 0 deletions ...nux/system/normalization_formulas/UNIX_like/auditd/syslog/service_start/i18n/i18n_en.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
Description: 'UNIX-like service is enable on the host'
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_service_start_name
EventDescription: 'The user with UID {subject.id} started the service "{object.name}" on host {event_src.host}'
- LocalizationId: PT_UNIX_like_auditd_syslog_service_start_not_name
EventDescription: 'The user with UID {subject.id} started a service on host {event_src.host}'
5 changes: 5 additions & 0 deletions ...nux/system/normalization_formulas/UNIX_like/auditd/syslog/service_start/i18n/i18n_ru.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
EventDescriptions:
- LocalizationId: PT_UNIX_like_auditd_syslog_service_start_name
EventDescription: 'Пользователь с UID {subject.id} запустил службу "{object.name}" на узле {event_src.host}'
- LocalizationId: PT_UNIX_like_auditd_syslog_service_start_not_name
EventDescription: 'Пользователь с UID {subject.id} запустил службу на узле {event_src.host}'
8 changes: 8 additions & 0 deletions ...s/linux/system/normalization_formulas/UNIX_like/auditd/syslog/service_start/metainfo.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
EventDescriptions:
- Criteria: id = "PT_UNIX_like_auditd_syslog_service_start" and object.name !=
null
LocalizationId: PT_UNIX_like_auditd_syslog_service_start_name
- Criteria: id = "PT_UNIX_like_auditd_syslog_service_start" and object.name =
null
LocalizationId: PT_UNIX_like_auditd_syslog_service_start_not_name
ObjectId: PT-NF-4347
19 changes: 19 additions & 0 deletions ...linux/system/normalization_formulas/UNIX_like/auditd/syslog/service_start/tests/norm_1.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"action": "start",
"category.generic": "Service",
"category.high": "Availability Management",
"category.low": "Control",
"event_src.category": "Operating system",
"event_src.hostname": "centos6",
"event_src.title": "unix_like",
"id": "PT_UNIX_like_auditd_syslog_service_start",
"importance": "info",
"object": "service",
"status": "success",
"subject": "account",
"subject.account.id": "0",
"subject.process.fullpath": "/usr/lib/systemd/systemd",
"subject.process.name": "systemd",
"subject.process.path": "/usr/lib/systemd/",
"time": "2022-10-28T10:12:48.000Z"
}
Loading

0 comments on commit abec582

Please sign in to comment.