  1. #!/bin/bash
  2.  
  3. # Automated Kernel Audit Script for Debian 12 Bookworm
  4. # Designed for high-security auditing
  5.  
  6. # Ensure the audit daemon is installed and running
  7. echo "Installing and starting the audit daemon..."
  8. sudo apt update && sudo apt install -y auditd
  9.  
  10. # Enable auditd to start on boot
  11. sudo systemctl enable auditd
  12. sudo systemctl start auditd
  13.  
  14. # Set auditctl rules for kernel modules, exec calls, and syscall executions
  15. echo "Setting up auditing rules..."
  16.  
  17. # Audit kernel module loading/unloading (insmod, rmmod, modprobe)
  18. sudo auditctl -w /sbin/insmod -p x -k kernel-modules
  19. sudo auditctl -w /sbin/rmmod -p x -k kernel-modules
  20. sudo auditctl -w /sbin/modprobe -p x -k kernel-modules
  21.  
  22. # Audit system calls related to execve for executable tracking
  23. sudo auditctl -a always,exit -F arch=b64 -S execve -k syscall-exec
  24. sudo auditctl -a always,exit -F arch=b32 -S execve -k syscall-exec
  25.  
  26. # Audit changes to critical system files (e.g., /etc, /bin, /sbin, /usr)
  27. sudo auditctl -w /etc -p wa -k config-changes
  28. sudo auditctl -w /bin -p wa -k bin-exec
  29. sudo auditctl -w /sbin -p wa -k sbin-exec
  30. sudo auditctl -w /usr -p wa -k usr-changes
  31.  
  32. # Audit for changes to user accounts (e.g., useradd, userdel, usermod)
  33. sudo auditctl -w /usr/sbin/useradd -p x -k user-modifications
  34. sudo auditctl -w /usr/sbin/userdel -p x -k user-modifications
  35. sudo auditctl -w /usr/sbin/usermod -p x -k user-modifications
  36.  
  37. # Audit for root privilege escalation attempts (e.g., sudo, su)
  38. sudo auditctl -w /usr/bin/sudo -p x -k sudo-exec
  39. sudo auditctl -w /bin/su -p x -k su-exec
  40.  
  41. # Audit system boot and shutdown logs
  42. sudo auditctl -w /var/log/boot.log -p wa -k boot-logs
  43. sudo auditctl -w /var/log/shutdown.log -p wa -k shutdown-logs
  44.  
  45. # Enable audit logging for all system calls (for comprehensive auditing)
  46. sudo auditctl -a always,exit -F arch=b64 -S all -k syscalls-all
  47. sudo auditctl -a always,exit -F arch=b32 -S all -k syscalls-all
  48.  
  49. # Start monitoring kernel activities in real-time
  50. echo "Starting real-time audit monitoring..."
  51. sudo ausearch -m avc -i &
  52.  
  53. # Check audit logs for any suspicious activities
  54. echo "Checking audit logs for suspicious activities..."
  55. sudo ausearch -k kernel-modules
  56. sudo ausearch -k syscall-exec
  57. sudo ausearch -k config-changes
  58. sudo ausearch -k bin-exec
  59. sudo ausearch -k sbin-exec
  60. sudo ausearch -k usr-changes
  61. sudo ausearch -k user-modifications
  62. sudo ausearch -k sudo-exec
  63. sudo ausearch -k su-exec
  64. sudo ausearch -k boot-logs
  65. sudo ausearch -k shutdown-logs
  66. sudo ausearch -k syscalls-all
  67.  
  68. # Print the status of the audit daemon
  69. echo "Audit daemon status:"
  70. sudo systemctl status auditd
  71.  
  72. echo "Audit configuration complete. Monitoring and logging in progress."
  73. echo "Done!"