add rule lnx_auditd_web_rce.yml

2024-11-07 01:45:21 +00:00 · 2019-10-21 11:54:21 +02:00 · 2019-10-21 11:54:21 +02:00 · e47caf4749
commit e47caf4749
parent a499141483
1 changed files with 18 additions and 10 deletions
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@ -1,18 +1,26 @@
-title: Webshell/RCE command execute detect status: experimental description: Posible command execute detect on web application/web shell
+title: Webshell/RCE command execute detect
+status: experimental
+description: Posible command execute detect on web application/web shell
 # You need to add to the config auditd.conf: 
-# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www 
-# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www 
-# change 33 to id you webserver user. default: 
-#www-data:x:33:33
+# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
+# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
+# change 33 to id you webserver user. default: www-data:x:33:33
 tags:
-    - attack.persistence references:
-    - personal experience author: Beyu Denis, oscd.community date: 2019/10/21 logsource:
+    - attack.persistence
+references:
+    - personal experience
+author: Beyu Denis, oscd.community
+date: 2019/10/12
+logsource:
    product: linux
-    service: auditd detection:
+    service: auditd
+detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'execve'
        key: 'detect_execve_www'
-    condition: selection falsepositives:
+    condition: selection
+falsepositives:
    - Admin activity
-    - Crazy web applications level: critical
+    - Crazy web applications
+level: critical