1 ## These rules watch for code injection by the ptrace facility.
2 ## This could indicate someone trying to do something bad or
5 #-a always,exit -F arch=b32 -S ptrace -F key=tracing
6 #-a always,exit -F arch=b64 -S ptrace -F key=tracing
7 -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
8 -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
9 -a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
10 -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
11 -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
12 -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
13 -a always,exit -F arch=b64 -S ptrace -F key=64bit_ptrace
14 -a always,exit -F arch=b32 -S ptrace -F key=32bit_ptrace
15 -a always,exit -F arch=b32 -S tgkill -F key=32bit_tgkill
16 -a always,exit -F arch=b64 -S tgkill -F key=64bit_tgkill
17 -a always,exit -F arch=b32 -S tkill -F key=32bit_tkill
18 -a always,exit -F arch=b64 -S tkill -F key=64bit_tkill
19 -a always,exit -F arch=b32 -S kill -F key=32bit_kill
20 -a always,exit -F arch=b64 -S kill -F key=64bit_kill
21 -a always,exit -F arch=b32 -S prlimit64 -F key=32bit_prlimit64
22 -a always,exit -F arch=b64 -S prlimit64 -F key=64bit_prlimit64
23 -a always,exit -F arch=b32 -S unshare -F key=32bit_unshare
24 -a always,exit -F arch=b64 -S unshare -F key=64bit_unshare
25 {% if ansible_architecture not in ['aarch64'] %}
26 -a always,exit -F arch=b32 -S set_thread_area -F key=32bit_set_thread_area
27 -a always,exit -F arch=b64 -S set_thread_area -F key=64bit_set_thread_area
29 -a always,exit -F arch=b32 -S sched_setattr -F key=32bit_sched_setattr
30 -a always,exit -F arch=b64 -S sched_setattr -F key=64bit_sched_setattr
31 -a always,exit -F arch=b32 -S pivot_root -F key=32bit_pivot_root
32 -a always,exit -F arch=b64 -S pivot_root -F key=64bit_pivot_root
33 -a always,exit -F arch=b32 -S setns -F key=32bit_setns
34 -a always,exit -F arch=b64 -S setns -F key=64bit_setns
Code Review / ta / infra-ansible.git / blob