https://pastein.ru/t/D4y
Загрузка данных
# ignore errors
-i
# delete all rules
-D
# for busy systems
-b 8192
# disable kprint
-f 0
--backlog_wait_time 1
##############################
# Excludes #
##############################
# exclude paths
-a never,exit -F arch=b64 -S open,openat -F path=/proc/filesystems
-a never,exit -F arch=b32 -S open,openat -F path=/proc/filesystems
# These executable files may produce a large amount of events.
# exclude bins (x64)
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/bin/vmtoolsd
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/haproxy
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/cron
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-logind
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-logind
-a never,exit -F arch=b64 -S socket,connect,accept,open,openat -F exe=/usr/bin/zabbix_agentd
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/ps
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/top
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/htop
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/find
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/lib/systemd/systemd
# exclude bins (x32)
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/bin/vmtoolsd
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/haproxy
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/cron
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-logind
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-logind
-a never,exit -F arch=b32 -S socket,connect,accept4,open,openat -F exe=/usr/bin/zabbix_agentd
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/ps
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/top
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/htop
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/find
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/lib/systemd/systemd
##############################
# x64 syscalls #
##############################
# execute
-a always,exit -F arch=b64 -S execve,execveat -k pt_siem_execve
# network activities
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0x3 -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0xA -F a1=0x3 -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0xA -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0xA -F a1=0xA -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0x11 -k pt_siem_api_socket
-a always,exit -F arch=b64 -S connect -F a2=0x10 -k pt_siem_api_connect
-a always,exit -F arch=b64 -S connect -F a2=0x1C -k pt_siem_api_connect
#-a always,exit -F arch=b64 -S accept4 -k pt_siem_api_accept
#-a always,exit -F arch=b64 -S accept -k pt_siem_api_accept
-a always,exit -F arch=b64 -S listen -k pt_siem_api_listen
# file monitoring
-a always,exit -S all -F path=/etc/shadow -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/gshadow -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/passwd -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/group -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/security/opasswd -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/master.passwd -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/spwd.db -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/sudoers -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F dir=/etc/sudoers.d -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F dir=/etc/pam.d -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F dir=/var/log -F perm=wa -F auid!=-1 -k pt_siem_var_log_access
-a always,exit -S all -F dir=/home -F perm=rwa -F auid!=-1 -F auid>=1000 -C auid!=obj_uid -k pt_siem_home_access
-a always,exit -S open,openat -F dir=/proc -F filetype=file -F perm=r -F auid!=-1 -F key=pt_siem_proc
-w /etc -p wa -k pt_siem_etc_modify
-w /root -p rwa -k pt_siem_root_home_access
-w /var/www -p wa -k pt_siem_www_home_access
-w /var/spool/cron -p wa -k pt_siem_cron_modify
-w /var/spool/at -p wa -k pt_siem_cron_modify
-w /bin -p wa -k pt_siem_bin_modify
-w /usr/bin -p wa -k pt_siem_bin_modify
-w /sbin -p wa -k pt_siem_bin_modify
-w /usr/sbin -p wa -k pt_siem_bin_modify
-w /usr/local/bin -p wa -k pt_siem_bin_modify
-w /usr/local/sbin -p wa -k pt_siem_bin_modify
-w /usr/libexec -p wa -k pt_siem_bin_modify
-w /lib -p wa -k pt_siem_lib_modify
-w /lib64 -p wa -k pt_siem_lib_modify
-w /usr/lib -p wa -k pt_siem_lib_modify
-w /usr/lib64 -p wa -k pt_siem_lib_modify
-w /boot -p wa -k pt_siem_boot_modify
# capabilities, xattr, time change
-a always,exit -F arch=b64 -S capset -k pt_siem_api_caps
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -k pt_siem_api_xattr
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k pt_siem_api_time
# kernel modules, process trace, special permissions
-a always,exit -F arch=b64 -S init_module,delete_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b64 -S finit_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b64 -S ptrace -F a0=0x0 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0xd -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0xf -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x10 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x11 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x13 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4203 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4205 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4206 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4207 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -k pt_siem_api_setuid
##############################
# x32 syscalls #
##############################
# execute
-a always,exit -F arch=b32 -S execve,execveat -k pt_siem_execve
# capabilities, xattr, time change
-a always,exit -F arch=b32 -S capset -k pt_siem_api_caps
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr -k pt_siem_api_xattr
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k pt_siem_api_time
# kernel modules, process trace, special permissions
-a always,exit -F arch=b32 -S init_module,delete_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b32 -S finit_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b32 -S ptrace -F a0=0x0 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0xd -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0xf -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x10 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x11 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x13 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4203 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4205 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4206 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4207 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -k pt_siem_api_setuid
