Merge pull request 'install-script' (#7) from install-script into master

Reviewed-on: #7

scripts/install.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+
+
+# install yay
+cd ~
+git clone https://aur.archlinux.org/yay.git
+cd yay
+makepkg -si
+cd ..
+sudo rm -rf yay

services/aide/aide/aide.conf

@@ -0,0 +1,145 @@
+# Example configuration file for AIDE.
+#
+@@define DBDIR /var/lib/aide
+@@define LOGDIR /var/log/aide
+
+# The location of the database to be read.
+database=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.new.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+verbose=5
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+# 
+# Here are all the attributes we can check
+#p:       permissions
+#i:       inode
+#n:       number of links
+#l:       link name
+#u:       user
+#g:       group
+#s:       size
+###b:        block count
+#m:       mtime
+#a:       atime
+#c:       ctime
+#S:       check for growing size
+#I:       ignore changed filename
+#ANF:     allow new files
+#ARF:     allow removed files
+#
+
+# Here are all the digests we can use
+#md5:           md5 checksum
+#sha1:          sha1 checksum
+#sha256:        sha256 checksum
+#sha512:        sha512 checksum
+#rmd160:        rmd160 checksum
+#tiger:         tiger checksum
+#haval:         haval checksum
+#crc32:         crc32 checksum
+#gost:          gost checksum
+#whirlpool:     whirlpool checksum
+
+# These are the default rules 
+#R:             p+i+l+n+u+g+s+m+c+md5
+#L:             p+i+l+n+u+g
+#E:             Empty group
+#>:             Growing logfile p+l+u+g+i+n+S
+
+# You can create custom rules - my home made rule definition goes like this 
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+rmd160+sha256
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do md5 and sha256 hashes
+LSPP = R+sha256
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY =  p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
+
+
+# Next decide what directories/files you want in the database.
+
+/boot   NORMAL
+/bin    NORMAL
+/sbin   NORMAL
+/lib    NORMAL
+/lib64  NORMAL
+/opt    NORMAL
+/usr    NORMAL
+/root   NORMAL
+# These are too volatile
+!/usr/src
+!/usr/tmp
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/etc    PERMS
+!/etc/mtab
+# Ignore backup files
+!/etc/.*~
+/etc/exports  NORMAL
+/etc/fstab    NORMAL
+/etc/passwd   NORMAL
+/etc/group    NORMAL
+/etc/gshadow  NORMAL
+/etc/shadow   NORMAL
+/etc/security/opasswd   NORMAL
+
+/etc/hosts.allow   NORMAL
+/etc/hosts.deny    NORMAL
+
+/etc/sudoers NORMAL
+/etc/skel NORMAL
+
+/etc/logrotate.d NORMAL
+
+/etc/resolv.conf DATAONLY
+
+/etc/nscd.conf NORMAL
+/etc/securetty NORMAL
+
+# Shell/X starting files
+/etc/profile NORMAL
+/etc/bashrc NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/login.defs NORMAL
+/etc/zprofile NORMAL
+/etc/zshrc NORMAL
+/etc/zlogin NORMAL
+/etc/zlogout NORMAL
+/etc/profile.d/ NORMAL
+/etc/X11/ NORMAL
+
+# Ignore logs
+!/var/lib/pacman/.*
+!/var/cache/.*
+!/var/log/.*  
+!/var/run/.*  
+!/var/spool/.*

services/audit-framework/README.md

@@ -0,0 +1,39 @@
+# Audit Framework
+
+## Kernel
+
+To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
+
+## Userspace
+
+* Install the `audit` package, enable and start the `auditd.service`.
+* The config file is `auditd.conf`.
+* The rules are defined in `/etc/audit/audit.rules`.
+* `auditctl` can be used to edit rules on the fly.
+* `ausearch` and `aureport` are used to summarize and view data.
+
+
+## Rules
+
+* Read from `/etc/audit/auditd.rules`
+
+* If for example `/etc/audit/rules.d/syscalls.rules` is the sort of structure being followed,
+  `augenrules` is used to merge all the component rules files.
+    * It is recommended to run first with the `--check` flag and `--load` can be used if there were no errors found.
+    * The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.
+
+* rulesets:
+    * syscalls
+        * format: `-a action,list -S syscall -F field=value -k keyname`
+    * files
+        * format: `-w path-to-file -p permissions -k keyname`
+    * ..?
+
+
+
+## Further Reading
+
+* `man` pages (list here)
+* archwiki article
+* syscalls docs
+* update the format for rules

services/audit-framework/audit.md

@@ -1,13 +0,0 @@
-# Audit Framework
-
-## Kernel
-
-To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
-
-## Userspace
-
-* Install the `audit` package, enable and start the `auditd.service`.
-* The config file is `auditd.conf`.
-* The rules are defined in `/etc/audit/audit.rules`.
-* `auditctl` can be used to edit rules on the fly.
-* `ausearch` and `aureport` are used to summarize and view data.

services/audit-framework/auditd/.auread-aliases

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# aureport and ausearch
+
+alias aurepwk='aureport --start this-week'
+alias aurepwkv='aureport --start this-week --key --summary'
+
+# syscall audit rule for failure to open files due to EPERM with key field access
+
+# add to syscall.rules
+# -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
+
+# check which files have been attempted
+alias aurfilist='ausearch --start this-week -k access --raw | aureport --file --summary'
+
+# check the user accounts implicated 
+
+alias aurlusfi='ausearch --start this-week -k access --raw | aureport --user --summary'
+
+

services/audit-framework/auditd/rules.d/file.rules

@@ -0,0 +1,3 @@
+-w /etc/passwd -p rwxa
+-w /etc/sudoers -p rwxa
+-w /etc/nftables.conf -p rwxa

services/audit-framework/auditd/rules.d/syscalls.rules

@@ -0,0 +1,4 @@
+
+-a entry,always -S chmod
+-a entry,always -S chown
+