Hello,
When I try to load the following rules I got from https://github.com/bfuzzy1/auditd-attack
-a always,exit -F arch=b32 -S touch -k T1099_Timestomp
-a always,exit -F arch=b64 -S touch -k T1099_Timestomp
I get errors and auditbeat doesn't start:
Oct 01 12:55:55 myserver auditbeat[15223]: 2019-10-01T12:55:55.895+0200 ERROR instance/beat.go:878 Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):56: failed to interpret rule '-a always,exit -F arch=b32 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch i386; at (audit_rules at auditbeat.yml):57: failed to interpret rule '-a always,exit -F arch=b64 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch x86_64 accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
Oct 01 12:55:55 myserver auditbeat[15223]: Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):56: failed to interpret rule '-a always,exit -F arch=b32 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch i386; at (audit_rules at auditbeat.yml):57: failed to interpret rule '-a always,exit -F arch=b64 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch x86_64 accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
Not sure what's happening here. Disabled them for now.
Grtz
Willem
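The error says what is wrong: `touch` is a command, not a syscall, so auditctl/auditbeat cannot map it to a syscall number for either arch. As an added example (not from the original post or the auditd-attack repository), the Python script below parses `-a always,exit -F arch=... -S ...` rule lines and checks every `-S` name against a per-arch syscall table before the rules reach auditbeat; the table is a constructed subset for illustration (a real check would load it from the kernel's unistd headers or `ausyscall --dump`), and the replacement rule using `utimensat,utimes,utime,futimesat`, the syscalls touch(1) actually makes to change timestamps, is an assumption.

```python
"""Validate -S syscall names in auditctl-style rules before handing them to auditbeat.

Added example, not code from the original post or the auditd-attack project.
KNOWN_SYSCALLS is a constructed subset; on a real host load the full table,
e.g. from `ausyscall --dump` or the kernel's unistd headers.
"""
import shlex

# Constructed subset of the x86 syscall tables (names only). The point is that
# 'touch' is a userland command and never appears in a syscall table.
KNOWN_SYSCALLS = {
    "b32": {"open", "openat", "utime", "utimes", "utimensat", "futimesat", "execve"},
    "b64": {"open", "openat", "utime", "utimes", "utimensat", "futimesat", "execve"},
}
ARCH_NAME = {"b32": "i386", "b64": "x86_64"}


def parse_rule(rule):
    """Return (arch, [syscalls]) for a '-a always,exit ... -F arch=... -S ...' rule."""
    tokens = shlex.split(rule)
    arch, syscalls = None, []
    for i, tok in enumerate(tokens):
        if tok == "-F" and i + 1 < len(tokens) and tokens[i + 1].startswith("arch="):
            arch = tokens[i + 1].split("=", 1)[1]
        elif tok == "-S" and i + 1 < len(tokens):
            syscalls.extend(tokens[i + 1].split(","))  # auditctl accepts comma lists
    return arch, syscalls


def check_rule(rule):
    """Return error strings in auditbeat's wording; an empty list means the rule is clean."""
    arch, syscalls = parse_rule(rule)
    table = KNOWN_SYSCALLS.get(arch)
    if table is None:
        return [f"unknown or missing arch in rule {rule!r}"]
    # auditctl also accepts 'all' and raw syscall numbers for -S.
    return [f"unknown syscall '{s}' for arch {ARCH_NAME[arch]}"
            for s in syscalls if s != "all" and not s.isdigit() and s not in table]


# The two rules from the post, plus an assumed replacement that names the
# syscalls touch(1) uses to set file timestamps.
RULES = [
    "-a always,exit -F arch=b32 -S touch -k T1099_Timestomp",
    "-a always,exit -F arch=b64 -S touch -k T1099_Timestomp",
    "-a always,exit -F arch=b64 -S utimensat,utimes,utime,futimesat -k T1099_Timestomp",
]

if __name__ == "__main__":
    for r in RULES:
        errs = check_rule(r)
        print("FAIL" if errs else "OK  ", r, "; ".join(errs))
```

Running it over the `audit_rules` block of auditbeat.yml before a restart reports the same two `unknown syscall 'touch'` lines auditbeat logged, while the replacement rule passes.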