Auditbeat failed loading rules

Hello,

When I try to load the following rules I got from https://github.com/bfuzzy1/auditd-attack

-a always,exit -F arch=b32 -S touch -k T1099_Timestomp
-a always,exit -F arch=b64 -S touch -k T1099_Timestomp

I get errors and auditbeat doesn't start:

Oct 01 12:55:55 myserver auditbeat[15223]: 2019-10-01T12:55:55.895+0200        ERROR        instance/beat.go:878        Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):56: failed to interpret rule '-a always,exit -F arch=b32 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch i386; at (audit_rules at auditbeat.yml):57: failed to interpret rule '-a always,exit -F arch=b64 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch x86_64 accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
Oct 01 12:55:55 myserver auditbeat[15223]: Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):56: failed to interpret rule '-a always,exit -F arch=b32 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch i386; at (audit_rules at auditbeat.yml):57: failed to interpret rule '-a always,exit -F arch=b64 -S touch -k T1099_Timestomp': failed to add syscall 'touch': unknown syscall 'touch' for arch x86_64 accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')

Not sure what's happening here. Disabled them for now.

Grtz

Willem

Hm, I don't think there is a touch syscall?

Created https://github.com/bfuzzy1/auditd-attack/issues/2
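As an added example (not code from this thread or from the auditd-attack project), a small Python validator that catches this class of error before Auditbeat does: it parses auditctl-style rule lines and checks every `-S` name against a per-arch syscall table, reporting the same "unknown syscall for arch" condition seen in the log above. The table here is a constructed, illustrative subset (an assumption for this example); the complete per-arch tables live in Auditbeat and in the audit package's `ausyscall`.

```python
import shlex

# Constructed, illustrative subset of the Linux syscall tables (assumption: not the
# full list; Auditbeat and the audit package's `ausyscall` carry the complete tables).
# "touch" is absent on purpose: it is a userspace program that calls utimensat().
KNOWN_SYSCALLS = {
    "x86_64": {"open", "openat", "execve", "utime", "utimes", "utimensat", "futimesat"},
    "i386": {"open", "openat", "execve", "utime", "utimes", "utimensat", "futimesat"},
}
ARCH_ALIASES = {"b64": "x86_64", "b32": "i386"}  # auditctl shorthand -> table name

def validate_rule(rule):
    """Return the problems found in one auditctl-style rule line ([] means it looks OK)."""
    tokens = shlex.split(rule)
    arch, syscalls = None, []
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F" and tokens[i + 1].startswith("arch="):
            arch = tokens[i + 1].split("=", 1)[1]
        elif tok == "-S":
            syscalls.extend(tokens[i + 1].split(","))
    if not syscalls:
        return []  # watch (-w) or filter-only rules carry no syscall names to check
    if arch is None:
        return ["-S used without -F arch=..., syscall names cannot be resolved"]
    arch_name = ARCH_ALIASES.get(arch, arch)
    table = KNOWN_SYSCALLS.get(arch_name)
    if table is None:
        return [f"unknown arch '{arch}'"]
    # "all" and numeric syscall ids are accepted by auditctl without a name lookup
    return [f"unknown syscall '{s}' for arch {arch_name}"
            for s in syscalls if s != "all" and not s.isdigit() and s not in table]

def validate_rules(text):
    """Check every non-comment line; returns {line_number: [problems]} for bad lines."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            problems = validate_rule(line)
            if problems:
                report[lineno] = problems
    return report

# Constructed sample: the two rules from the thread plus one built from real syscalls.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S touch -k T1099_Timestomp
-a always,exit -F arch=b64 -S touch -k T1099_Timestomp
-a always,exit -F arch=b64 -S utimensat,utimes,touch -k T1099_Timestomp
"""
```

Running `validate_rules(SAMPLE_RULES)` flags all three lines because of `touch`; replacing it with the file-time syscalls the table does know (such as `utimensat` and `utimes`) makes the third rule load cleanly.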
