┌─ outputs/pkgs/website/src/content/_index.md ───────────────────────────────┐│ diff --git a/outputs/pkgs/website/src/content/_index.md b/outputs/pkgs/website/src ││ /content/_index.md ││ index 46a8248..837a177 100644 ││ --- a/outputs/pkgs/website/src/content/_index.md ││ +++ b/outputs/pkgs/website/src/content/_index.md ││ @@ -4,4 +4,4 @@ description = "ooknet is a personal website, a monorepo, a place t ││ o store my not ││ template = "home.html" ││ +++ ││ ││ -# Still very much under construction ││ +# ooknet │└────────────────────────────────────────────────────────────────────────────────────┘
┌─ ...website/src/content/_index.md ───┐│ diff --git a/outputs/pkgs/website/src/conten ││ t/_index.md b/outputs/pkgs/website/src/conte ││ nt/_index.md ││ index 46a8248..837a177 100644 ││ --- a/outputs/pkgs/website/src/content/_inde ││ x.md ││ +++ b/outputs/pkgs/website/src/content/_inde ││ x.md ││ @@ -4,4 +4,4 @@ description = "ooknet is a p ││ ersonal website, a monorepo, a place to stor ││ e my not ││ template = "home.html" ││ +++ ││ ││ -# Still very much under construction ││ +# ooknet │└──────────────────────────────────────────────┘
┌─ outputs/pkgs/website/src/content/notes/nix/chapter1/_index.md ────────────┐│ diff --git a/outputs/pkgs/website/src/content/notes/nix/chapter1/_index.md b/outpu ││ ts/pkgs/website/src/content/notes/nix/chapter1/_index.md ││ index 2ecc384..3f4ac67 100644 ││ --- a/outputs/pkgs/website/src/content/notes/nix/chapter1/_index.md ││ +++ b/outputs/pkgs/website/src/content/notes/nix/chapter1/_index.md ││ @@ -1,5 +1,6 @@ ││ +++ ││ title = "Syntax" ││ +template = "notebook/chapter.html" ││ +++ ││ ││ ## Resources ││ @@ -16,32 +17,45 @@ title = "Syntax" ││ ││ --- ││ ││ -The linux audit framework is a collection of tools used to log events the adminis ││ trator deems important; typically used to collect security-relevant information. I ││ t is not a form of protection against attacks, but simply a means of logging infor ││ mation to analyze after the fact. ││ +The linux audit framework is a collection of tools used to log events the ││ +administrator deems important; typically used to collect security-relevant ││ +information. It is not a form of protection against attacks, but simply a means ││ +of logging information to analyze after the fact. ││ ││ -Linux audit framework can be used in larger security pipelines, feeding informati ││ on to scripts and dashboards to catch any potential weaknesses in a systems securi ││ ty. ││ +Linux audit framework can be used in larger security pipelines, feeding ││ +information to scripts and dashboards to catch any potential weaknesses in a ││ +systems security. ││ ││ -It does this by listening to events reported by the kernel and logging them in a ││ file. ││ +It does this by listening to events reported by the kernel and logging them in a ││ +file. ││ ││ -> [!tip] ││ +> [!tip]\ ││ > The log file is typically found here: `/var/log/auditd.log`. ││ ││ Linux audit framework is broken down into a few parts: ││ ││ -1. **Audit kernel module** - included in _most_ linux kernels (some custom kernel ││ s may require additional steps to include). ││ -2. **Auditd** - A configurable daemon responsible for writing messages to the log ││ file. Configuration is done in the `/etc/audit/auditd.conf` file. ││ -3. **Command-line tools** - various command line tools to interface with the audi ││ t system. examples: ││ +1. **Audit kernel module** - included in _most_ linux kernels (some custom ││ + kernels may require additional steps to include). ││ +2. **Auditd** - A configurable daemon responsible for writing messages to the ││ + log file. Configuration is done in the `/etc/audit/auditd.conf` file. ││ +3. **Command-line tools** - various command line tools to interface with the ││ + audit system. examples: ││ - `auditctl`: Interacting with the daemons configuration on the fly. ││ - `ausearch`: Searching for specific events. ││ - `aureport`: Generating reports. ││ - `autrace`: Tracing processes. ││ - - There are many more tools that can be used to interact with the audit system ││ . ││ -4. **Audit rules** - A collection of `auditctl` command that are run at system bo ││ ot time. Configured in the file: `/etc/audit/audit.rules`. ││ + - There are many more tools that can be used to interact with the audit ││ + system. ││ +4. **Audit rules** - A collection of `auditctl` command that are run at system ││ + boot time. Configured in the file: `/etc/audit/audit.rules`. ││ ││ ## Installation ││ ││ --- ││ ││ -Although the kernel module is likely included with your distribution; you may nee ││ d to install the relevant packages to interface with it. For this example I will b ││ e showing how to enable the linux audit system on NixOS. ││ +Although the kernel module is likely included with your distribution; you may ││ +need to install the relevant packages to interface with it. For this example I ││ +will be showing how to enable the linux audit system on NixOS. ││ ││ `nixpkgs` includes a module that be used to enable the linux audit system: ││ ││ @@ -75,8 +89,9 @@ Sources for these modules: ││ - [nixpkgs/audit.nix](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/ ││ security/audit.nix) ││ - [nixpkgs/auditd.nix](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules ││ /security/auditd.nix) ││ ││ -> [!info] ││ -> Use the kernel parameter `audit=1` to allow the audit system to audit processes ││ that are run before the audit daemon starts. ││ +> [!info]\ ││ +> Use the kernel parameter `audit=1` to allow the audit system to audit ││ +> processes that are run before the audit daemon starts. ││ > ││ > This is set by default if you enable the NixOS module. ││ ││ @@ -84,9 +99,11 @@ Sources for these modules: ││ ││ --- ││ ││ -The `auditctl` command can be used to set and retrieve configuration settings, ch ││ anges made this way are ephemeral and will removed when the system restarts. ││ +The `auditctl` command can be used to set and retrieve configuration settings, ││ +changes made this way are ephemeral and will removed when the system restarts. ││ ││ -For permanent changes, configuration is done in the `/etc/audit/auditd.conf` file ││ . Configuration options are structured as such: ││ +For permanent changes, configuration is done in the `/etc/audit/auditd.conf` ││ +file. Configuration options are structured as such: ││ ││ `{conf}keyword=value` ││ ││ @@ -101,17 +118,25 @@ log_file=/var/log/auditd.log ││ ││ In most cases you can leave the default configuration. ││ ││ -For a list of all available configuration options, refer to the [auditd.conf(5) m ││ an page](https://linux.die.net/man/5/auditd.conf). ││ +For a list of all available configuration options, refer to the ││ +[auditd.conf(5) man page](https://linux.die.net/man/5/auditd.conf). ││ ││ ## Rules ││ ││ --- ││ ││ -> [!warning] ││ -> The output from the audit system can be _very_ verbose; filling up the log file ││ very quickly. Make sure to test all rules before deployment. ││ +> [!warning]\ ││ +> The output from the audit system can be _very_ verbose; filling up the log ││ +> file very quickly. Make sure to test all rules before deployment. ││ ││ -The `auditctl` command can also be used for setting rules; these rules are defini ││ tions for what events we want to log & configuration for the kernel module itself. ││ Configuring the audit system with the `auditctl` command is typically used for ad ││ hoc changes, as these modifications are not automatically saved to a permanent co ││ nfiguration file. Changes made with `auditctl` are only active for the current ses ││ sion and will be lost upon system restart. ││ -For persistent rules, we use the `/etc/audit/audit.rules` file or files in the `/ ││ etc/audit/rules.d/` directory. ││ +The `auditctl` command can also be used for setting rules; these rules are ││ +definitions for what events we want to log & configuration for the kernel module ││ +itself. Configuring the audit system with the `auditctl` command is typically ││ +used for ad hoc changes, as these modifications are not automatically saved to a ││ +permanent configuration file. Changes made with `auditctl` are only active for ││ +the current session and will be lost upon system restart.\ ││ +For persistent rules, we use the `/etc/audit/audit.rules` file or files in the ││ +`/etc/audit/rules.d/` directory. ││ ││ Rules in auditd are broken up into 3 varieties: ││ ││ @@ -123,9 +148,11 @@ Rules in auditd are broken up into 3 varieties: ││ ││ --- ││ ││ -These are commands that are used to configure the audit system (kernel module) di ││ rectly. ││ +These are commands that are used to configure the audit system (kernel module) ││ +directly. ││ ││ -For a full list of control rules see [auditctl(8) man page](https://linux.die.net ││ /man/8/auditctl). ││ +For a full list of control rules see ││ +[auditctl(8) man page](https://linux.die.net/man/8/auditctl). ││ ││ Some available _persistent_ options: ││ ││ @@ -133,54 +160,58 @@ Some available _persistent_ options: ││ ││ --- ││ ││ -`-f`: ││ - This is used for defining what _action_ to take when the a _critical error (fail ││ ure mode)_ is detected. the available options are: ││ +`-f`:\ ││ +This is used for defining what _action_ to take when the a _critical error ││ +(failure mode)_ is detected. the available options are: ││ ││ - `0` - silent. ││ - `1` - printk (print a failure message). ││ -- `2` - panic (halt the system). ││ +- `2` - panic (halt the system).\ ││ Example: `-f 1` print message when a critical error occurs. ││ ││ #### Buffer Size ││ ││ --- ││ ││ -`-b`: ││ - Set the maximum number of audit system buffers in the kernel. ││ - Example: `-b 8192` Sets the maximum number of buffers to 8192, exceeding this nu ││ mber will trigger a _critical error_. ││ +`-b`:\ ││ +Set the maximum number of audit system buffers in the kernel.\ ││ +Example: `-b 8192` Sets the maximum number of buffers to 8192, exceeding this ││ +number will trigger a _critical error_. ││ ││ #### Enable flag ││ ││ --- ││ ││ -`-e`: ││ - Set the enable flag. Available options: ││ +`-e`:\ ││ +Set the enable flag. Available options: ││ ││ - `0` - Disables auditing. ││ - `1` - Enables Auditing. ││ -- `2` - Locks the configuration file preventing any further changes. ││ +- `2` - Locks the configuration file preventing any further changes.\ ││ Example: `-e 2` Enables the auditing and locks the configuration file. ││ ││ #### Rate ││ ││ --- ││ ││ -`-r`: ││ - Set the message/sec limit, if set to `0`, disable rate limiting. If the rate is ││ exceeded a _critical error_ will be triggered. ││ - Example: `-r 60` sets the rate limit to 60 messages/sec. ││ +`-r`:\ ││ +Set the message/sec limit, if set to `0`, disable rate limiting. If the rate is ││ +exceeded a _critical error_ will be triggered.\ ││ +Example: `-r 60` sets the rate limit to 60 messages/sec. ││ ││ #### Delete ││ ││ --- ││ ││ -`-D`: ││ - Deletes all rules and watches. ││ +`-D`:\ ││ +Deletes all rules and watches. ││ ││ ### File System ││ ││ --- ││ ││ -Otherwise known as watches, the `-w` flag can be used to audit access to files an ││ d directories. ││ +Otherwise known as watches, the `-w` flag can be used to audit access to files ││ +and directories. ││ ││ Example: `-w path/to/file -p permissions -k keyname` ││ ││ @@ -188,13 +219,17 @@ Example: `-w path/to/file -p permissions -k keyname` ││ ││ --- ││ ││ -Paths can either be a file or a directory. If a directory is defined, then the ru ││ le is used recursively down the directory tree excluding any directories that may ││ be mount points. Keep this in mind as auditing a large tree may be resource intens ││ ive. Limiting the scope of your rules is key to optimizing performance. ││ +Paths can either be a file or a directory. If a directory is defined, then the ││ +rule is used recursively down the directory tree excluding any directories that ││ +may be mount points. Keep this in mind as auditing a large tree may be resource ││ +intensive. Limiting the scope of your rules is key to optimizing performance. ││ ││ #### Permissions ││ ││ --- ││ ││ -The `-p` option is for defining what permissions access type will trigger on. Ava ││ ilable permissions: ││ +The `-p` option is for defining what permissions access type will trigger on. ││ +Available permissions: ││ ││ - `r` - read of the file ││ - `w` - write to the file ││ @@ -207,7 +242,8 @@ These options can be combined e.g: `-p rw` or `-p rwa`. ││ ││ --- ││ ││ -The `-k` option is used to set a string as an identifier (key) for the rule. This ││ string is limited to 31 bytes long. ││ +The `-k` option is used to set a string as an identifier (key) for the rule. ││ +This string is limited to 31 bytes long. ││ ││ Typically used to group related rules to then be searched for with `ausearch`. ││ ││ @@ -226,14 +262,22 @@ Typically used to group related rules to then be searched fo ││ r with `ausearch`. ││ ││ In this example we set a few rules: ││ ││ -- `-w /etc/localtime -p wa -k system_changes` here we define a rule that tracks w ││ hen the `localtime` file is either written to (`w`), or had an attribute changed ( ││ `a`). We then assign it the `system_changes` key as a unique identifier. ││ -- `-w /etc/passwd -p x -k password_changes` & `-w /usr/bin/passwd -p x -k passwor ││ d_changes` here we are tracking when either of these files are executed (`x`), and ││ assigning them both the `password_changes` key. ││ +- `-w /etc/localtime -p wa -k system_changes` here we define a rule that tracks ││ + when the `localtime` file is either written to (`w`), or had an attribute ││ + changed (`a`). We then assign it the `system_changes` key as a unique ││ + identifier. ││ +- `-w /etc/passwd -p x -k password_changes` & ││ + `-w /usr/bin/passwd -p x -k password_changes` here we are tracking when either ││ + of these files are executed (`x`), and assigning them both the ││ + `password_changes` key. ││ ││ ### System Calls ││ ││ --- ││ ││ -System call rules are for tracking kernel syscalls. It does this by loading rules ││ into a matching engine that checks every syscall that all programs make on a syst ││ em. ││ +System call rules are for tracking kernel syscalls. It does this by loading ││ +rules into a matching engine that checks every syscall that all programs make on ││ +a system. ││ ││ Example structure: ││ │└────────────────────────────────────────────────────────────────────────────────────┘
┌─ .../notes/nix/chapter1/_index.md ───┐│ diff --git a/outputs/pkgs/website/src/conten ││ t/notes/nix/chapter1/_index.md b/outputs/pkg ││ s/website/src/content/notes/nix/chapter1/_in ││ dex.md ││ index 2ecc384..3f4ac67 100644 ││ --- a/outputs/pkgs/website/src/content/notes ││ /nix/chapter1/_index.md ││ +++ b/outputs/pkgs/website/src/content/notes ││ /nix/chapter1/_index.md ││ @@ -1,5 +1,6 @@ ││ +++ ││ title = "Syntax" ││ +template = "notebook/chapter.html" ││ +++ ││ ││ ## Resources ││ @@ -16,32 +17,45 @@ title = "Syntax" ││ ││ --- ││ ││ -The linux audit framework is a collection o ││ f tools used to log events the administrator ││ deems important; typically used to collect ││ security-relevant information. It is not a f ││ orm of protection against attacks, but simpl ││ y a means of logging information to analyze ││ after the fact. ││ +The linux audit framework is a collection o ││ f tools used to log events the ││ +administrator deems important; typically us ││ ed to collect security-relevant ││ +information. It is not a form of protection ││ against attacks, but simply a means ││ +of logging information to analyze after the ││ fact. ││ ││ -Linux audit framework can be used in larger ││ security pipelines, feeding information to ││ scripts and dashboards to catch any potentia ││ l weaknesses in a systems security. ││ +Linux audit framework can be used in larger ││ security pipelines, feeding ││ +information to scripts and dashboards to ca ││ tch any potential weaknesses in a ││ +systems security. ││ ││ -It does this by listening to events reporte ││ d by the kernel and logging them in a file. ││ +It does this by listening to events reporte ││ d by the kernel and logging them in a ││ +file. ││ ││ -> [!tip] ││ +> [!tip]\ ││ > The log file is typically found here: `/v ││ ar/log/auditd.log`. ││ ││ Linux audit framework is broken down into a ││ few parts: ││ ││ -1. **Audit kernel module** - included in _m ││ ost_ linux kernels (some custom kernels may ││ require additional steps to include). ││ -2. **Auditd** - A configurable daemon respo ││ nsible for writing messages to the log file. ││ Configuration is done in the `/etc/audit/au ││ ditd.conf` file. ││ -3. **Command-line tools** - various command ││ line tools to interface with the audit syst ││ em. examples: ││ +1. **Audit kernel module** - included in _m ││ ost_ linux kernels (some custom ││ + kernels may require additional steps to ││ include). ││ +2. **Auditd** - A configurable daemon respo ││ nsible for writing messages to the ││ + log file. Configuration is done in the ` ││ /etc/audit/auditd.conf` file. ││ +3. **Command-line tools** - various command ││ line tools to interface with the ││ + audit system. examples: ││ - `auditctl`: Interacting with the daemo ││ ns configuration on the fly. ││ - `ausearch`: Searching for specific eve ││ nts. ││ - `aureport`: Generating reports. ││ - `autrace`: Tracing processes. ││ - - There are many more tools that can be ││ used to interact with the audit system. ││ -4. **Audit rules** - A collection of `audit ││ ctl` command that are run at system boot tim ││ e. Configured in the file: `/etc/audit/audit ││ .rules`. ││ + - There are many more tools that can be ││ used to interact with the audit ││ + system. ││ +4. **Audit rules** - A collection of `audit ││ ctl` command that are run at system ││ + boot time. Configured in the file: `/etc ││ /audit/audit.rules`. ││ ││ ## Installation ││ ││ --- ││ ││ -Although the kernel module is likely includ ││ ed with your distribution; you may need to i ││ nstall the relevant packages to interface wi ││ th it. For this example I will be showing ho ││ w to enable the linux audit system on NixOS. ││ +Although the kernel module is likely includ ││ ed with your distribution; you may ││ +need to install the relevant packages to in ││ terface with it. For this example I ││ +will be showing how to enable the linux aud ││ it system on NixOS. ││ ││ `nixpkgs` includes a module that be used to ││ enable the linux audit system: ││ ││ @@ -75,8 +89,9 @@ Sources for these modules: ││ - [nixpkgs/audit.nix](https://github.com/Ni ││ xOS/nixpkgs/blob/master/nixos/modules/securi ││ ty/audit.nix) ││ - [nixpkgs/auditd.nix](https://github.com/N ││ ixOS/nixpkgs/blob/master/nixos/modules/secur ││ ity/auditd.nix) ││ ││ -> [!info] ││ -> Use the kernel parameter `audit=1` to all ││ ow the audit system to audit processes that ││ are run before the audit daemon starts. ││ +> [!info]\ ││ +> Use the kernel parameter `audit=1` to all ││ ow the audit system to audit ││ +> processes that are run before the audit d ││ aemon starts. ││ > ││ > This is set by default if you enable the ││ NixOS module. ││ ││ @@ -84,9 +99,11 @@ Sources for these modules ││ : ││ ││ --- ││ ││ -The `auditctl` command can be used to set a ││ nd retrieve configuration settings, changes ││ made this way are ephemeral and will removed ││ when the system restarts. ││ +The `auditctl` command can be used to set a ││ nd retrieve configuration settings, ││ +changes made this way are ephemeral and wil ││ l removed when the system restarts. ││ ││ -For permanent changes, configuration is don ││ e in the `/etc/audit/auditd.conf` file. Conf ││ iguration options are structured as such: ││ +For permanent changes, configuration is don ││ e in the `/etc/audit/auditd.conf` ││ +file. Configuration options are structured ││ as such: ││ ││ `{conf}keyword=value` ││ ││ @@ -101,17 +118,25 @@ log_file=/var/log/audi ││ td.log ││ ││ In most cases you can leave the default con ││ figuration. ││ ││ -For a list of all available configuration o ││ ptions, refer to the [auditd.conf(5) man pag ││ e](https://linux.die.net/man/5/auditd.conf). ││ +For a list of all available configuration o ││ ptions, refer to the ││ +[auditd.conf(5) man page](https://linux.die ││ .net/man/5/auditd.conf). ││ ││ ## Rules ││ ││ --- ││ ││ -> [!warning] ││ -> The output from the audit system can be _ ││ very_ verbose; filling up the log file very ││ quickly. Make sure to test all rules before ││ deployment. ││ +> [!warning]\ ││ +> The output from the audit system can be _ ││ very_ verbose; filling up the log ││ +> file very quickly. Make sure to test all ││ rules before deployment. ││ ││ -The `auditctl` command can also be used for ││ setting rules; these rules are definitions ││ for what events we want to log & configurati ││ on for the kernel module itself. Configuring ││ the audit system with the `auditctl` comman ││ d is typically used for ad hoc changes, as t ││ hese modifications are not automatically sav ││ ed to a permanent configuration file. Change ││ s made with `auditctl` are only active for t ││ he current session and will be lost upon sys ││ tem restart. ││ -For persistent rules, we use the `/etc/audi ││ t/audit.rules` file or files in the `/etc/au ││ dit/rules.d/` directory. ││ +The `auditctl` command can also be used for ││ setting rules; these rules are ││ +definitions for what events we want to log ││ & configuration for the kernel module ││ +itself. Configuring the audit system with t ││ he `auditctl` command is typically ││ +used for ad hoc changes, as these modificat ││ ions are not automatically saved to a ││ +permanent configuration file. Changes made ││ with `auditctl` are only active for ││ +the current session and will be lost upon s ││ ystem restart.\ ││ +For persistent rules, we use the `/etc/audi ││ t/audit.rules` file or files in the ││ +`/etc/audit/rules.d/` directory. ││ ││ Rules in auditd are broken up into 3 variet ││ ies: ││ ││ @@ -123,9 +148,11 @@ Rules in auditd are bro ││ ken up into 3 varieties: ││ ││ --- ││ ││ -These are commands that are used to configu ││ re the audit system (kernel module) directly ││ . ││ +These are commands that are used to configu ││ re the audit system (kernel module) ││ +directly. ││ ││ -For a full list of control rules see [audit ││ ctl(8) man page](https://linux.die.net/man/8 ││ /auditctl). ││ +For a full list of control rules see ││ +[auditctl(8) man page](https://linux.die.ne ││ t/man/8/auditctl). ││ ││ Some available _persistent_ options: ││ ││ @@ -133,54 +160,58 @@ Some available _persis ││ tent_ options: ││ ││ --- ││ ││ -`-f`: ││ - This is used for defining what _action_ to ││ take when the a _critical error (failure mo ││ de)_ is detected. the available options are: ││ +`-f`:\ ││ +This is used for defining what _action_ to ││ take when the a _critical error ││ +(failure mode)_ is detected. the available ││ options are: ││ ││ - `0` - silent. ││ - `1` - printk (print a failure message). ││ -- `2` - panic (halt the system). ││ +- `2` - panic (halt the system).\ ││ Example: `-f 1` print message when a crit ││ ical error occurs. ││ ││ #### Buffer Size ││ ││ --- ││ ││ -`-b`: ││ - Set the maximum number of audit system buf ││ fers in the kernel. ││ - Example: `-b 8192` Sets the maximum number ││ of buffers to 8192, exceeding this number w ││ ill trigger a _critical error_. ││ +`-b`:\ ││ +Set the maximum number of audit system buff ││ ers in the kernel.\ ││ +Example: `-b 8192` Sets the maximum number ││ of buffers to 8192, exceeding this ││ +number will trigger a _critical error_. ││ ││ #### Enable flag ││ ││ --- ││ ││ -`-e`: ││ - Set the enable flag. Available options: ││ +`-e`:\ ││ +Set the enable flag. Available options: ││ ││ - `0` - Disables auditing. ││ - `1` - Enables Auditing. ││ -- `2` - Locks the configuration file preven ││ ting any further changes. ││ +- `2` - Locks the configuration file preven ││ ting any further changes.\ ││ Example: `-e 2` Enables the auditing and ││ locks the configuration file. ││ ││ #### Rate ││ ││ --- ││ ││ -`-r`: ││ - Set the message/sec limit, if set to `0`, ││ disable rate limiting. If the rate is exceed ││ ed a _critical error_ will be triggered. ││ - Example: `-r 60` sets the rate limit to 60 ││ messages/sec. ││ +`-r`:\ ││ +Set the message/sec limit, if set to `0`, d ││ isable rate limiting. If the rate is ││ +exceeded a _critical error_ will be trigger ││ ed.\ ││ +Example: `-r 60` sets the rate limit to 60 ││ messages/sec. ││ ││ #### Delete ││ ││ --- ││ ││ -`-D`: ││ - Deletes all rules and watches. ││ +`-D`:\ ││ +Deletes all rules and watches. ││ ││ ### File System ││ ││ --- ││ ││ -Otherwise known as watches, the `-w` flag c ││ an be used to audit access to files and dire ││ ctories. ││ +Otherwise known as watches, the `-w` flag c ││ an be used to audit access to files ││ +and directories. ││ ││ Example: `-w path/to/file -p permissions -k ││ keyname` ││ ││ @@ -188,13 +219,17 @@ Example: `-w path/to/f ││ ile -p permissions -k keyname` ││ ││ --- ││ ││ -Paths can either be a file or a directory. ││ If a directory is defined, then the rule is ││ used recursively down the directory tree exc ││ luding any directories that may be mount poi ││ nts. Keep this in mind as auditing a large t ││ ree may be resource intensive. Limiting the ││ scope of your rules is key to optimizing per ││ formance. ││ +Paths can either be a file or a directory. ││ If a directory is defined, then the ││ +rule is used recursively down the directory ││ tree excluding any directories that ││ +may be mount points. Keep this in mind as a ││ uditing a large tree may be resource ││ +intensive. Limiting the scope of your rules ││ is key to optimizing performance. ││ ││ #### Permissions ││ ││ --- ││ ││ -The `-p` option is for defining what permis ││ sions access type will trigger on. Available ││ permissions: ││ +The `-p` option is for defining what permis ││ sions access type will trigger on. ││ +Available permissions: ││ ││ - `r` - read of the file ││ - `w` - write to the file ││ @@ -207,7 +242,8 @@ These options can be com ││ bined e.g: `-p rw` or `-p rwa`. ││ ││ --- ││ ││ -The `-k` option is used to set a string as ││ an identifier (key) for the rule. This strin ││ g is limited to 31 bytes long. ││ +The `-k` option is used to set a string as ││ an identifier (key) for the rule. ││ +This string is limited to 31 bytes long. ││ ││ Typically used to group related rules to th ││ en be searched for with `ausearch`. ││ ││ @@ -226,14 +262,22 @@ Typically used to grou ││ p related rules to then be searched for with ││ `ausearch`. ││ ││ In this example we set a few rules: ││ ││ -- `-w /etc/localtime -p wa -k system_change ││ s` here we define a rule that tracks when th ││ e `localtime` file is either written to (`w` ││ ), or had an attribute changed (`a`). We the ││ n assign it the `system_changes` key as a un ││ ique identifier. ││ -- `-w /etc/passwd -p x -k password_changes` ││ & `-w /usr/bin/passwd -p x -k password_chan ││ ges` here we are tracking when either of the ││ se files are executed (`x`), and assigning t ││ hem both the `password_changes` key. ││ +- `-w /etc/localtime -p wa -k system_change ││ s` here we define a rule that tracks ││ + when the `localtime` file is either writt ││ en to (`w`), or had an attribute ││ + changed (`a`). We then assign it the `sys ││ tem_changes` key as a unique ││ + identifier. ││ +- `-w /etc/passwd -p x -k password_changes` ││ & ││ + `-w /usr/bin/passwd -p x -k password_chan ││ ges` here we are tracking when either ││ + of these files are executed (`x`), and as ││ signing them both the ││ + `password_changes` key. ││ ││ ### System Calls ││ ││ --- ││ ││ -System call rules are for tracking kernel s ││ yscalls. It does this by loading rules into ││ a matching engine that checks every syscall ││ that all programs make on a system. ││ +System call rules are for tracking kernel s ││ yscalls. It does this by loading ││ +rules into a matching engine that checks ev ││ ery syscall that all programs make on ││ +a system. ││ ││ Example structure: ││ │└──────────────────────────────────────────────┘
┌─ ...uts/pkgs/website/src/content/notes/nix/chapter1/name-value-pairs.md ───┐│ diff --git a/outputs/pkgs/website/src/content/notes/nix/chapter1/name-value-pairs. ││ md b/outputs/pkgs/website/src/content/notes/nix/chapter1/name-value-pairs.md ││ index d2e79c9..801c377 100644 ││ --- a/outputs/pkgs/website/src/content/notes/nix/chapter1/name-value-pairs.md ││ +++ b/outputs/pkgs/website/src/content/notes/nix/chapter1/name-value-pairs.md ││ @@ -1,5 +1,6 @@ ││ +++ ││ title = "Name-value Pairs" ││ +template = "notebook/note.html" ││ +++ ││ ││ ## References: ││ @@ -14,7 +15,8 @@ In [[Nix]], [[key-value-pair|key-value-pairs]] go by _name-value ││ -pairs_. ││ ││ - **Key**: The key in [[Nix]] doesn't have to be a string. ││ - **Separator**: Values are assigned to a value with an equal sign (`=`). ││ -- **Value**: Values can be any [[primitive-data-types|primitive data types]], [[f ││ unctions]], or [[attribute-sets|attribute sets]], or [[lists]]. ││ +- **Value**: Values can be any [[primitive-data-types|primitive data types]], ││ + [[functions]], or [[attribute-sets|attribute sets]], or [[lists]]. ││ - **Delimiter**: name-value-pairs in a set are delimited by a semicolon (`;`) ││ ││ _example structure_ │└────────────────────────────────────────────────────────────────────────────────────┘
┌─ .../chapter1/name-value-pairs.md ───┐│ diff --git a/outputs/pkgs/website/src/conten ││ t/notes/nix/chapter1/name-value-pairs.md b/o ││ utputs/pkgs/website/src/content/notes/nix/ch ││ apter1/name-value-pairs.md ││ index d2e79c9..801c377 100644 ││ --- a/outputs/pkgs/website/src/content/notes ││ /nix/chapter1/name-value-pairs.md ││ +++ b/outputs/pkgs/website/src/content/notes ││ /nix/chapter1/name-value-pairs.md ││ @@ -1,5 +1,6 @@ ││ +++ ││ title = "Name-value Pairs" ││ +template = "notebook/note.html" ││ +++ ││ ││ ## References: ││ @@ -14,7 +15,8 @@ In [[Nix]], [[key-value-pa ││ ir|key-value-pairs]] go by _name-value-pairs ││ _. ││ ││ - **Key**: The key in [[Nix]] doesn't have ││ to be a string. ││ - **Separator**: Values are assigned to a v ││ alue with an equal sign (`=`). ││ -- **Value**: Values can be any [[primitive- ││ data-types|primitive data types]], [[functio ││ ns]], or [[attribute-sets|attribute sets]], ││ or [[lists]]. ││ +- **Value**: Values can be any [[primitive- ││ data-types|primitive data types]], ││ + [[functions]], or [[attribute-sets|attrib ││ ute sets]], or [[lists]]. ││ - **Delimiter**: name-value-pairs in a set ││ are delimited by a semicolon (`;`) ││ ││ _example structure_ │└──────────────────────────────────────────────┘