A client just asked for info on *nix commands that are most often run by attackers vs. legitimate users that we can find with auditd. Some things I thought of:
ssh tunneling params
stunnel
nc
cat/head/tail/more/less <critical config files>
What else? Any cheat sheets out there?
Interesting question: will auditd log the leading spaces if the attacker tries to put space at the beginning of a command-line to avoid history?
Auditd logs from the kernel audit framework at the syscall level. It will log the command executed. It also has a lot to do with the config.
I’m not sure if it will catch the leading space itself, but it should catch the actual executable depending on your auditd config. The CIS auditd rules usually target syscalls generated after the command line is parsed.
github.com/major/cis-rhel-an…
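The original question asks which commands are worth watching with auditd (nc, stunnel, ssh with tunnelling options, reads of critical config files), and the reply above notes that auditd records at the syscall level, after the shell has parsed the command line. The following is an added example, not code from the thread: it generates auditctl watch rules for such a watchlist and runs a small detector over constructed audit.log lines. Binary paths, the key names and the sample records are assumptions made for the example. Because the shell splits the typed line into words before calling execve, a leading space typed to keep a command out of shell history never reaches the EXECVE record; `a0` is the program name either way.

```python
import re
from collections import defaultdict

# Watchlist built from the tools named in the thread; paths are assumptions
# (confirm the real locations with `command -v nc` etc. on the hosts you monitor).
WATCHED_BINARIES = {
    "/usr/bin/nc": "net_tools",
    "/usr/bin/stunnel": "net_tools",
    "/usr/bin/ssh": "net_tools",
}
CRITICAL_FILES = {
    "/etc/shadow": "critical_read",
    "/etc/sudoers": "critical_read",
    "/etc/ssh/sshd_config": "critical_read",
}
# ssh options that set up forwarding (-L local, -R remote, -D SOCKS, -w tun device)
SSH_TUNNEL_FLAGS = ("-L", "-R", "-D", "-w")


def audit_rules():
    """Generate auditctl rules for the watchlist: execute watches on the binaries,
    read watches on the config files, each tagged with a key for searching."""
    rules = [f"-w {path} -p x -k {key}" for path, key in WATCHED_BINARIES.items()]
    rules += [f"-w {path} -p r -k {key}" for path, key in CRITICAL_FILES.items()]
    return rules


FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Split one audit.log line into a dict of fields. auditd hex-encodes argv
    entries containing spaces or special characters and prints them unquoted,
    so those are decoded back to text."""
    rec = {}
    for name, quoted, raw in FIELD_RE.findall(line):
        if raw == "":
            rec[name] = quoted
        elif re.fullmatch(r"a\d+", name) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            rec[name] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[name] = raw
    m = SERIAL_RE.search(line)
    if m:
        rec["_serial"] = m.group(2)
    return rec


def group_events(lines):
    """Group records by audit serial: one execve yields a SYSCALL record plus an
    EXECVE record (and PATH records) that share the same serial number."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def argv_of(records):
    """Reassemble argv from the EXECVE record. The shell already split the line
    into words, so a leading space typed at the prompt never appears here."""
    for rec in records:
        if rec.get("type") == "EXECVE":
            return [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
    return []


def detect(lines):
    """Return (serial, alert, detail) tuples for watched executions and reads."""
    alerts = []
    for serial, records in group_events(lines).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        key = syscall.get("key", "")
        if key == "net_tools":
            argv = argv_of(records)
            # A plain interactive ssh session is routine; only flag forwarding options.
            if syscall.get("exe") == "/usr/bin/ssh" and not any(
                a.startswith(SSH_TUNNEL_FLAGS) for a in argv[1:]
            ):
                continue
            alerts.append((serial, "network tool executed", " ".join(argv)))
        elif key == "critical_read":
            path = next((r.get("name") for r in records
                         if r.get("type") == "PATH" and r.get("name") in CRITICAL_FILES), "?")
            alerts.append((serial, "critical file read",
                           f"{syscall.get('exe')} read {path} uid={syscall.get('uid')}"))
    return alerts


# Constructed sample records in audit.log format (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600000000.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2211 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key="net_tools"
type=EXECVE msg=audit(1600000000.101:101): argc=3 a0="nc" a1="-l" a2="4444"
type=SYSCALL msg=audit(1600000000.102:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2212 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="net_tools"
type=EXECVE msg=audit(1600000000.102:102): argc=2 a0="ssh" a1="bastion.example"
type=SYSCALL msg=audit(1600000000.103:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2213 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="net_tools"
type=EXECVE msg=audit(1600000000.103:103): argc=3 a0="ssh" a1="-D1080" a2="bastion.example"
type=SYSCALL msg=audit(1600000000.104:104): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2214 auid=1000 uid=33 comm="cat" exe="/usr/bin/cat" key="critical_read"
type=PATH msg=audit(1600000000.104:104): item=0 name="/etc/shadow" inode=1234 mode=0100640
"""

if __name__ == "__main__":
    print("\n".join(audit_rules()))
    for serial, what, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{serial}] {what}: {detail}")
```

The plain `ssh bastion.example` event (serial 102) is deliberately dropped so that ordinary admin sessions do not page anyone; the `-D` SOCKS forward, the netcat listener and the web-server uid reading /etc/shadow are the three that surface. Tuning the ssh filter and the file list to the environment is where most of the false-positive work lives.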
Thanks for the clarification. Sounds like a test is in order. Those leading spaces would be a dead giveaway for malicious intent. I can't think of a legitimate use for them. There may be one though.
I think that’d be a noisy signal because of typos, depending on the amount of time your admins spend on the command line.
I would rather alert on the few times it was a mistake than let a great indicator slip by unnoticed. I make plenty of mistakes typing, but have never put a leading space in by accident. Not that it can't happen, just not that prevalent, I would imagine.
I’d like to see more work around turning audit events into actionable intel. Translate a stream of raw audit logs into “pane of glass” alerts like “webshell executed” or “unexpected/unauthorized privilege escalation” etc.
Sep 14, 2020 · 11:25 PM UTC