Conversation

CheraghiMilad

@thegreatmhn

Bruh… fexecve isn’t a syscall? Then what exactly do you expect auditd to monitor—your hopes and dreams?

@vahidmalekk

Kiddo, you don't even know what a syscall is. Be happy you copied from me — you didn't even bother changing the repo name: https://github.com/vahidmalekk/bypass-Neo23x0-auditd-config
Did you ever test the rule you added?

```
auditctl -a always,exit -F arch=b64 -S fexecve -k fexecve_detect
Syscall name unknown: fexecve
```

@vahidmalekk

[screenshot attached: Screenshot 2025-04-29 133609]

@CheraghiMilad

The PoC I wrote clearly uses the fexecve wrapper, which is a system call, not a syscall in the literal sense.

I actually saw your GitHub today for the first time — I don’t think I’ve come across your work before.
And about the repo name: if you were writing a PoC for bypassing Neo23x0’s auditd config, what would you name it?

Do you seriously think I’d be so naive as to copy something and leave the exact same repo name?
Even our PoCs differ significantly in terms of privilege level and approach.

@vahidmalekk
Copy link

Be happy about your findings, but auditd won't work the way you expect it to (you should read more about how auditd actually works before pushing changes like this). It can't monitor wrappers or whatever you call it. If you review what you pushed, you'll notice it doesn't work, and someone else even pushed it in the past: https://github.com/Neo23x0/auditd/pull/156/files.
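The disagreement above comes down to one fact: auditd rules match kernel syscalls by name, and fexecve is a glibc library function, not a syscall, so `auditctl` rejects the rule outright. What the wrapper actually issues to the kernel is execveat (or execve on a `/proc/self/fd/N` path on kernels without execveat), which is why existing execve/execveat rules are the ones that see such executions. The following is an added example, not code from this PR or from the Neo23x0/auditd repository: a small linter that runs over a rules file before it is pushed and flags every `-S` name the kernel has no syscall for. It assumes the audit userspace tool `ausyscall` is installed for the live lookup (it exits non-zero for unknown names), and it assumes auditctl's `b64`/`b32` correspond to the `x86_64`/`i386` tables on an x86 host; the sample rules are constructed to mirror the thread.

```python
"""Lint an auditd rules file: flag -S names that are not kernel syscalls.

Added example for this discussion, not code from the PR or from the
auditd repository.  Assumes `ausyscall` (audit userspace tools) is
installed for the live check; the lint logic runs without it when a
different lookup function is supplied.
"""
import re
import shutil
import subprocess
import sys

# Constructed sample mirroring the rule under discussion: fexecve is a
# glibc wrapper (it ends in execveat, or execve of /proc/self/fd/N), so
# auditctl rejects it, while execve and execveat are real syscall names.
SAMPLE_RULES = """\
## exec monitoring
-a always,exit -F arch=b64 -S fexecve -k fexecve_detect
-a always,exit -F arch=b64 -S execve,execveat -k exec
-w /etc/passwd -p wa -k passwd
"""

# Assumption: auditctl's b64/b32 on an x86 host map to these ausyscall tables.
ARCH_TABLES = {"b64": "x86_64", "b32": "i386"}

_ARCH_RE = re.compile(r"-F\s+arch=(\w+)")
_SYSCALL_RE = re.compile(r"-S\s+([\w,]+)")


def known_to_kernel(arch, name):
    """True if ausyscall can map `name` to a number for `arch`.

    ausyscall exits non-zero ("Unknown syscall ...") for names missing
    from the kernel table, which is exactly what auditctl complains about.
    """
    if shutil.which("ausyscall") is None:
        raise RuntimeError("ausyscall (audit userspace tools) is not installed")
    table = ARCH_TABLES.get(arch, arch)
    result = subprocess.run(["ausyscall", table, name],
                            capture_output=True, text=True)
    return result.returncode == 0


def lint_rules(text, lookup=known_to_kernel):
    """Return [(line_no, arch, name)] for every -S name the lookup rejects.

    Only syscall rules (those carrying -S) are checked; file watches (-w)
    and comment lines are skipped.  Numeric ids and the keyword 'all' are
    accepted as-is.  A rule without -F arch= is treated as the native
    64-bit ABI (assumption).
    """
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        groups = _SYSCALL_RE.findall(line)  # a rule may repeat -S
        if not groups:
            continue
        m_arch = _ARCH_RE.search(line)
        arch = m_arch.group(1) if m_arch else "b64"
        for group in groups:
            for name in group.split(","):
                if name == "all" or name.isdigit():
                    continue
                if not lookup(arch, name):
                    problems.append((line_no, arch, name))
    return problems


if __name__ == "__main__":
    # Usage: python lint_audit_rules.py [rules-file]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line_no, arch, name in lint_rules(text):
        print(f"line {line_no}: no {arch} syscall named {name!r}; "
              f"auditctl will reject this rule")
```

Running it against the sample reports only the fexecve line; the execve,execveat rule and the -w watch pass. The live lookup shells out to `ausyscall` because that is the same table auditctl consults, so the linter agrees with what `auditctl` will accept on the host it runs on.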
