From 7e71df34ad1075fd7d5625186f37f945211eb5b7 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Wed, 27 Nov 2024 19:33:34 +0530
Subject: [PATCH] Monitoring in-memory file executions

Added rules for monitoring in-memory file execution
---
 audit.rules | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/audit.rules b/audit.rules
index f71bf7c..64681f1 100644
--- a/audit.rules
+++ b/audit.rules
@@ -806,6 +806,14 @@
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
+
+## Monitor for creation of anonymous files in memory
+-a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create
+
+## Monitor execution of in-memory files
+-a always,exit -F arch=b64 -S fexecve -F key=in_memory_execution
+
+
 ## 32bit API Exploitation
 ### If you are on a 64 bit platform, everything _should_ be running
 ### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
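Review bot: The second new rule names `fexecve`, which is a C library wrapper and not a Linux system call, so auditctl has no syscall-table entry for it and will reject the line when the rules are loaded; depending on how the file is applied, that can abort loading of everything after it. The kernel entry point that the wrapper uses for executing a file descriptor is `execveat`, so the rule should read `-a always,exit -F arch=b64 -S execveat -k in_memory_execution`; executions that go through `execve` on a `/proc/self/fd/N` path are only seen by whatever `execve` rule the file already has, which I cannot confirm from this hunk. Both new lines also use `-F key=` where every other rule in the hunk uses `-k`, and only `arch=b64` is covered, so if the rest of the file pairs b64 rules with b32 ones these two would need the same treatment; the `memfd_create` rule itself is fine.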