From 85660f12bf4be43f54778746aa3f0490a6d1d66a Mon Sep 17 00:00:00 2001
From: Badoodish <88710522+Badoodish@users.noreply.github.com>
Date: Sat, 27 Apr 2024 03:53:35 +1000
Subject: [PATCH] Added tests for T1562.012 (#2743)
* Added tests for T1562.012
* Update T1562.012.yaml
* Update T1562.012.yaml
- Added cleanup commands
---------
Co-authored-by: Hare Sudhan
---
 atomics/T1562.012/T1562.012.yaml | 43 ++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 atomics/T1562.012/T1562.012.yaml
diff --git a/atomics/T1562.012/T1562.012.yaml b/atomics/T1562.012/T1562.012.yaml
new file mode 100644
index 00000000..3a674d67
--- /dev/null
+++ b/atomics/T1562.012/T1562.012.yaml
@@ -0,0 +1,43 @@
+attack_technique: T1562.012
+display_name: 'Impair Defenses: Disable or Modify Linux Audit System'
+atomic_tests:
+- name: Delete all auditd rules using auditctl
+ description: |
+ Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if auditd is installed.
+ prereq_command: |
+ if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
+ get_prereq_command: |
+ (yum install auditd -y) || (apt-get install auditd -y) || (dnf install auditd -y)
+ executor:
+ command: |
+ auditctl -D
+ name: sh
+ elevation_required: true
+ cleanup_command: |
+ service auditd restart
+- name: Disable auditd using auditctl
+ description: |
+ The command `auditctl -e 0` disables the audit system. By setting the parameter to `0`, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if auditd is installed.
+ prereq_command: |
+ if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
+ get_prereq_command: |
+ (yum install auditd -y) || (apt-get install auditd -y) || (dnf install auditd -y)
+ executor:
+ command: |
+ auditctl -e 0
+ name: sh
+ elevation_required: true
+ cleanup_command: |
+ auditctl -e 1
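Review bot: `get_prereq_command` in both tests asks yum and dnf for a package named `auditd`, but on RHEL-family distributions the package that ships `auditctl` is `audit`, so the fallback chain can only succeed on Debian/Ubuntu hosts; `(yum install audit -y) || (apt-get install auditd -y) || (dnf install audit -y)` would cover both families. The first test's `cleanup_command: service auditd restart` is also a weak restore: on systemd hosts the auditd unit usually refuses manual stop/restart, and even where the restart goes through the rules only come back if a persistent rules file exists, so `augenrules --load` (or `auditctl -R` against the persistent rules file) is the more reliable way to put the deleted rules back — worth confirming on the distros the test is run against. The prereq check `if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi` relies on an unquoted command substitution; `command -v auditctl >/dev/null 2>&1` yields the same exit status and is the conventional form. Both descriptions could note that when the audit configuration has been locked (`auditctl -e 2`), neither `auditctl -D` nor `auditctl -e 0` takes effect until reboot, which is the standard hardening against this technique and explains why the test may report success while changing nothing.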