security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #5661 from @CheraghiMilad - Update ASLR Disabled Via Sysctl or Direct Syscall

Browse Source 
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Milad Cheraghi
2025-10-29 04:13:27 +03:30
committed by GitHub
parent e40fc91954
commit 2d32b91bce
1 changed files with 17 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
+17 -10
View File
@@ -1,19 +1,21 @@
title: Disable ASLR Via Personality Syscall - Linux
title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000),
which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers
exploit development, or to bypass memory protection mechanisms.
A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption
attacks more reliable.
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
- https://man7.org/linux/man-pages/man2/personality.2.html
- https://manual.cs50.io/2/personality
- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-06-05
modified: 2025-10-18
tags:
- attack.privilege-escalation
- attack.defense-evasion
@@ -23,11 +25,16 @@ logsource:
product: linux
service: auditd
detection:
selection:
selection_syscall:
type: 'SYSCALL'
syscall: 'personality'
a0: 40000
condition: selection
selection_sysctl:
type: 'EXECVE'
a0: 'sysctl'
a1: '-w'
a2: 'kernel.randomize_va_space=0' # 0 = disable
condition: 1 of selection_*
falsepositives:
- Debugging or legitimate software testing
level: low
level: high