Linux support with automated detection validation#6

Open
Murat-Oruntak wants to merge 2 commits intokrdmnbrk:mainfrom
Murat-Oruntak:feature/linux-support

Conversation

@Murat-Oruntak

Summary

This PR adds Linux platform support to AttackRuleMap's automated detection pipeline.
Using an Ubuntu VM on VirtualBox, 385 Atomic Red Team Linux tests were executed and
validated against Sigma and ESCU detection rules via Splunk.

Results

  • 25 MITRE ATT&CK techniques detected and validated (84 total entries)
  • 8 techniques entirely new (not previously mapped for any platform)
  • All detections are validated: tests were executed in a virtual machine, logs were collected, and detection rules were confirmed to trigger in Splunk

What changed

Code changes (7 files):

  • config.py -- Platform-aware configuration (PLATFORM, VM_SSH_PORT, USE_PROXMOX)
  • execution_handler.py -- SSH/bash executor, sudo for Linux, prereq executor fix,
    bash multiline command fix
  • dynamic_generator.py -- Linux Sigma rule filtering, CIM mapping skip for auditd
  • vm_handler.py -- VirtualBox (VBoxManage) support alongside Proxmox
  • report_handler.py -- Platform-specific MITRE Navigator layers
  • sigma_handler.py -- Linux-only Sigma rule filtering
  • .env.example -- New environment variables documented

New files:

  • dist/attack_rule_map_linux.json -- Linux detection mapping (25 techniques, 84 entries)
  • dist/mitre_layer_*_linux.json -- MITRE ATT&CK Navigator layers for Linux
  • add_splunk_macros.py -- Helper script to install ESCU filter macros in Splunk

Key design decisions

  • All changes are behind config.PLATFORM checks -- Windows pipeline is untouched
  • VirtualBox support is behind USE_PROXMOX flag -- Proxmox pipeline is untouched
  • Linux tests use auditd for log collection (standard, production-ready)
  • Sysmon for Linux was intentionally excluded (experimental, not widely adopted --
    could be added in the future for 119 additional Sigma rules)

Detected techniques

T1027.001, T1030, T1033, T1036.003, T1053.003, T1057, T1059.004,
T1070.003, T1070.006, T1082, T1105, T1113, T1136.001, T1201,
T1222.002, T1489, T1529, T1543.002, T1546.004, T1552.001,
T1552.003, T1560.001, T1562.001, T1562.006, T1564.001

VM setup required

  • Ubuntu 24.04 on VirtualBox (NAT + port forwarding 2222→22)
  • Splunk Universal Forwarder + Splunk_TA_nix
  • auditd with 76 rules (execve, file watches, syscall monitoring)
  • Packages: steghide, xclip, alsa-utils, ecasound, tcpdump, imagemagick

Limitations & future work

  • 119 Sigma process_creation rules require Sysmon for Linux
  • Some Atomic Red Team Linux tests are actually FreeBSD tests (I used Ubuntu for tests)
  • ESCU linux_auditd rules partially work (proctitle hex encoding issue)
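The last limitation refers to the way auditd writes the PROCTITLE record: when the command line contains spaces or NUL bytes, the kernel emits the field as a bare hex string, and a rule that matches on plain text never sees the decoded command. The following is an added illustration, not code from AttackRuleMap or from this PR; the audit lines are constructed samples, and the decoder is a normalization step a detection pipeline could apply before a proctitle-based rule runs.

```python
import re

# Constructed sample auditd lines (not real captures). Line 0 carries a
# hex-encoded proctitle ("cat\0/etc/passwd"); line 1 carries a quoted one.
SAMPLE_LINES = [
    'type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=636174002F6574632F706173737764',
    'type=PROCTITLE msg=audit(1700000000.456:4243): proctitle="bash"',
    'type=SYSCALL msg=audit(1700000000.789:4244): arch=c000003e syscall=59 success=yes exe="/usr/bin/cat"',
]

# auditd prints proctitle either as "quoted" (plain, no spaces) or as bare hex.
_PROCTITLE_RE = re.compile(r'\bproctitle=("[^"]*"|[0-9A-Fa-f]+)')


def decode_proctitle(value: str) -> str:
    """Decode one proctitle field value.

    Quoted values are returned without the quotes. Hex values are decoded and
    the NUL separators between argv entries are turned into spaces so the
    result reads like the original command line. Non-hex input is returned
    unchanged rather than raising.
    """
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return raw.replace(b"\x00", b" ").decode("utf-8", errors="replace").rstrip()


def extract_cmdline(line: str):
    """Return the decoded command line from a PROCTITLE line, or None if absent."""
    m = _PROCTITLE_RE.search(line)
    return decode_proctitle(m.group(1)) if m else None


def normalize_line(line: str) -> str:
    """Rewrite the proctitle field as a quoted, decoded string for downstream rules."""
    return _PROCTITLE_RE.sub(lambda m: 'proctitle="%s"' % decode_proctitle(m.group(1)), line)


def cmdline_contains(line: str, needle: str) -> bool:
    """Substring match on the decoded command line instead of the raw field."""
    cmd = extract_cmdline(line)
    return cmd is not None and needle in cmd


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(normalize_line(sample))
```

Matching `/etc/passwd` against the raw first line fails, while `cmdline_contains` finds it after decoding, which is the gap the PR describes.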
