Auditing Configuration Changes on Linux Host
Detect changes in auditd configuration files
Sigma rule
```yaml
title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: test
description: Detect changes in auditd configuration files
references:
    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
    - Self Experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1562.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: PATH
        name:
            - /etc/audit/*
            - /etc/libaudit.conf
            - /etc/audisp/*
    condition: selection
fields:
    - exe
    - comm
    - key
falsepositives:
    - Legitimate administrative activity
level: high
```
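The rule matches on the `name` field of auditd `PATH` records, but the `exe`, `comm` and `key` fields it lists for triage live in the `SYSCALL` record of the same event, so a backend has to correlate records by the audit event id. Two practical caveats: auditd only emits these records if a watch exists on the files (for example `-w /etc/audit/ -p wa -k auditconfig`, the form used in the referenced Neo23x0 rule set), and the `/etc/audit/*` wildcard is normally rendered so that it also matches nested paths such as `/etc/audit/rules.d/audit.rules`. The following Python is an added illustration of that detection logic and is not code from the Sigma project; the log lines are constructed samples with made-up ids and pids, and the helper names are arbitrary.

```python
import fnmatch
import re
from collections import defaultdict

# Path patterns copied from the rule's selection (type: PATH, name: ...).
WATCHED_PATHS = ["/etc/audit/*", "/etc/libaudit.conf", "/etc/audisp/*"]

# Constructed sample auditd records (not real captures). All records of one
# event share the same msg=audit(<timestamp>:<serial>) id; event 4201 edits
# auditd.conf, event 4202 reads an unrelated file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="auditconfig"
type=CWD msg=audit(1700000000.101:4201): cwd="/root"
type=PATH msg=audit(1700000000.101:4201): item=0 name="/etc/audit/" inode=1234 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:4201): item=1 name="/etc/audit/auditd.conf" inode=1235 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:4202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0d0 a2=0 a3=0 items=1 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.202:4202): item=0 name="/etc/hostname" inode=2001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The serial after the colon in msg=audit(ts:serial) identifies the event.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict of fields plus its event serial."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    match = MSG_RE.search(line)
    fields["event_id"] = match.group(2) if match else None
    return fields


def group_events(log_text):
    """Group records by event serial so PATH and SYSCALL can be correlated."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            record = parse_record(line)
            events[record["event_id"]].append(record)
    return events


def path_matches(name):
    """Apply the rule's name patterns; fnmatch's '*' spans '/' as well,
    so /etc/audit/rules.d/audit.rules is covered by /etc/audit/*."""
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in WATCHED_PATHS)


def detect(log_text):
    """Return one alert per event that touched a watched audit config path,
    enriched with exe/comm/key from the event's SYSCALL record."""
    alerts = []
    for event_id, records in group_events(log_text).items():
        hits = [r["name"] for r in records
                if r.get("type") == "PATH" and path_matches(r.get("name", ""))]
        if not hits:
            continue
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), {})
        alerts.append({
            "event_id": event_id,
            "paths": hits,
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "key": syscall.get("key"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Grouping by event serial also collapses the `PARENT` and `NORMAL` `PATH` records of a single write into one alert rather than two. Real auditd output hex-encodes a `name` that contains spaces or non-printable bytes and emits it without quotes; a production parser has to decode that form (or run the log through `ausearch -i`) before applying the path patterns.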
Related rules
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- Logging Configuration Changes on Linux Host
- Okta User Session Start Via An Anonymising Proxy Service
- AD Object WriteDAC Access