Logging Configuration Changes on Linux Host

Detect changes of syslog daemons configuration files

Sigma rule (View on GitHub)

 1title: Logging Configuration Changes on Linux Host
 2id: c830f15d-6f6e-430f-8074-6f73d6807841
 3status: test
 4description: Detect changes of syslog daemons configuration files
 5references:
 6    - self experience
 7author: Mikhail Larin, oscd.community
 8date: 2019/10/25
 9modified: 2021/11/27
10tags:
11    - attack.defense_evasion
12    - attack.t1562.006
13logsource:
14    product: linux
15    service: auditd
16detection:
17    selection:
18        type: 'PATH'
19        name:
20            - /etc/syslog.conf
21            - /etc/rsyslog.conf
22            - /etc/syslog-ng/syslog-ng.conf
23    condition: selection
24fields:
25    - exe
26    - comm
27    - key
28falsepositives:
29    - Legitimate administrative activity
30level: high

References

Related rules

to-top