2020-02-20 23:00:16 +01:00
|
|
|
title: Logging Configuration Changes on Linux Host
|
2019-12-19 23:56:36 +01:00
|
|
|
id: c830f15d-6f6e-430f-8074-6f73d6807841
|
2020-09-13 22:03:04 -06:00
|
|
|
status: experimental
|
2019-10-25 17:57:56 +03:00
|
|
|
description: Detect changes of syslog daemons configuration files
|
|
|
|
|
# Example config for this one (place it at the top of audit.rules)
|
|
|
|
|
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
|
|
|
|
|
# -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
|
|
|
|
|
# -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
|
2019-10-29 01:40:06 +03:00
|
|
|
author: Mikhail Larin, oscd.community
|
2019-10-25 17:57:56 +03:00
|
|
|
date: 2019/10/25
|
2020-09-13 22:03:04 -06:00
|
|
|
references:
|
|
|
|
|
- self experience
|
2019-10-25 17:57:56 +03:00
|
|
|
logsource:
|
|
|
|
|
product: linux
|
|
|
|
|
service: auditd
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
2020-01-19 22:34:16 +01:00
|
|
|
type: 'PATH'
|
|
|
|
|
name:
|
|
|
|
|
- /etc/syslog.conf
|
|
|
|
|
- /etc/rsyslog.conf
|
|
|
|
|
- /etc/syslog-ng/syslog-ng.conf
|
2019-10-25 17:57:56 +03:00
|
|
|
condition: selection
|
|
|
|
|
fields:
|
|
|
|
|
- exe
|
|
|
|
|
- comm
|
|
|
|
|
- key
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Legitimate administrative activity
|
|
|
|
|
level: high
|
2020-09-13 22:03:04 -06:00
|
|
|
tags:
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.t1054 # an old one
|
|
|
|
|
- attack.t1562.006
|
