Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field

chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
This commit is contained in:
Nasreddine Bencherchali
2025-12-08 16:03:55 +01:00
committed by GitHub
parent 0490e31eb5
commit 5656c48a97
55 changed files with 14 additions and 12 deletions
@@ -9,7 +9,7 @@ references:
- https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
author: Pawel Mazur, Milad Cheraghi
date: 2021-09-04
modified: 2025-06-05
modified: 2025-12-05
tags:
- attack.collection
- attack.t1123
@@ -25,7 +25,7 @@ detection:
selection_syscall_memfd_create:
type: SYSCALL
exe|endswith: "/ecasound"
syscall: 'memfd_create'
SYSCALL: 'memfd_create'
condition: 1 of selection_*
falsepositives:
- Unknown
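Review bot: The selection now keyed on `SYSCALL: 'memfd_create'` only fires when auditd writes `log_format = ENRICHED`; a raw SYSCALL record carries the numeric `syscall=` ID and no `SYSCALL` field, so on collectors that ship raw auditd records the rule silently stops matching, and nothing in the rule states that requirement. Consider a comment on the selection, `# Requires auditd log_format = ENRICHED (raw records only carry the numeric syscall ID)`, or the same sentence in the rule's description above the hunk, so the dependency is visible at deployment time. A numeric fallback is not a clean substitute, since syscall numbers differ per architecture. The same point applies to the other five rule hunks in this commit (personality, syslog, sysinfo, mknod and execve/execveat).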
@@ -15,7 +15,7 @@ references:
- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-10-18
modified: 2025-12-05
tags:
- attack.privilege-escalation
- attack.defense-evasion
@@ -27,7 +27,7 @@ logsource:
detection:
selection_syscall:
type: 'SYSCALL'
syscall: 'personality'
SYSCALL: 'personality'
a0: 40000
selection_sysctl:
type: 'EXECVE'
@@ -11,7 +11,7 @@ references:
- https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-06-05
modified: 2025-12-05
tags:
- attack.defense-evasion
- attack.t1070.002
@@ -29,7 +29,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
syscall: 'syslog'
SYSCALL: 'syslog'
a0:
- 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log
- 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)
@@ -9,6 +9,7 @@ references:
- https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
- attack.discovery
- attack.t1057
@@ -23,7 +24,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
syscall: 'sysinfo'
SYSCALL: 'sysinfo'
filter_optional_splunk:
exe|endswith: '/bin/splunkd'
condition: selection and not 1 of filter_optional_*
@@ -12,6 +12,7 @@ references:
- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
author: Milad Cheraghi
date: 2025-05-31
modified: 2025-12-05
tags:
- attack.privilege-escalation
- attack.persistence
@@ -22,7 +23,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
syscall: 'mknod'
SYSCALL: 'mknod'
condition: selection
falsepositives:
- Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)
@@ -7,7 +7,7 @@ references:
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-06-03
modified: 2025-12-05
tags:
- attack.persistence
- attack.t1505.003
@@ -24,7 +24,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
syscall:
SYSCALL:
- 'execve'
- 'execveat'
euid: 33
+2 -2
@@ -1,6 +1,6 @@
{
"title": "Field name by logsource",
"version": "20230113",
"version": "20251205",
"legit":{
"windows":{
"common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"],
@@ -134,7 +134,7 @@
"oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
"proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
"scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
"sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"sport", "state", "subj", "success", "suid", "syscall", "SYSCALL", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
"vsftpd":[],
"sshd":[],