security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b64ab552f94de507753860b6ff0268d4a656321
blue-team-tools/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
T
Mike Wade 52ab677798 Fixed my git issue
2020-09-13 22:03:04 -06:00

35 lines
989 B
YAML
Raw Blame History

title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: experimental
description: Detect changes in auditd configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
# -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
# -w /etc/audisp/ -p wa -k etc_modify_audispconfig
author: Mikhail Larin, oscd.community
date: 2019/10/25
references:
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
logsource:
product: linux
service: auditd
detection:
selection:
type: PATH
name:
- /etc/audit/*
- /etc/libaudit.conf
- /etc/audisp/*
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high
tags:
- attack.defense_evasion
- attack.t1054 # an old one
- attack.t1562.006
Reference in New Issue View Git Blame Copy Permalink