security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

32 lines
676 B
YAML
Raw Blame History

title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: test
description: Detect changes in auditd configuration files
author: Mikhail Larin, oscd.community
references:
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
date: 2019/10/25
modified: 2021/11/27
logsource:
product: linux
service: auditd
detection:
selection:
type: PATH
name:
- /etc/audit/*
- /etc/libaudit.conf
- /etc/audisp/*
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high
tags:
- attack.defense_evasion
- attack.t1562.006
Reference in New Issue View Git Blame Copy Permalink