detection.wiki

Detection rules › Sigma

Auditing Configuration Changes on Linux Host

Status
test
Severity
high
Log source
product linux, service auditd
Author
Mikhail Larin, oscd.community
Source
github.com/SigmaHQ/sigma

Detect changes in auditd configuration files

MITRE ATT&CK coverage

TacticTechniques
Defense ImpairmentT1685 Disable or Modify Tools

Event coverage

ProviderEvent
Linux-AuditdEvent ID 1302

Rule body yaml

title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: test
description: Detect changes in auditd configuration files
references:
    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
    - Self Experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: PATH
        name:
            - /etc/audit/*
            - /etc/libaudit.conf
            - /etc/audisp/*
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    type: PATH
    name:
        - /etc/audit/*
        - /etc/libaudit.conf
        - /etc/audisp/*

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
namewildcard
  • /etc/audisp/*
  • /etc/audit/*
  • /etc/libaudit.conf
typeeq
  • PATH