
Summary
The 'Linux Auditd Service Stop' detection rule identifies suspicious activity related to the stopping of the audit daemon (auditd) in Linux environments. This service maintains the audit trail of system calls and activities, so an unauthorized attempt to stop it can indicate malicious intent, such as an intruder covering their tracks after gaining access or compromising the system. The rule parses auditd log events to capture instances where the service is stopped, collecting key details such as the host, process ID, user ID, command, and executable involved. It uses a query structure suited to parsing and aggregating these events in Splunk, so that an alert is raised promptly when such an event occurs. Proper implementation entails ingesting the data through the Splunk Add-on for Unix and Linux, then normalizing it per the Splunk Common Information Model (CIM) to keep field names consistent across data sources. False positives may arise from legitimate administrative actions (for example, planned maintenance); these are managed by refining the rule's filter macros. Overall, this detection rule helps security teams monitor for attempts to disable auditing on Linux systems, a step that often precedes more serious security breaches.
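The detection described above, shown as a standalone Python example rather than the rule's own Splunk query (added here; not code from the page or from the rule's authors). It parses raw auditd records, keeps only SERVICE_STOP events for the auditd unit, extracts the fields the rule collects (host, pid, uid, command, executable) and applies a simple allowlist on the login user ID (auid) in place of the filter macro used to suppress legitimate administrative stops. The log lines, the host name and the allowlisted auid values are constructed for the example.

```python
import re
from typing import Dict, Iterator, List, Optional, Set

# Constructed sample audit.log records (not taken from the page). They follow the
# layout auditd writes for systemd unit events: a SERVICE_STOP record names the
# unit and the stopping process inside the quoted msg='...' field.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1731500000.101:201): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1731500100.202:202): pid=1 uid=0 auid=1000 ses=3 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=pts/0 res=success'
type=SERVICE_STOP msg=audit(1731500200.303:203): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1731500300.404:204): pid=1 uid=0 auid=2001 ses=7 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

UNSET_AUID = "4294967295"  # auditd's value for "no login session" (e.g. boot/shutdown)

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value where the value is "quoted", 'quoted' or a bare token
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_fields(body: str) -> Dict[str, str]:
    """Parse auditd key=value pairs; pairs nested inside msg='...' are flattened."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(body):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_fields(raw[1:-1]))  # recurse into msg='...'
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_records(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one flat dict per audit record; non-record lines are skipped."""
    for line in log_text.splitlines():
        m = _HEADER.match(line)
        if not m:
            continue
        rec = {"type": m["type"], "time": m["ts"], "serial": m["serial"]}
        rec.update(parse_fields(m["body"]))
        yield rec


def detect_auditd_stops(log_text: str, host: str,
                        allowed_auids: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Return one finding per SERVICE_STOP of the auditd unit.

    Stops whose login user (auid) is in allowed_auids are dropped, mirroring the
    filter macro that suppresses known administrative maintenance."""
    allowed = set(allowed_auids or ())
    findings: List[Dict[str, str]] = []
    for rec in parse_records(log_text):
        if rec.get("type") != "SERVICE_STOP" or rec.get("unit") != "auditd":
            continue
        if rec.get("auid") in allowed:
            continue
        findings.append({
            "host": host,                 # assumed: supplied by the collector/forwarder
            "time": rec["time"],
            "serial": rec["serial"],
            "pid": rec.get("pid", ""),
            "uid": rec.get("uid", ""),
            "auid": rec.get("auid", ""),
            "comm": rec.get("comm", ""),
            "exe": rec.get("exe", ""),
            "result": rec.get("res", ""),
            # an interactive login session behind the stop is the stronger signal
            "from_login_session": str(rec.get("auid") != UNSET_AUID),
        })
    return findings


if __name__ == "__main__":
    for f in detect_auditd_stops(SAMPLE_AUDIT_LOG, "host-a"):
        print(f)
```

Run as a script, it reports the two auditd stops (serials 202 and 204) and ignores the sshd start and the cron stop; passing `allowed_auids={"2001"}` suppresses the second one the way a tuned filter macro would for a known maintenance account. In a Splunk deployment the same field extraction is done by the add-on and CIM normalization, and the allowlist lives in the rule's filter macro rather than in code.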
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1489
Created: 2024-11-13