
Summary
This rule detects suspicious access to, or modification of, the essential sshd_config file on Linux systems. Using data collected from Linux Auditd, it monitors command-line activity involving well-known text editors and file viewers such as 'cat', 'nano', 'vim', and 'vi'. The detection matters because unauthorized alterations to sshd_config, which controls SSH server settings, could let attackers redirect network traffic or use unauthorized keys, leading to privilege escalation or persistent backdoors and thereby posing a critical threat to system integrity. Implementation requires a properly configured Linux Auditd logging setup and the normalization of field names to align with the Splunk Common Information Model (CIM). This ensures effective monitoring, control, and mitigation of the risks surrounding unauthorized access to SSH configurations.
Categories
- Linux
- Endpoint
Data Sources
- Kernel
- Logon Session
- File
ATT&CK Techniques
- T1098
- T1098.004
Created: 2024-11-13