
Summary
This rule detects changes to the auditd configuration files on Linux systems. Tampering with these files is a common defense-evasion tactic: an adversary who can alter the audit configuration can disable or blind security auditing. The detection is a selection condition that triggers an alert whenever a file change is observed under '/etc/audit/*', in '/etc/libaudit.conf', or under '/etc/audisp/*'. Because auditing is critical to security monitoring, the rule carries a high severity level, reflecting the risk that unauthorized modification of these paths poses to the integrity of audit logging.
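The selection logic described above, as an added Python example that is not part of the original rule: it applies the three path patterns (with Sigma-style wildcards, where '*' also matches '/') to constructed file-change events in an assumed 'key=value' line format, and raises a high-severity alert for each match.

```python
import fnmatch
import os
from typing import Iterable, List, Dict

# Selection from the rule: any file change whose target path matches one of
# these patterns. Sigma-style '*' matches any characters, including '/', so
# '/etc/audit/*' also covers files in '/etc/audit/rules.d/'.
AUDITD_CONFIG_PATTERNS = ("/etc/audit/*", "/etc/libaudit.conf", "/etc/audisp/*")
SEVERITY = "high"


def matches_auditd_config(path: str) -> bool:
    """Return True if a changed file path falls under the rule's selection."""
    # Collapse '//' and '.' segments so '/etc//audit/auditd.conf' still matches;
    # note '/etc/audit' itself (no trailing slash) is a directory, not a match.
    normalised = os.path.normpath(path)
    return any(fnmatch.fnmatchcase(normalised, pat) for pat in AUDITD_CONFIG_PATTERNS)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' event line (assumed format)."""
    return {k: v for k, v in (tok.split("=", 1) for tok in line.split())}


def evaluate(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the selection over event lines and return one alert per matching change."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        path = event.get("TargetFilename", "")
        if matches_auditd_config(path):
            alerts.append({"severity": SEVERITY, "path": path,
                           "process": event.get("Image", "unknown")})
    return alerts


# Constructed sample events (not real telemetry); three should alert.
SAMPLE_EVENTS = [
    "type=file_change TargetFilename=/etc/audit/rules.d/audit.rules Image=/usr/bin/vim",
    "type=file_change TargetFilename=/etc/libaudit.conf Image=/usr/bin/sed",
    "type=file_change TargetFilename=/etc//audisp/plugins.d/syslog.conf Image=/usr/bin/cp",
    "type=file_change TargetFilename=/etc/auditd.conf.bak Image=/usr/bin/cp",
    "type=file_change TargetFilename=/var/log/audit/audit.log Image=/sbin/auditd",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The fourth and fifth samples show the rule's boundary: a similarly named file outside the configured paths and the audit log itself do not trigger it.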
Categories
- Linux
- Endpoint
- Cloud
- On-Premise
Data Sources
- File
- Process
Created: 2019-10-25