title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: test
description: Detect changes in auditd configuration files
author: Mikhail Larin, oscd.community
references:
  - https://github.com/Neo23x0/auditd/blob/master/audit.rules
  - self experience
date: 2019/10/25
modified: 2021/11/27
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: PATH
    name:
      - /etc/audit/*
      - /etc/libaudit.conf
      - /etc/audisp/*
  condition: selection
fields:
  - exe
  - comm
  - key
falsepositives:
  - Legitimate administrative activity
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.006