SigmaHQ/rules/linux/auditd/lnx_auditd_logging_config_change.yml

title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
description: Detect changes of syslog daemons configuration files
    # Example config for this one (place it at the top of audit.rules)
    # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
    # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
    # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
references:
    - self experience
tags:
    - attack.defense_evasion
    - attack.t1054    # an old one
    - attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
fields:
    - exe
    - comm
    - key
falsepositives:
    - Legitimate administrative activity
level: high