{"id":13540196,"url":"https://github.com/bfuzzy/auditd-attack","last_synced_at":"2025-04-02T07:30:34.405Z","repository":{"id":37768903,"uuid":"142580544","full_name":"bfuzzy/auditd-attack","owner":"bfuzzy","description":"A Linux Auditd rule set mapped to MITRE's Attack Framework","archived":false,"fork":false,"pushed_at":"2020-07-08T19:58:21.000Z","size":2114,"stargazers_count":777,"open_issues_count":3,"forks_count":131,"subscribers_count":62,"default_branch":"master","last_synced_at":"2024-08-01T09:26:15.552Z","etag":null,"topics":["attack-detection","auditd","linux","mitre-attack","threat-hunting"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bfuzzy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"auditd-attack.rules","citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-07-27T13:27:57.000Z","updated_at":"2024-07-30T02:34:14.000Z","dependencies_parsed_at":"2022-08-08T22:00:45.603Z","dependency_job_id":null,"html_url":"https://github.com/bfuzzy/auditd-attack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bfuzzy%2Fauditd-attack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bfuzzy%2Fauditd-attack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bfuzzy%2Fauditd-attack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bfuzzy%2Fauditd-attack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bfuzzy","download_url":"https://codeload.github.com/bfuzzy/auditd-attack/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222810298,"owners_count":17040999,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-detection","auditd","linux","mitre-attack","threat-hunting"],"created_at":"2024-08-01T09:01:42.494Z","updated_at":"2024-11-03T05:30:55.871Z","avatar_url":"https://github.com/bfuzzy.png","language":null,"readme":"# auditd-attack\nA Linux Auditd rule set mapped to MITRE's Attack Framework\n\n![](https://github.com/bfuzzy/auditd-attack/blob/master/attack_map.png) \n\n## Disclaimer\n\nPlease ensure you test these rules prior to pushing them into production. This rule set is NOT meant to have all of its rules enabled all at once (although that'd be ideal) it is setup to serve as guidance toward increasing detection/hunting coverage. \n\n## WIKI\n\n[WIKI](https://github.com/bfuzzy/auditd-attack/wiki/Audit-Event-Fields)\n\n\n## Special Thanks To:\n\n[Eric Gershman](https://github.com/EricGershman/auditd-examples)\n\n[iase.disa.mil](https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx)\n\n[cyb3rops](https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee)\n\n[ugurengin](https://gist.github.com/ugurengin/4d37ee83e87bc44291f8ae87a00504cd)\n\n[checkraze](https://github.com/checkraze/auditd-rules/blob/master/auditd.rules)\n\n[auditdBroFramework](https://github.com/set-element/auditdBroFramework/blob/master/system_config/audit.rules)\n\n[@MITREattack](https://twitter.com/MITREattack)\n\n\n## TODO\n- [ ] Increase MITRE ATT\u0026CK coverage\n- [ ] Test rules across multiple flavors of Linux\n- [ ] Determine performance impacts of the ruleset\n","funding_links":[],"categories":["\u003ca id=\"249c9d207ed6743e412c8c8bcd8a2927\"\u003e\u003c/a\u003eMitreATT\u0026CK","Others (1002)","Others","\u003ca id=\"a88c0c355b342b835fb42abee283bd71\"\u003e\u003c/a\u003e工具","Secure Programming"],"sub_categories":["\u003ca id=\"f2c76d99a0b1fda124d210bd1bbc8f3f\"\u003e\u003c/a\u003eWordlist生成","\u003ca id=\"6ab6835b55cf5c8462c4229a4a0ee94c\"\u003e\u003c/a\u003e未分类的","Fuzzing"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbfuzzy%2Fauditd-attack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbfuzzy%2Fauditd-attack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbfuzzy%2Fauditd-attack/lists"}