Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bfuzzy/auditd-attack
A Linux Auditd rule set mapped to MITRE's Attack Framework
https://github.com/bfuzzy/auditd-attack
attack-detection auditd linux mitre-attack threat-hunting
Last synced: about 1 month ago
JSON representation
A Linux Auditd rule set mapped to MITRE's Attack Framework
- Host: GitHub
- URL: https://github.com/bfuzzy/auditd-attack
- Owner: bfuzzy
- License: mit
- Created: 2018-07-27T13:27:57.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2020-07-08T19:58:21.000Z (over 4 years ago)
- Last Synced: 2024-08-01T09:26:15.552Z (4 months ago)
- Topics: attack-detection, auditd, linux, mitre-attack, threat-hunting
- Homepage:
- Size: 2.02 MB
- Stars: 777
- Watchers: 62
- Forks: 131
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Audit: auditd-attack.rules
Awesome Lists containing this project
- awesome-hacking-lists - bfuzzy/auditd-attack - A Linux Auditd rule set mapped to MITRE's Attack Framework (Others)
README
# auditd-attack
A Linux Auditd rule set mapped to MITRE's Attack Framework![](https://github.com/bfuzzy/auditd-attack/blob/master/attack_map.png)
## Disclaimer
Please ensure you test these rules prior to pushing them into production. This rule set is NOT meant to have all of its rules enabled all at once (although that'd be ideal) it is setup to serve as guidance toward increasing detection/hunting coverage.
## WIKI
[WIKI](https://github.com/bfuzzy/auditd-attack/wiki/Audit-Event-Fields)
## Special Thanks To:
[Eric Gershman](https://github.com/EricGershman/auditd-examples)
[iase.disa.mil](https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx)
[cyb3rops](https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee)
[ugurengin](https://gist.github.com/ugurengin/4d37ee83e87bc44291f8ae87a00504cd)
[checkraze](https://github.com/checkraze/auditd-rules/blob/master/auditd.rules)
[auditdBroFramework](https://github.com/set-element/auditdBroFramework/blob/master/system_config/audit.rules)
[@MITREattack](https://twitter.com/MITREattack)
## TODO
- [ ] Increase MITRE ATT&CK coverage
- [ ] Test rules across multiple flavors of Linux
- [ ] Determine performance impacts of the ruleset