auditd-attack: Linux Auditd rule set mapped to MITRE’s Attack Framework
auditd-attack
A Linux Auditd rule set mapped to MITRE’s Attack Framework
Login Events
| Event | Description |
|---|---|
| AUDIT_CRYPTO_KEY_USER | Create delete negotiate crypto keys |
| AUDIT_CRYPTO_SESSION | Record parameters set during TLS session establishment |
| AUDIT_USER_AUTH | User system access authentication |
| AUDIT_LOGIN | Define the login id and information |
| AUDIT_USER_ACCT | User system access authorization |
| AUDIT_USER_CHAUTHTOK | User acct password or pin changed |
| AUDIT_USER_ERR | User acct state error |
| AUDIT_CRED_ACQ | User credential acquired |
| AUDIT_USER_ROLE_CHANGE | User changed to a new role |
| AUDIT_USER_START | User session start |
| AUDIT_USER_LOGIN | User has logged in |
| AUDIT_CRED_REFR | User credential refreshed |
| AUDIT_GRP_AUTH | Authentication for group password |
| AUDIT_CHUSER_ID | Changed user ID supplemental data |
| AUDIT_CHGRP_ID | User space group ID changed |
| AUDIT_USER_LOGOUT | User has logged out |
| AUDIT_USER_END | User session end |
| AUDIT_CRED_DISP | User credential disposed |
| AUDIT_ANOM_LOGIN_FAILURES | Failed login limit reached |
| AUDIT_ANOM_LOGIN_TIME | Login attempted at bad time |
| AUDIT_ANOM_LOGIN_SESSIONS | Max concurrent sessions reached |
| AUDIT_ANOM_LOGIN_ACCT | Login attempted to watched acct |
| AUDIT_ANOM_LOGIN_LOCATION | Login from forbidden location |
More…
Download
git clone https://github.com/bfuzzy/auditd-attack.git
Copyright (c) 2018 bfuzzy
