← Library
splApache-2.0from splunk/security_content

Linux Auditd Auditd Daemon Abort

The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root cause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_auditd_daemon_abort.yml
`linux_auditd` type=DAEMON_ABORT
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY type op res
       uid dest pid
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_auditd_daemon_abort_filter`