← Library
splApache-2.0from splunk/security_content

Linux Auditd Auditd Daemon Start

The following analytic detects the (re)initialization of the Linux audit daemon (auditd) by identifying log entries of type DAEMON_START. This event indicates that the audit subsystem has resumed logging after being stopped or has started during system boot. While DAEMON_START may be expected during reboots or legitimate configuration changes, it can also signal attempts to re-enable audit logging after evasion, or restarts with modified or reduced rule sets. Monitoring this event in correlation with DAEMON_END, DAEMON_ABORT, and auditctl activity provides visibility into the continuity and integrity of audit logs. Frequent or unexplained DAEMON_START events should be investigated, especially if they are not accompanied by valid administrative or system activity.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_auditd_daemon_start.yml
`linux_auditd` type=DAEMON_START
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY type op res
       auid dest pid
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_auditd_daemon_start_filter`