Linux Auditd Possible Access Or Modification Of Sshd Config File

The following analytic detects access, deletion or modification of the ssh_config file on Linux systems. It leverages data from Linux Auditd, focusing on events of type PATH with a nametype of ("NORMAL", "CREATE", "DELETE"). This activity could be significant because unauthorized changes to ssh_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.