auditd rules
Are all of auditd rules required to write config in audit.rules?
I've only used auditd one time, but look at https://github.com/Neo23x0/auditd
Are all of auditd rules required to write config in audit.rules?
If you're using a service like the default auditd on CentOS or similar, then the rules are located in audit.rules and are read from the location /etc/audit/rules.d/audit.rules. If you use Elastic, then you might use a tool like auditbeat, which will replace auditd as the client for the logs, and the location of the rules can be set from a config file.
Whatever you choose, the location of the rules is documented in the docs, and SIGMA is independent of that.
To give you a quick explanation: the auditd rules found in the SigmaHQ repository use a log source called service: auditd. This log source is mapped to different backends; here are a couple of examples.
During rule conversion, SIGMA will convert the rules based on these fields and it has nothing to do with the configuration of auditd on a system.
So you can use whatever you like; just make sure that everything is set up correctly.
Hope this helps.