security_content/data_sources/linux_auditd_syscall.yml at develop · tapishj-splunk/security_content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: Linux Auditd Syscall
id: 4dff7047-0d43-4096-bb3f-b756c889bbad
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
description: Data source object for Linux Auditd Syscall Type
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
  url: https://splunkbase.splunk.com/app/833
  version: 9.2.0
fields:
- msg
- type
- msg
- arch
- syscall
- success
- exit
- a1
- a2
- a3
- items
- ppid
- pid
- auid
- uid
- gid
- euid
- suid
- fsuid
- egid
- sgid
- fsgid
- tty
- ses
- comm
- exe
- subj
- key
- ARCH
- SYSCALL
- AUID
- UID
- GID
- EUID
- SUID
- FSUID
- EGID
- SGID
- FSGID
example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'