A Linux Auditd rule set mapped to MITRE's Attack Framework
Repository files (latest commit message, commit date):

  • LICENSE: Initial commit (Jul 27, 2018)
  • README.md: Update README.md (Nov 20, 2018)
  • attack_map.png: Updated ATT&CK Mappings (Nov 19, 2018)
  • auditd-attack.rules: Commented out Ignoring SELinux IT IS bad practice (Nov 27, 2018)
  • base_config.rules: base config (Oct 26, 2018)
  • layer-2.json: Updated ATT&CK Mapping (Nov 19, 2018)

README.md

auditd-attack

Disclaimer

Please ensure you test these rules prior to pushing them into production. This rule set is NOT meant to have all of its rules enabled at once (although that would be ideal); it is set up to serve as guidance toward increasing detection/hunting coverage.

WIKI

Special Thanks To:

Eric Gershman

iase.disa.mil

cyb3rops

ugurengin

checkraze

auditdBroFramework

@MITREattack

TODO

  • Increase MITRE ATT&CK coverage
  • Test rules across multiple flavors of Linux
  • Determine performance impacts of the ruleset