linux_auditd_path.yml
name: Linux Auditd Path
id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
version: 2
date: '2025-02-20'
author: Teoderick Contreras, Splunk
description: Logs file system access events on a Linux system, including details about
  file paths, permissions, and associated processes.
mitre_components:
- File Access
- File Metadata
- Process Metadata
- OS API Execution
- Application Log Content
source: auditd
sourcetype: auditd
separator: type
separator_value: PATH
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
  url: https://splunkbase.splunk.com/app/833
  version: 10.1.0
fields:
- msg
- type
- item
- name
- inode
- dev
- mode
- ouid
- ogid
- rdev
- nametype
- cap_fp
- cap_fi
- cap_fe
- cap_fver
- cap_frootid
- OUID
- OGID
example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~"
  inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0
  cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'