Awesome Open Source
Awesome Open Source

auditd-attack

A Linux Auditd rule set mapped to MITRE's Attack Framework

Disclaimer

Please ensure you test these rules prior to pushing them into production. This rule set is NOT meant to have all of its rules enabled all at once (although that'd be ideal) it is setup to serve as guidance toward increasing detection/hunting coverage.

WIKI

WIKI

Special Thanks To:

Eric Gershman

iase.disa.mil

cyb3rops

ugurengin

checkraze

auditdBroFramework

@MITREattack

TODO

  • [ ] Increase MITRE ATT&CK coverage
  • [ ] Test rules across multiple flavors of Linux
  • [ ] Determine performance impacts of the ruleset

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
linux (2,467
threat-hunting (67
mitre-attack (29