Disabling or modifying the Linux Audit system through process termination (auditd killed), service management (systemctl stop auditd), or tampering with rule/configuration files (/etc/audit/audit.rules, audit.conf). Defender view: suspicious execution of auditctl/systemctl commands, file modifications to audit rules, or sudden absence of audit logs correlated with privileged execution.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | Execution of auditctl, systemctl stop auditd, or kill -9 auditd |
| Process Modification (DC0020) | auditd:SYSCALL | kill syscalls targeting auditd process |
| File Modification (DC0061) | auditd:FILE | Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf |
| Service Metadata (DC0041) | linux:syslog | auditd service stopped or disabled |

| Field | Description |
|---|---|
| ServiceWhitelist | Exclude legitimate administrative service stops during system maintenance. |
| FilePathScope | Specify monitored paths (/etc/audit/audit.rules, audit.conf) to avoid false positives from unrelated file writes. |
| TimeWindow | Correlate suspicious commands, file modifications, and audit log gaps in short succession. |
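Added example, not part of the original page or of any project's code: a small Python detector that applies the channels above (EXECVE, CONFIG_CHANGE, PATH records) to constructed auditd-style log lines and correlates distinct tamper signals inside a TimeWindow. The function and signal names are hypothetical, and the sample records are constructed rather than captured.

```python
import re
AUDIT_RULE_PATHS = {"/etc/audit/audit.rules", "/etc/audit/audit.conf"}  # paths named on the page (FilePathScope)
RE_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):\d+\): (.*)$')
RE_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample records in auditd's key=value format (not a real capture; serials are arbitrary).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.100:101): argc=3 a0="systemctl" a1="stop" a2="auditd"
type=EXECVE msg=audit(1700000001.200:102): argc=3 a0="/sbin/auditctl" a1="-e" a2="0"
type=CONFIG_CHANGE msg=audit(1700000001.250:103): audit_enabled=0 old=1 auid=1000 ses=3 res=1
type=PATH msg=audit(1700000002.300:104): item=0 name="/etc/audit/audit.rules" inode=1234 nametype=NORMAL
type=EXECVE msg=audit(1700000900.000:105): argc=3 a0="systemctl" a1="restart" a2="sshd"
"""

def parse_record(line):
    """Parse one audit record into a dict with its type, ts (float seconds) and key=value fields."""
    m = RE_HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, rest = m.groups()
    fields = {k: (inner if raw.startswith('"') else raw) for k, raw, inner in RE_KV.findall(rest)}
    return {"type": rtype, "ts": float(ts), **fields}

def classify(rec):
    """Map a parsed record to a tamper signal name, or None if it is benign."""
    if rec["type"] == "EXECVE":
        argv = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""  # strip any leading path
        if prog == "auditctl" and ({"-e", "0"} <= set(argv) or "-D" in argv):
            return "audit_disabled_via_auditctl"
        if prog in ("systemctl", "service") and "auditd" in argv and {"stop", "disable", "mask"} & set(argv):
            return "auditd_service_stop"
        if prog in ("pkill", "killall") and "auditd" in argv:
            return "auditd_process_kill"
    elif rec["type"] == "CONFIG_CHANGE" and rec.get("audit_enabled") == "0":
        return "audit_enabled_cleared"  # kernel-side confirmation that auditing was switched off
    elif rec["type"] == "PATH" and rec.get("name") in AUDIT_RULE_PATHS:
        return "audit_rule_file_modified"
    return None

def detect(log_text, window_s=60.0):
    """Return (hits, correlated): each hit as (ts, signal), plus sets of distinct signals seen within window_s."""
    hits = [(r["ts"], s) for r in map(parse_record, log_text.splitlines())
            if r and (s := classify(r))]
    correlated = []
    for i, (ts, _) in enumerate(hits):
        cluster = {s for t, s in hits[i:] if t - ts <= window_s}
        if len(cluster) >= 2 and not any(cluster <= c for c in correlated):
            correlated.append(cluster)
    return hits, correlated
```

Running `detect(SAMPLE_LOG)` yields four individual hits and one correlated cluster; the later `systemctl restart sshd` record produces nothing, which is where a ServiceWhitelist would be applied for legitimate maintenance.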