Data Source: Linux Auditd Syscall

Description

Logs system calls made by processes on a Linux system, including details about the syscall number, arguments, return values, and associated process metadata.

Details

Property    Value
Source      auditd
Sourcetype  auditd
Separator   type
Detections

Name                                                       Technique                                Type
Linux Auditd At Application Execution                      At                                       Anomaly
Linux Auditd Data Transfer Size Limits Via Split Syscall   Data Transfer Size Limits                Anomaly
Linux Auditd Doas Tool Execution                           Sudo and Sudo Caching                    Anomaly
Linux Auditd Edit Cron Table Parameter                     Cron                                     Anomaly
Linux Auditd Insert Kernel Module Using Insmod Utility     Kernel Modules and Extensions            Anomaly
Linux Auditd Install Kernel Module Using Modprobe Utility  Kernel Modules and Extensions            Anomaly
Linux Auditd Kernel Module Enumeration                     System Information Discovery, Rootkit    Anomaly
Linux Auditd Kernel Module Using Rmmod Utility             Kernel Modules and Extensions            TTP
Linux Auditd System Network Configuration Discovery        System Network Configuration Discovery   Anomaly
Linux Auditd Whoami User Discovery                         System Owner/User Discovery              Anomaly

Supported Apps

Event Fields

Fields

  • type
  • msg
  • arch
  • syscall
  • success
  • exit
  • a1
  • a2
  • a3
  • items
  • ppid
  • pid
  • auid
  • uid
  • gid
  • euid
  • suid
  • fsuid
  • egid
  • sgid
  • fsgid
  • tty
  • ses
  • comm
  • exe
  • subj
  • key
  • ARCH
  • SYSCALL
  • AUID
  • UID
  • GID
  • EUID
  • SUID
  • FSUID
  • EGID
  • SGID
  • FSGID

The upper-case fields (ARCH, SYSCALL, AUID, UID, ...) are the human-readable interpretations of the numeric fields of the same name; auditd appends them only when it is configured with log_format = ENRICHED, so searches that must work on both formats should key on the lower-case raw fields.

Example Log

type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

Required Output Fields

  • comm
  • exe
  • syscall
  • uid
  • ppid
  • pid
  • dest
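An added example, not code from the original page or from the Splunk security content project: it parses the SYSCALL record shown under Example Log into the fields listed above and projects the result onto the Required Output Fields. The `host` argument is an assumption, since the raw record carries no hostname and `dest` has to be supplied by the collector.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the SYSCALL record shown on this page (enriched format).
SAMPLE = (
    'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 '
    'items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" '
    'subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" '
    'UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" '
    'SGID="root" FSGID="root"'
)

# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch seconds>.<millis>:<serial>): the serial ties this record to its
# PATH/CWD/EXECVE records from the same event.
_MSG = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):?')

REQUIRED = ("comm", "exe", "syscall", "uid", "ppid", "pid", "dest")


def parse_syscall_record(line: str, host: str) -> dict:
    """Parse one auditd SYSCALL record into a flat dict of fields.
    `host` is an assumption: the record has no hostname, so the collector supplies it."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    m = _MSG.fullmatch(fields.get("msg", ""))
    if not m:
        raise ValueError("unrecognised msg header")
    secs, frac, serial = m.groups()
    fields["_time"] = datetime.fromtimestamp(float(f"{secs}.{frac}"), tz=timezone.utc)
    fields["serial"] = int(serial)
    fields["dest"] = host
    return fields


def required_output(fields: dict) -> dict:
    """Project a parsed record onto the Required Output Fields.
    Rejects the record rather than emitting an incomplete event if any are missing."""
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError(f"missing required output fields: {missing}")
    return {f: fields[f] for f in REQUIRED}
```

Field names are case-sensitive: `syscall=59` is the raw number and `SYSCALL=execve` the enriched name, so a detection keyed on the numeric field still works when enrichment is off.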


Source: GitHub | Version: 2