Data Source: Linux Auditd Proctitle

Description

Records the full command line of a process (the argv in effect when the audited syscall fired), giving visibility into the command that ran and its parameters. auditd emits it as a PROCTITLE record that shares its audit serial number with the SYSCALL and EXECVE records of the same event. The proctitle value is hex-encoded whenever it contains bytes outside plain printable text, which is always the case for a command with arguments because the argv elements are separated by NUL bytes. Two caveats for detection use: the kernel caps the captured string at 128 bytes, so long command lines are cut off, and the value is read from the process's own memory, so a process that rewrites its argv (as some daemons and some malware do) shows the rewritten title rather than the command it was started with. The EXECVE record's a0..aN fields are the more reliable source for the original arguments; proctitle is the convenient one-field view.

Details

Property   | Value
Source     | auditd
Sourcetype | auditd
Separator  | type
Name | Technique | Type
Linux Auditd Add User Account | Local Account | Anomaly
Linux Auditd AI CLI Permission Override Activated | Execution Guardrails | Anomaly
Linux Auditd Change File Owner To Root | Linux and Mac File and Directory Permissions Modification | Anomaly
Linux Auditd Data Destruction Command | Data Destruction | TTP
Linux Auditd Dd File Overwrite | Data Destruction | TTP
Linux Auditd File Permission Modification Via Chmod | Linux and Mac File and Directory Permissions Modification | Anomaly
Linux Auditd Nopasswd Entry In Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Auditd Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Linux Auditd Service Restarted | Systemd Timers | Anomaly
Linux Auditd Service Started | Service Execution | Anomaly
Linux Auditd Setuid Using Chmod Utility | Setuid and Setgid | Anomaly
Linux Auditd Shred Overwrite Command | Data Destruction | TTP
Linux Auditd Sudo Or Su Execution | Sudo and Sudo Caching | Anomaly

Supported Apps

Event Fields

proctitle
msg
type

Example Log

type=PROCTITLE msg=audit(1722944427.844:4146): proctitle=63686D6F640037373700312E7368

The proctitle value is hex: 63686D6F64 00 373737 00 312E7368 decodes to the bytes chmod, 777 and 1.sh separated by NUL, i.e. the command line chmod 777 1.sh. In the msg field, 1722944427.844 is the epoch timestamp and 4146 the audit serial number shared by the other records (SYSCALL, EXECVE, CWD, PATH) of the same event.
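The following is an added example, not code from the Splunk Security Content page or from the detections it lists. It parses PROCTITLE lines like the one above, hex-decodes the proctitle field back into argv, flags the kernel's 128-byte truncation, and runs a handful of command-line checks whose names mirror detections in the table (chmod setuid, world-writable chmod, dd overwrite, shred, sudo/su). The matching rules are my own approximations of what those detections look for, not the SPL they actually use; the fixture lines other than the page's own example are constructed here, with invented serial numbers and timestamps.

```python
"""Decode auditd PROCTITLE records and run simple command-line checks over them.

Added example; not code from the Splunk Security Content page. The check names
mirror detections listed on the page, but the matching rules are approximations
written for this example, not the SPL those detections use.
"""
import binascii
import re
from typing import Dict, List, Optional

# type=PROCTITLE msg=audit(<epoch.millis>:<serial>): proctitle=<hex or "quoted">
PROCTITLE_RE = re.compile(
    r'^type=PROCTITLE msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'proctitle=(?P<val>"[^"]*"|[0-9A-Fa-f]+)\s*$'
)
# Kernel cap on the captured command line (MAX_PROCTITLE_AUDIT_LEN in
# kernel/auditsc.c); longer argv is silently cut, so a value of exactly
# this size should be treated as possibly incomplete.
PROCTITLE_MAX = 128

SETUID_NUMERIC_RE = re.compile(r"^[2-7][0-7]{3}$")          # 4-digit mode with setuid/setgid bit
SETUID_SYMBOLIC_RE = re.compile(r"^[ugoa]*[+=][rwxXt]*s")    # u+s, g+s, a+rs, ...
WORLD_WRITE_NUMERIC_RE = re.compile(r"^[0-7]?[0-7]{2}[2367]$")  # "others" get write (777, 666, 4757)
WORLD_WRITE_SYMBOLIC_RE = re.compile(r"^[ugoa]*[oa][ugoa]*[+=][rwxXst]*w")  # o+w, a+rw, go+w


def decode_proctitle(value: str) -> List[str]:
    """Turn the raw proctitle field into an argv list.

    auditd prints the value quoted when it is plain printable text and as a
    hex string otherwise. argv elements are NUL-separated, so anything with
    more than one argument arrives hex-encoded.
    """
    if value.startswith('"'):
        return [value.strip('"')]
    raw = binascii.unhexlify(value)
    return [p.decode("utf-8", "replace") for p in raw.rstrip(b"\0").split(b"\0")]


def encode_proctitle(argv: List[str]) -> str:
    """Simplified inverse of decode_proctitle; used here only to build fixtures."""
    if len(argv) == 1 and argv[0].isprintable() and " " not in argv[0]:
        return '"%s"' % argv[0]
    return binascii.hexlify("\0".join(argv).encode()).decode().upper()


def parse_line(line: str) -> Optional[Dict]:
    """Parse one PROCTITLE line; returns None for any other record type."""
    m = PROCTITLE_RE.match(line)
    if not m:
        return None
    val = m.group("val")
    raw_len = len(val) - 2 if val.startswith('"') else len(val) // 2
    return {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "argv": decode_proctitle(val), "truncated": raw_len >= PROCTITLE_MAX}


def classify(argv: List[str]) -> List[str]:
    """Names of the illustrative checks this command line trips."""
    if not argv:
        return []
    cmd = argv[0].rsplit("/", 1)[-1]   # basename, so /usr/bin/sudo still matches
    args = argv[1:]
    hits = []
    if cmd in ("sudo", "su"):
        hits.append("sudo_or_su_execution")
    if cmd == "chmod":
        modes = [a for a in args if not a.startswith("-")]
        if any(SETUID_NUMERIC_RE.match(a) or SETUID_SYMBOLIC_RE.match(a) for a in modes):
            hits.append("setuid_using_chmod")
        if any(WORLD_WRITE_NUMERIC_RE.match(a) or WORLD_WRITE_SYMBOLIC_RE.match(a) for a in modes):
            hits.append("file_permission_modification_via_chmod")
    if cmd == "dd" and any(a.startswith("of=") for a in args):
        hits.append("dd_file_overwrite")
    if cmd == "shred":
        hits.append("shred_overwrite")
    return hits


def scan(lines: List[str]) -> List[Dict]:
    """Parse every PROCTITLE line in order and attach the checks it trips."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec["hits"] = classify(rec["argv"])
            out.append(rec)
    return out


# Constructed fixtures: the first line is the page's own example record; the
# rest are invented here (serials, timestamps and commands) via encode_proctitle.
SAMPLE_LINES = [
    "type=PROCTITLE msg=audit(1722944427.844:4146): proctitle=63686D6F640037373700312E7368",
] + [
    "type=PROCTITLE msg=audit(1722944500.%03d:%d): proctitle=%s"
    % (i, 4200 + i, encode_proctitle(argv))
    for i, argv in enumerate([
        ["chmod", "u+s", "/tmp/x"],
        ["dd", "if=/dev/zero", "of=/dev/sda", "bs=1M"],
        ["shred", "-u", "-z", "secrets.txt"],
        ["/usr/bin/sudo", "-i"],
        ["bash"],
    ])
] + ["type=SYSCALL msg=audit(1722944500.006:4206): arch=c000003e syscall=59 success=yes"]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LINES):
        print(rec["serial"], rec["argv"], rec["hits"], "TRUNCATED" if rec["truncated"] else "")
```

Correlating the `serial` field back to the SYSCALL record of the same event is what a real pipeline would do next; proctitle alone tells you what ran, not who ran it or whether it succeeded.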

Source: GitHub | Version: 2