elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Sudoers File Modification #2558

Closed DefSecSentinel closed 4 months ago

DefSecSentinel commented 1 year ago

Link to rule

https://github.com/elastic/detection-rules/blob/f04ebf277c08aa4a8f4cc5454fa8b60ede9126f7/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml#L12

Description

Tune to exclude FP process executable patterns. Excluding vim, vi, nano, pico, visudo, kandji-parameter-agent and jumpcloud-agent.

swiftbird07 commented 1 year ago

Sorry for copy-pasting, but the same applies here:

My opinion: I generally see that false positives are annoying when editing the host file via nano or vim, but I would argue that information that a host file was modified, even via a well-known file editor, should still be alerted on. A threat actor could modify the file via the mentioned tools and nobody would ever know about it. Nevertheless, I am still on board with whitelisting the obvious FPs.
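An added example, not code from the elastic/detection-rules project or from either commenter: a small Python model of the sudoers rule before and after the process exclusions proposed in the issue description, evaluated over constructed file-change events. The file path patterns and the `event.category`/`event.type` field values are assumptions approximating the rule's match conditions; the exclusion list is the one named in the description. The `suppressed_by_tuning` helper makes the trade-off from the comment above concrete: an edit of `/etc/sudoers` made through nano is dropped by the tuned rule, while edits made by a shell or interpreter still alert.

```python
import fnmatch

# Assumed path patterns approximating the rule's sudoers match (Linux and macOS)
SUDOERS_PATHS = ("/etc/sudoers*", "/private/etc/sudoers*")

# Process names the issue proposes to exclude as known false-positive sources
EXCLUDED_PROCESSES = frozenset({
    "vim", "vi", "nano", "pico", "visudo",
    "kandji-parameter-agent", "jumpcloud-agent",
})


def _is_sudoers_change(event):
    """True when the event is a file change under a sudoers path (assumed shape)."""
    path = event.get("file.path", "")
    return (
        event.get("event.category") == "file"
        and event.get("event.type") == "change"
        and any(fnmatch.fnmatchcase(path, pattern) for pattern in SUDOERS_PATHS)
    )


def base_rule(event):
    """Untuned rule: every sudoers change alerts, whatever process made it."""
    return _is_sudoers_change(event)


def tuned_rule(event):
    """Tuned rule: same match, minus the excluded editor/agent process names."""
    return _is_sudoers_change(event) and event.get("process.name") not in EXCLUDED_PROCESSES


def alerts(events, rule):
    """Return the ids of the events that the given rule would alert on."""
    return [e["id"] for e in events if rule(e)]


def suppressed_by_tuning(events):
    """Events the untuned rule catches but the tuned rule silently drops."""
    return [e["id"] for e in events if base_rule(e) and not tuned_rule(e)]


# Constructed sample events (not real telemetry), flattened ECS-style field names
SAMPLE_EVENTS = [
    {"id": "e1", "event.category": "file", "event.type": "change",
     "file.path": "/etc/sudoers", "process.name": "visudo"},
    {"id": "e2", "event.category": "file", "event.type": "change",
     "file.path": "/etc/sudoers.d/90-cloud-init-users", "process.name": "jumpcloud-agent"},
    # An edit through a plain editor: benign admin, or the case the comment worries about
    {"id": "e3", "event.category": "file", "event.type": "change",
     "file.path": "/etc/sudoers", "process.name": "nano"},
    {"id": "e4", "event.category": "file", "event.type": "change",
     "file.path": "/etc/sudoers.d/50-ops", "process.name": "bash"},
    {"id": "e5", "event.category": "file", "event.type": "change",
     "file.path": "/private/etc/sudoers", "process.name": "python3"},
    # Not a sudoers path: neither version of the rule should fire
    {"id": "e6", "event.category": "file", "event.type": "change",
     "file.path": "/etc/hosts", "process.name": "vim"},
]


if __name__ == "__main__":
    print("untuned alerts:", alerts(SAMPLE_EVENTS, base_rule))
    print("tuned alerts:  ", alerts(SAMPLE_EVENTS, tuned_rule))
    print("suppressed:    ", suppressed_by_tuning(SAMPLE_EVENTS))
```

Running the script lists `e1`..`e5` for the untuned rule, only `e4` and `e5` for the tuned one, and `e1`, `e2`, `e3` as suppressed; reviewing that suppressed set before shipping an exclusion is the check that tells you what coverage the tuning gives up.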

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

swiftbird07 commented 4 months ago

So, how was this handled?