Auditd Field Spoofing: Now You Auditd Me, Now You Auditdon’t
ID: 49085d3c-9268-5b41-beb5-67f964cd638c
STIX ID: report--49085d3c-9268-5b41-beb5-67f964cd638c
Feed Name: Black Hills Infosec Blog
This report walks through kernel-source analysis and a userspace proof-of-concept that changes a process's audit user id (auid, also called loginuid) by writing to /proc/<pid>/loginuid from a process holding CAP_AUDIT_CONTROL. It demonstrates the resulting audit log behavior (the kernel emits a LOGIN record that carries both the old-auid and the new auid, so the change itself is visible if the record is collected) and provides detection and mitigation recommendations, for example ensuring that LOGIN events are forwarded to the SIEM and considering making the audit loginuid immutable so that it cannot be rewritten once set.
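The detection recommendation above (collect LOGIN records and watch the old-auid field) can be checked mechanically. The following is an added example, not code from the Black Hills Infosec post or its proof-of-concept: it parses kernel audit records in the standard key=value format and flags every LOGIN record whose old-auid was already a real uid, because on an unmodified system a process's loginuid moves from the unset value (4294967295, i.e. (uid_t)-1) to a uid exactly once at session start, and a second transition between two set values is what a /proc/<pid>/loginuid rewrite looks like. The sample records, the pids, uids and event ids in them are constructed for the example; the field names (old-auid, auid, old-ses, ses, res) are the kernel's own. A refused rewrite is logged with res=0, which the example keeps as an attempt rather than discarding.

```python
"""Flag audit LOGIN records that rewrite an already-set auid (loginuid)."""
import re

# (uid_t)-1: the kernel's value for an unset audit user id.
AUID_UNSET = 4294967295

# Constructed sample records (not captured from a real system), in the
# standard kernel audit record format:
#   record 1: normal session start, auid goes from unset to 1000
#   record 2: the same pid rewrites its auid from 1000 to 0 (spoofing)
#   record 3: a later syscall by that pid now carries the forged auid=0
#   record 4: the same rewrite refused by the kernel (res=0), as seen
#             when loginuid has been made immutable
SAMPLE_RECORDS = [
    'type=LOGIN msg=audit(1700000000.101:201): pid=4242 uid=0 '
    'old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=7 res=1',
    'type=LOGIN msg=audit(1700000000.150:202): pid=4242 uid=1000 '
    'old-auid=1000 auid=0 tty=(none) old-ses=7 ses=7 res=1',
    'type=SYSCALL msg=audit(1700000000.151:203): arch=c000003e syscall=1 '
    'success=yes exit=5 ppid=4241 pid=4242 auid=0 uid=1000 comm="poc" exe="/tmp/poc"',
    'type=LOGIN msg=audit(1700000000.200:204): pid=5151 uid=1000 '
    'old-auid=1000 auid=0 tty=(none) old-ses=8 ses=8 res=0',
]

# key=value tokens; a value may be double-quoted, parenthesised like
# tty=(none), or bare. The msg=audit(...): token is parsed as a bare value.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Parse one audit record into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def detect_auid_rewrites(lines):
    """Return one alert per LOGIN record whose old-auid was already set.

    A first-time set (old-auid unset) is normal login activity and is
    ignored, as is a rewrite to the same value. Anything else is a
    transition that needs CAP_AUDIT_CONTROL and a non-immutable loginuid,
    so it is reported; res=0 records (refused by the kernel) are reported
    as attempts.
    """
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "LOGIN":
            continue
        try:
            old_auid = int(rec["old-auid"])
            new_auid = int(rec["auid"])
        except (KeyError, ValueError):
            continue  # older kernel without old-auid, or malformed record
        if old_auid == AUID_UNSET or old_auid == new_auid:
            continue
        alerts.append({
            "pid": int(rec["pid"]),
            "old_auid": old_auid,
            "new_auid": new_auid,
            "succeeded": rec.get("res") == "1",
            "event": rec.get("msg", ""),
        })
    return alerts


def original_auid_for(lines, pid):
    """Recover the auid a pid really started with: the value set by its
    first LOGIN record, the one whose old-auid is the unset marker."""
    for line in lines:
        rec = parse_record(line)
        if (rec.get("type") == "LOGIN" and rec.get("pid") == str(pid)
                and rec.get("old-auid") == str(AUID_UNSET)):
            return int(rec["auid"])
    return None


if __name__ == "__main__":
    for alert in detect_auid_rewrites(SAMPLE_RECORDS):
        verdict = "rewrote" if alert["succeeded"] else "tried to rewrite"
        origin = original_auid_for(SAMPLE_RECORDS, alert["pid"])
        print(f"pid {alert['pid']} {verdict} auid {alert['old_auid']} -> "
              f"{alert['new_auid']} (auid at session start: {origin})")
```

Run against a real audit.log the same logic applies unchanged, but note that it only works if LOGIN records actually reach the collector: later SYSCALL records from the spoofing process (record 3 above) carry the forged auid with no hint that it was changed, which is why the report stresses forwarding LOGIN events.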
