This collection aims at detecting (when possible) local privilege escalation attacks.

• CVE-2021-4034 : Detect exploitation of pkexec vulnerability

⚠️ Please note those scenarios are detection only, and are very likely to be bypassed by smart attackers, do not rely solely on them ⚠️

Example acquisition for this collection :

1filenames:
2  - /var/log/auth.log
3  - /var/log/kern.log
4labels:
5  type: syslog

If you want to get kernel log through journalctl

1source: journalctl
2journalctl_filter:
3  - "-k"
4labels:
5  type: syslog

notes :

• Depending on your distribution/OS, paths to log files might change
• Only relevant if you are manually installing collection
• CVE-2023-4911 needs kernel log detection, either kern.log or through journalctl filtering