Linux Auditd app for Splunk

Douglas Brown doug.brown at qut.edu.au
Thu Mar 31 05:18:22 UTC 2016


Hi Farhan,

Good question. There’s no source of truth (that I know of) for the severity of auditd event types so I created a lookup based upon my experience. Here it is: https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver/addons/TA_linux-auditd/lookups/audit_types.csv

Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)

The app has three identities lookups it merges together: local, directory and learnt. The first two you’re meant to populate (see here for more details: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration), but technically you don’t have to bother because version 2 automatically learns posix identities being used in your environment by periodically updating the ‘learnt’ lookup based upon USER_START events.

Cheers,
Doug
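
The identity learning described above (an auid-to-username map built from USER_START events, then merged with local and directory lookups), as an added example that is not the app's own code; the sample audit lines, the lookup column names and the local > directory > learnt precedence are assumptions made for this illustration:

```python
import csv
import io
import re

# Constructed sample auditd lines for this example (not from the list post or the app).
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1459401000.101:201): pid=2001 uid=0 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_unix acct="farhan" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1459401050.202:202): pid=2050 uid=0 auid=1001 ses=8 msg='op=PAM:session_open grantors=pam_unix acct="doug" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=success'
type=USER_START msg=audit(1459401099.303:203): pid=2099 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1459401120.404:204): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 ses=7 comm="ls" exe="/usr/bin/ls"
type=USER_START msg=audit(1459401200.505:205): pid=2150 uid=0 auid=1002 ses=9 msg='op=PAM:session_open grantors=pam_unix acct="mallory" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=failed'
"""

UNSET_AUID = "4294967295"  # -1 as unsigned: the login UID was never set (daemons, cron)
USER_START_RE = re.compile(r'^type=USER_START .*?\bauid=(?P<auid>\d+)\b.*?\bacct="(?P<acct>[^"]*)".*?\bres=(?P<res>\w+)')


def learn_identities(log_text):
    """Build the 'learnt' auid -> username map from successful USER_START events."""
    learnt = {}
    for line in log_text.splitlines():
        m = USER_START_RE.match(line)
        if not m:
            continue  # other record types carry auid but no account name
        if m.group("res") != "success" or m.group("auid") == UNSET_AUID:
            continue  # failed logins and unset auids would pollute the lookup
        learnt[m.group("auid")] = m.group("acct")  # later sessions win
    return learnt


def merge_identities(local, directory, learnt):
    """Merge the three lookups; precedence local > directory > learnt is an assumption here."""
    merged = dict(learnt)
    merged.update(directory)
    merged.update(local)
    return merged


def to_lookup_csv(merged):
    """Render the merged map as a CSV lookup; the column names are this example's choice."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["auid", "user"])
    for auid in sorted(merged, key=int):
        writer.writerow([auid, merged[auid]])
    return buf.getvalue()
```

Filtering out `res=failed` and the unset auid (4294967295) matters: without it a failed login attempt against a valid account, or a cron job, would write a misleading username into the learnt lookup.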

From: F Rafi <farhanible at gmail.com>
Date: Thursday, 31 March 2016 at 3:01 PM
To: Doksu <doug.brown at qut.edu.au>
Cc: "linux-audit at redhat.com" <linux-audit at redhat.com>, Steve Grubb <sgrubb at redhat.com>
Subject: Re: Linux Auditd app for Splunk

"I've turned SELinux off ... and as per Dan Walsh that's a bad thing."   Love it.

Some questions.

1. For the Severe Events panel: Where is the severity coming from? The auditd logs don't show a severity rating.

2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file contents somehow?

Thanks,
Farhan

On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb at redhat.com> wrote:
Hello,

On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
> This week I released version 2 of the Linux Auditd app for Splunk:
> https://splunkbase.splunk.com/app/2642/

> Be sure to let me know if you have any suggestions for improvements.

Thanks for posting this. It's good to see utilities like this supporting the
audit daemon.

If anyone else has plugins to logging frameworks, reports, helpful scripts,
etc... feel free to post a notice about them. We are sort of working on a new
home for the audit system at github and can probably dedicate a page to
related and helpful projects.

-Steve

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
