
splunk_auditd's People

Contributors

doksu, rafadvega


splunk_auditd's Issues

Automatic sourcetype assignment for RAW or ENRICHED auditd log formats

Hello,

does TA-linux_auditd support automatic sourcetype assignment for forwarded events?

I've installed TA-linux_auditd app on Splunk Heavy Forwarders, Indexers and Search Heads.

On endpoints, I use Splunk Universal Forwarders configured to send events to Heavy Forwarders, HFs in turn send events to Indexers.

Here is local/inputs.conf from Universal Forwarder:

[monitor:///var/log/audit/audit.log]
disabled = false
index = security

With these settings Splunk always assigns linux:audit sourcetype no matter which log format (RAW|ENRICHED) is set in auditd.conf.

Is there any way to make Splunk automatically set right sourcetype based on auditd log format?

Splunk version: 8.0.1
TA-linux_auditd version: 3.1.0

WBR,
litew

distinctfields

I tried to create a correlation search on the Splunk SH, but when I tried to save it, it says the "distinctfields" search command does not exist.

Do you suggest any other correlation search, as the suggested search command did not work?

Please find attached a screenshot from the Splunk SH.

App not populating

Hi,

I have installed the app on a SHC. The installation and configuration instructions have been followed but the app is not populating and results in an error:


  • None of the areas are being populated. Please help resolve this issue.

How to configure cloudwatch logs as an input for Linux Auditd app?

We have forwarded our audit.log files to CloudWatch Logs as {hostname}/audit.log. For the Linux Auditd (TA_linux-auditd) app we have configured inputs.conf as below:

[monitor://*/audit.log]
disabled = false
sourcetype = aws:cloudwatchlogs

But I don't see any data getting updated in the Linux Auditd app.

Any suggestions?

Add Auth Dashboard

For version 2.0 I'd like to add an auth dashboard to essentially replace the 'Daily Linux Login Report'.

Requirement for Installing Splunk Auditd

Hello,

I have installed the Splunk apps (Linux Auditd and Auditd Add-ons) following your documentation at https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration

Besides that, I also did the following steps.

  1. I have added the user splunk to the root group.
  2. Gave chmod 770 to /var/log/audit
  3. Gave chmod 770 to /var/log/audit/audit.log
  4. Manually added a data input for /var/log/audit/audit.log in Splunk
  5. Added configuration in /etc/pam.d/system-auth and /etc/pam.d/password-auth to record user keystrokes.
  6. Ran commands as user root for keystroke testing
  7. Keystrokes are recorded and can be viewed using the aureport --tty command.
    After doing that, I can see root's keystrokes in the User TTY view.

If I use another user (example: rendi), I cannot see rendi's keystrokes in the User TTY view.

I am pretty sure I am using enable=* in the pam.d configuration.
I also checked it in aureport --tty, and it shows rendi's keystrokes.

Am I missing something?

Daily Linux Login Summary

It would be very useful to add the 'terminal' field to the "Daily Linux Login Summary" saved search; however, SSH logins generate more than one entry (one for the pty device and another for ssh), so we need to figure out the best way to approach adding the terminal field.

Data Model

A data model including the following as a starting point would be useful:

  • Time
  • DVC (host)
  • Audit Event Type
  • Severity
  • Category
  • User
  • Target? (the object or thing being changed/applied)
  • Result

Calculated field / command to determine category violation in SELinux AVCs

It would be very useful to have a calculated field (eval) which automatically compares the category set of the subject and object to determine a violation of the MCS policy (however, it may be too complex for an eval, in which case a new command would be required). In this way, a user could simply alert upon a search such as: eventtype=auditd_events type=AVC category_violation=true

Doing the equivalent for clearance/sensitivity would be a great deal easier I think, but so few people use SELinux as a Trusted System, so it doesn't seem like a priority at this stage.

Usage Manual in Wiki

The Linux Auditd app now really needs a manual to explain how best to interpret and use the growing feature set.

System Call Dashboard Origin Checkbox

The 'Origin' checkbox on the System Call dashboard assumes events contain an scontext role, which is not the case if SELinux is disabled, and so events do not appear in the dashboard.

audit 2.6 released

"
Hello,

I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

  • Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall
  • Make all libraries and utilities support and use enriched events
  • Define dispatcher protocol to version 2
  • Standardize all saddr interpretations in auparse
  • Fix another DST bug in ausearch time conversion (#1334772)
  • In autrace, if rule count loop times out don't assume 0 rules (#1344268)
  • In auditd, check space left a little more often (#1345854)

This release of the audit package contains among other things a major new
piece of functionality. The audit daemon can now enrich events with
interpretation information at the time that the event is logged. This means
that if a user account is deleted, the uid can still be resolved to what it
was at the time of the event.

In terms of central log aggregation, this means that aggregated logs can have
the uid mapping of the remote machine for interpretations. To enable this
functionality, you would want to edit the log_format setting in auditd.conf
and set it to ENRICHED. Restart the audit daemon and that's all there is to
it.

When the enriched logging format is active, the event is completely formatted
in the audit daemon and passed to audispd. This means that you do not need to
also set name_format in audispd.conf if you set it in auditd.conf.

If you write audispd plugins that want format set to binary, then you need to
be aware that enriched events are set with version set to AUDISP_PROTOCOL_VER2
to signify that the raw event is different and you might need to change what
you are doing. If the plugin uses string, then feed the event to auparse like
always and auparse will know what to do with it.

There is a change in interpretation for sockaddr fields. Now all the
information about the source and destination are available.

There were three bug fixes.

Please let me know if you run across any problems with this release.

-Steve

Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
"

Replacing host value with node value not working

Fresh install on a test search head with version 7.3.3. All other extractions work, and dashboards populate.

Log example:

node=foo-master-1.bar.foobar.com type=SERVICE_START msg=audit(1575573930.805:2486026): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=serial-getty@ttyS0 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

In this case dest, dest host, host, dvc all populate as test-auditd-foobar.foo.foobar.com

The lookup table 'auditd_hosts' is invalid.

Installed from within Splunk and then restarted Splunk. Connecting to the app resulted in the error in the issue title. Image attached?

Splunk Details:
Splunk Version: 6.4.3
Splunk Build: b03109c2bad4

Operations Dashboard

It would be good to add an automatically refreshing operations dashboard designed to be always open and give the server/security team an indication of anomalies. It would have a handful of panes with simple 1->3 dials indicating a volume-based risk assessment based on severity and category. The risk would be calculated using an accelerated data model and stdev.

enabled savedsearches by default causing bundle replication issues

Hi,
in the app all saved searches are enabled by default, and the fact that they are scheduled to run way too often with | outputlookup ... causes bundle replication all the time.
It is not good from a performance point of view to replicate the bundle every few minutes around the clock.
The add-on was recently installed on a fresh Splunk installation and paused the whole bundle replication. After disabling the searches the issue was solved.

It would be nice if the searches were disabled by default and users could enable them (I would say best practice), or if the schedule were changed to run less often, like once a day or so.

Thanks.

grantors is not expanded

Hi,
the log shows:
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd
I only see this in the events:
grantors: pam_loginuid
Looks like the "," breaks this.

App Logo

This app desperately needs a funky logo.

SSH logins shown as unknown

While the SSH log messages tell me that root logged in, the app shows unknown.
Looks like the ID field is not taken into account by this:
[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type=USER_LOGIN | eval account=coalesce(acct,user) | table _time host terminal account src action
The USER_LOGIN audit record has neither user nor account set, but I see a default user=unknown in the fields for this event.
Probably the logic should include the ID field as shown by this event:
Jun 8 20:31:29 bsul0903 audispd: type=USER_LOGIN msg=audit(1623177089.054:532049): pid=1526 uid=0 auid=0 ses=6582 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=testbox addr=10.42.42.42 terminal=ssh res=success' UID="root" AUID="root" **ID="root"**
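An added Python example (not part of the app or its TA) that parses the USER_LOGIN record quoted above and derives the account the way the post suggests: acct first, then the enriched ID= value, and a default user=unknown is not allowed to win. The is_enriched() helper also shows the property that separates RAW from ENRICHED records, which the sourcetype-assignment question at the top of this page asks about: only enriched records carry the upper-case interpreted keys (UID=, AUID=, ID=). The regex, the function names and the markdown-free form of the sample line are assumptions.

```python
"""Parse one auditd USER_LOGIN record and derive the login account (added example)."""
import re

# Constructed sample, modelled on the record quoted in the issue above
# (the markdown bold markers around ID="root" removed; values are the issue's own).
SAMPLE = (
    'Jun 8 20:31:29 bsul0903 audispd: type=USER_LOGIN '
    'msg=audit(1623177089.054:532049): pid=1526 uid=0 auid=0 ses=6582 '
    "msg='op=login id=0 exe=\"/usr/sbin/sshd\" hostname=testbox "
    "addr=10.42.42.42 terminal=ssh res=success' "
    'UID="root" AUID="root" ID="root"'
)

# key=value where value is single-quoted, double-quoted, or a bare token.
# Tokens without '=' (the syslog prefix) are simply skipped.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_audit_record(line: str) -> dict:
    """Flatten an audit record into a dict; the nested msg='...' list is merged in."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith("'") and value.endswith("'"):
            # msg='op=login id=0 ...' carries its own key=value list.
            fields.update(parse_audit_record(value[1:-1]))
        elif value.startswith('"') and value.endswith('"'):
            fields[key] = value[1:-1]
        else:
            fields[key] = value
    return fields


def is_enriched(fields: dict) -> bool:
    """log_format = ENRICHED appends interpreted copies of uid/auid/id/... as
    upper-case keys; a RAW record has only lower-case keys."""
    return any(key.isupper() for key in fields)


def login_account(fields: dict) -> str:
    """Account for a USER_LOGIN event.

    Order mirrors coalesce(acct, ID, user) with a guard: the issue reports a
    default user=unknown being present, so that value must not shadow the
    enriched ID= name. A RAW record without acct falls back to the numeric id.
    """
    if fields.get("acct"):
        return fields["acct"]
    if fields.get("ID"):            # enriched interpretation of id=
        return fields["ID"]
    user = fields.get("user")
    if user and user != "unknown":
        return user
    return fields.get("id", "unknown")


if __name__ == "__main__":
    parsed = parse_audit_record(SAMPLE)
    print("enriched:", is_enriched(parsed))
    print("account:", login_account(parsed), "from", parsed["addr"], "via", parsed["terminal"])
```

The same parser can be run over a RAW record (no upper-case keys) to confirm that the fallback path returns the numeric id rather than "unknown", which is the difference a search would otherwise report as an unknown login.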

App Certification

Version 2 has now been released and is undergoing the certification process. I've just implemented the requested changes.

User TTY menu only shows root executed commands

Hello, I can only see the root user in the User TTY menu;
is this expected?

aureport --tty shows only this for uid 1002:

`406. 05/05/2020 17:23:10 1653 0 pts1 12 bash "\000\000\000hostnamectl",,,,"ctl | grep vm",
407. 05/05/2020 17:23:10 1654 0 ? 12 ? "hostnamectl | grep vm"
408. 05/05/2020 17:23:17 1675 0 pts0 1 bash "\000\000\000\000",,
409. 05/05/2020 17:23:17 1676 0 ? 1 ? "aureport --tty"

  1. 05/05/2020 17:24:30 1802 1002 pts2 13 bash "hostnamectl",,,,"ctl | grep vm",,"exit",`

I presume that's why it does not generate the expected event data for the User TTY saved search to consume?

Or maybe you have other requirements to make it work? I see from your doc that it should include "users", so not just root?
https://github.com/doksu/splunk_auditd/wiki/About-Auditd

Maybe I need to update the kernel? I use 5.x on CentOS 7.x.

process_name does not handle 0x0 delimiters

Hi,
it seems that the proctitle field uses hex 00 bytes as delimiters (spaces), so one gets the following:
proctitle comes in as "64617465002B2564"
and ends up as process_name="date+%d"
instead of "date +%d"
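Both the grantors truncation reported a few issues above and the proctitle hex issue in this post come down to normalising the field value before extraction. The following is an added Python example, not code from the splunk_auditd project, showing how such a pre-processing step would handle them: it hex-decodes a proctitle value and maps the NUL argv separators to spaces (leaving the quoted plain form that auditd emits for printable command lines untouched), and splits grantors on commas. The function names are assumptions; the sample values are the ones quoted in the two issues.

```python
"""Normalise two auditd fields that trip up naive extraction (added example)."""
import binascii


def normalize_proctitle(value: str) -> str:
    """Return the command line as typed.

    auditd writes proctitle="..." when argv is printable and a hex string when
    it is not; in the hex form each argv element is terminated by NUL (0x00).
    A decode that simply drops the NULs joins the arguments together
    ("date+%d"), so each NUL is turned into a space instead.
    """
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        raw = binascii.unhexlify(value)
    except (binascii.Error, ValueError):
        return value  # not hex: hand it back unchanged rather than guess
    return raw.replace(b"\x00", b" ").decode("utf-8", errors="replace").strip()


def split_grantors(value: str) -> list[str]:
    """grantors= is a comma-separated list of the PAM modules that granted
    access; an extraction that stops at ',' keeps only the first module."""
    return [module for module in value.split(",") if module]


if __name__ == "__main__":
    # Values quoted in the two issues on this page.
    print(normalize_proctitle("64617465002B2564"))
    print(split_grantors("pam_loginuid,pam_keyinit,pam_limits,pam_systemd"))
```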

SELinux Advisor

It may be possible to add integration with tools such as sesearch/audit2allow to provide suggestions about how to fix AVC denials. On the other hand, a simpler albeit huge boolean lookup table + common error (e.g. file_t label on files) advice may be of greater benefit.

Given ~10% of the search heads with this app currently installed are known to be running Windows/OS X, and integration with sesearch or similar tools would require an Enterprise Linux / Fedora-based distro, perhaps this feature may not come to pass. Thoughts?

Hostnames in local_posix_identities.csv

In our environment, uids and usernames are not uniquely assigned on each server. It therefore happens that, for example, on server1 uid 500 is assigned to userA and on server2 uid 500 is assigned to userB.
Would it be possible to have a hostname field in the lookup, where an empty value means this uid is in general assigned the given username, but for specific hosts (where hostname is set and matches) the user assignment is overridden?

Example:
uid,user,hostname
0,root,
1,system,
500,splunk,
500,usera,system1
500,userb,system2

In this example root is always uid 0 and system always 1.
uid 500 is splunk for all systems except system1 and system2 (for example system3, ...)
uid 500 is usera on system1 and userb on system2.
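An added Python example, not part of the app, of the host-scoped override the post describes: the CSV is the example from the post, an empty hostname column is the generic mapping, and a row whose (uid, hostname) pair matches takes precedence. The function names are assumptions, as is the "unset" label returned for auid 4294967295 (the kernel's unset value, which is what the SERVICE_START record quoted elsewhere on this page carries).

```python
"""uid -> username lookup with per-host override (added example)."""
import csv
import io

# Lookup content taken from the issue above; constructed as an inline string
# so the example runs without a file.
LOOKUP_CSV = """uid,user,hostname
0,root,
1,system,
500,splunk,
500,usera,system1
500,userb,system2
"""

AUID_UNSET = 4294967295  # (unsigned)-1: no login uid has been set yet


def load_lookup(text: str) -> tuple[dict, dict]:
    """Split the CSV into a generic uid map and a (uid, hostname) override map."""
    generic: dict[int, str] = {}
    per_host: dict[tuple[int, str], str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        uid = int(row["uid"])
        host = (row["hostname"] or "").strip()
        if host:
            per_host[(uid, host)] = row["user"]
        else:
            generic[uid] = row["user"]
    return generic, per_host


def resolve_uid(uid: int, host: str, lookup: tuple[dict, dict]) -> str:
    """Host-specific row first, then the generic row, then a labelled fallback."""
    if uid == AUID_UNSET:
        return "unset"
    generic, per_host = lookup
    return per_host.get((uid, host), generic.get(uid, "unknown"))


if __name__ == "__main__":
    lk = load_lookup(LOOKUP_CSV)
    for host in ("system1", "system2", "system3"):
        print(host, resolve_uid(500, host, lk))
```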

Resolving UID to POSIX username

I think we aren't clear on exactly how the UID lookups would work. In our environment, we have hundreds of Linux boxes with individual (local) accounts (i.e. not federated, Kerberos, LDAPS, etc.). The lookups for the UID appear to be from a table built within the search head, which in our case is some random AWS box that lives in Splunk Cloud, as we are a hosted environment. How then would UID lookups ever work, if UID's greatly vary across boxes? Would we install the app on all of the Linux Universal Forwarders and then populate a lookup table based on /etc/passwd on each box? Or, if this won't work, is there a way to simply hide that field extraction such that it doesn't show up?

Typo with indices

Hi,
I noticed there's a typo throughout the app.
Instead of indices we have indicies, causing the dashboards and searches to not return any results (especially for the indices.csv lookup file).

"Dashboard Version Missing" errors when installing latest version of app from Splunkbase on Splunk 9

As of Splunk 9, "All Simple XML dashboards require a version attribute set to 1.1 to certify that they are compatible with jQuery 3.5 or higher. You must update user-created dashboards with a version attribute." Please see https://docs.splunk.com/Documentation/Splunk/latest/Viz/DashboardjQuery for more details.

It actually appears that this issue was fixed by bc82b56, but the "Releases" section has not been updated, and the latest version available on Splunkbase is still 3.1.0 (the commit that adds support for jQuery 3.5 references appears to bump the version to 3.1.2, but it seems it was never pushed to Splunkbase).

Can you please make this "new" version available for download from Splunkbase?

Thanks!

No result found

Hi,
My Security Operations Centre dashboard isn't showing any information.
When I click on the red triangle I get "command="predict", No data".
Also, when I go to Help, the "Directory Posix Users" field shows "The lookup table 'directory_posix_identities' is invalid." in a yellow triangle.

I have no idea what is wrong

Regards,
Matthew

Manually adding users to the app

Hello, I am interested in manually adding users to the posix_identities.csv file and the table learnt_posix_identities. The reason is that some of my users are not detected automatically in the configure dashboard. Every time I try to do it manually it does not work: the value is written to the table and to the lookup file but it is not picked up by the app. The search:
inputlookup posix_identities | stats dc(user)
only shows that there is one entry in the posix_identities file.

However, the search:

posix_identities | stats dc(uid)

shows the correct number (2). Is there a way to do this that I am missing?

TA naming scheme

Just a quick note - Splunk Enterprise Security has an import filter for TAs:
app_regex = (search)|([ST]A-.)|(Splunk[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_._)

This means when the TA is named "TA_" it will not import into ESS. It would be great if the name was updated to use "TA-" for auto import in ESS.

CIM Mappings

The current CIM mappings need to be checked and fixed where necessary. Many audit event types are so rare that the only means by which their format could be determined with any confidence would be to look at the source of auditd. This is however important, as many organisations will be using this app's TA with the Enterprise Security app, and if the mappings are wrong or incomplete it won't work well.

Correlationsearches.conf deprecated

correlationsearches.conf has been removed from ES as of 4.6 (cloud) and 4.7 (on prem). Please update SA-LinuxAuditd to include a single savedsearches.conf for ES.

Unix

hello,
I would like to thank you very much for your great efforts in building such a great app. Does this app work for UNIX (AIX)?

Thanks
