This app is dedicated to my daughter. May this app improve the security of organisations great and small.
Please find documentation here: https://github.com/doksu/splunk_auditd/wiki
.conf 2019 release - be sure to attend "ATT&CKing Linux with SPL" session to see the new features.
- MITRE ATT&CK eventtypes and tags (TA app)
- MITRE ATT&CK in Auditd data model (TA app)
- SOFTWARE_UPDATE events now supported and report provided
Splunk .conf 2018 Edition!
- Linux Auditd Technology Add-On has been moved out of this parent app and is now available from https://splunkbase.splunk.com/app/4232/
- SA-LinuxAuditd app removed and its correlation search moved to documentation
- PROCTITLE type events now decoded and normalised to CIM
- Syscall dashboard now supports keys
- Colour scheme changed to conform to Splunk 7.1+
- Host dashboard now uses new field in inventory lookup to determine uptime estimate, greatly improving performance
- Anomalous Event Volume pane in SOC dashboard updated to improve detection by accommodating changes to the predict command's LLP5 algorithm
- Indices spelling mistake corrected throughout app
- Security Posture Dashboard's Anomalous Event Volume panel renames (https://answers.splunk.com/answers/691234/linux-auditd-app-is-the-spl-for-the-anomalous-even.html) have been fixed (v3.0.1)
This release has important bug fixes, so we recommend upgrading.
- Existing uid=4294967295 entry from learnt_posix_identities lookup no longer populates posix identity lookups
- Changed auditd_node transform regex to prevent inode extraction as host (thanks Max Rizzi for reporting bug)
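The two fixes above (unset ids written as uid=4294967295, and the "node=" regex that also matched the "node=" inside "inode=") can be reproduced outside Splunk. The following is an added illustration, not the app's own transform or lookup generator; the sample audit records, hostnames and regexes are constructed for the example.

```python
import re

# Constructed sample records: two in the shape audisp-remote forwards them
# (a leading "node=<host>" field) and one local PATH record that carries an
# inode= field but no node= field at all.
SAMPLE_EVENTS = [
    'node=web01.example.com type=SYSCALL msg=audit(1536000000.123:456): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 gid=1000 euid=1000 comm="id" exe="/usr/bin/id"',
    'type=PATH msg=audit(1536000000.123:456): item=0 name="/usr/bin/id" inode=393218 dev=fd:01 mode=0100755 ouid=0 ogid=0',
    'node=db02.example.com type=USER_LOGIN msg=audit(1536000001.001:789): pid=2345 uid=0 auid=4294967295 ses=4294967295 acct="unknown" res=failed',
]

# A transform matching "node=" anywhere also hits the tail of "inode=393218",
# so the inode number becomes the event's host (hypothetical reconstruction of the bug).
NAIVE_NODE_RE = re.compile(r'node=(\S+)')
# Requiring start-of-line or whitespace before "node=" only matches a real
# node field; a record without one yields no host override.
FIXED_NODE_RE = re.compile(r'(?:^|\s)node=(\S+)')

# auditd writes an unset id (-1) as the unsigned 32-bit value 4294967295.
UNSET_ID = 4294967295

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split an auditd record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def extract_host(line, pattern=FIXED_NODE_RE):
    """Return the host named by a real node= field, or None if the record has none."""
    m = pattern.search(line)
    return m.group(1) if m else None


def learn_identities(lines):
    """Collect (field, id) pairs worth storing in an identities lookup, skipping unset ids."""
    learnt = set()
    for line in lines:
        fields = parse_audit_line(line)
        for key in ('auid', 'uid'):
            value = fields.get(key)
            if value is None or int(value) == UNSET_ID:
                continue  # unknown user: nothing to learn
            learnt.add((key, int(value)))
    return learnt
```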
This release has an important bug fix, so we recommend upgrading.
- Added prop/transform extracting "node" as host to support audisp-remote (https://answers.splunk.com/answers/507640/audit-logs-from-multiple-hosts.html)
- Added index=* to the searches that populate the auditd_indicies lookup, so that the lookup still populates correctly when the authorize.conf srchIndexesDefault setting does not include the indices where Auditd events are being indexed
- Upcoming Fedora releases added to distribution_release.csv
- Unknown users being logged as auid=4294967295 no longer populates learnt_posix_identities lookup
- Improved CIM 'app' field normalisation.
- Changed deprecated 'seed' option in kernel dashboard to 'initialValue'
- Removed deprecated 'linkView' attribute from single value panes in dashboards
- Removed duplicate 'dispatch.rt_backfill' option in SA-LinuxAuditd app's savedsearches.conf
- The predict command changed in Splunk 6.4, breaking the Anomalous Event Volume indicator in the SOC dashboard (https://github.com/doksu/splunk_auditd/issues/14)
- The System Call dashboard did not show events from hosts with SELinux disabled (https://github.com/doksu/splunk_auditd/issues/12)
The following improvements have been made for certification:
- app.conf updated in SA-LinuxAuditd app
- README added to SA-LinuxAuditd app
- Correlation search in SA-LinuxAuditd app enabled by default
- 5 new dashboards
- Auditd datamodel
- Correlation Search for Enterprise Security
- Automatically learns about your environment (incl. users and hosts) to provide additional context
- Hex decoding of command and TTY logging
- posix_identities lookup generator now resolves uid conflicts
- Eventtypes behind CIM tags
Please see release notes for further details.
Version 1.3.0 is being released to celebrate 600 downloads of the Linux Auditd app and .conf 2015.
avc_table(2) macro to automatically correlate and summarise AVC and SYSCALL events - the first argument is the hostname and the second is the domain. To test, search for:
- Added support for RHEL 7's SYSCALL event fields
- Updated welcome dashboard to reflect README
- Fixed dest CIM field mapping
- Fixed auditallow AVC result in TE dashboard
- Fixed typo on welcome dashboard
- System Call and Type Enforcement dashboards now correlate events (see last pane of each dashboard)
- Added ANOM_ABEND signal lookup (Thanks to Pat Boyne for this feature request)
- New extracted/calculated fields
- Login report improved
- Migrated authentication, alerts and account change CIM tags to tags.conf
- Removed timechart axis labels
- Added dedup in "Rare Vectors" pane of Type Enforcement dashboard
- Fixed typo in installation instructions
- Upgrading app will no longer overwrite existing TA_linux-audit posix lookup files
- Ability to filter by role in System Call dashboard
- Extraction of subject context fields in non-AVC type events
- Effective User ID resolution
- Posix lookup generator saved search bug that truncated directories with more than 50K users
Various minor fixes since submission to Apptitude competition.