topic How to alert on command execution over pwd by users in Linux? in Splunk Search

How to alert on command execution over pwd by users in Linux?

alemarzu — Tue, 20 Oct 2015 18:41:58 GMT

Hi guys,

I'm trying to monitor command execution over certain directories in linux. To do that, I've made a report that displays that data in a table format, something like this...

USER    COMMAND    PWD          _time
usr1    cat        /opt         time1
usr2    less       /example1    time2
usr3    visudo     /example2    time3

But now, I wan't something more complex. I've created a whitelist (CSV file) with user, allowedCommands, directory(PWD) to alert not only when a user outside this whitelist is executing something, but also whitelisted users outside their allowed commands by directory.

I've been playing with lookups/inputlookups, but I couldn't make it work.

Any ideas ?

KR.

Re: How to alert on command execution over pwd by users in Linux?

somesoni2 — Tue, 20 Oct 2015 19:02:33 GMT

Try something like this

Step1: Add a field, say flag="Y" in your whitelist lookup file. This will used as return value for matches.
Step2: update your search like this

Your current search giving table with fields USER COMMAND PWD _time | lookup YourWhitelistTable user as USER allowedCommands as COMMAND OUTPUT flag as commandFlag | lookup YourWhitelistTable user as USER directory as PWD OUTPUT flag as pwdFlag | where commandFlag!="Y" OR pwdFlag!="Y"

Re: How to alert on command execution over pwd by users in Linux?

alemarzu — Fri, 23 Oct 2015 15:04:22 GMT

It's working!

Any idea why "commandFlag" field ends up with more than one "Y" per event in some cases?

Thx mate.