Re: Feature Request: Track New SOFTWARE_UPDATE typ...

alexgwilkinson · ‎02-14-2019

Hi there,

As with RHEL7.6 auditd(8) provides RPM software update events i.e.

RPM now provides Audit events
With this update, the RPM Package Manager (RPM) provides Audit events. The information that a software package is installed or updated is important for system analysis with the Linux Audit system. RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)

https://community.centminmod.com/threads/redhat-enterprise-linux-7-6-beta-released.15499/

Would it be possible to present this data set within a new/existing Panel ?

An example of what the raw event looks like is:

type=SOFTWARE_UPDATE msg=audit(1550197784.190:65750): pid=30926 uid=0 auid=1176812130 ses=22586 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw="splunkforwarder-7.1.2-a0c72a66db66.x86_64" sw_type=rpm key_enforce=0 gpg_res=0
root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="foo"

-Alex

doksu · ‎02-17-2019

Yes, that's a great idea. Thanks for raising it. Will continue development here: https://github.com/doksu/splunk_auditd/issues/24

Feature Request: Track New SOFTWARE_UPDATE type (RPM audit events)

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Feature Request: Track New SOFTWARE_UPDATE type (RPM audit events)

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk