Hi there,
As of RHEL 7.6, auditd(8) provides RPM software update events, i.e.
RPM now provides Audit events
With this update, the RPM Package Manager (RPM) provides Audit events. The information that a software package is installed or updated is important for system analysis with the Linux Audit system. RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)
https://community.centminmod.com/threads/redhat-enterprise-linux-7-6-beta-released.15499/
Would it be possible to present this data set within a new/existing panel?
An example of what the raw event looks like is:
type=SOFTWARE_UPDATE msg=audit(1550197784.190:65750): pid=30926 uid=0 auid=1176812130 ses=22586 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw="splunkforwarder-7.1.2-a0c72a66db66.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="foo"
-Alex
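As an added example (not part of this thread and not code from the splunk_auditd app), here is a small Python parser for the raw SOFTWARE_UPDATE line quoted above, showing the fields a panel would want to pull out: the package, the tool that drove the transaction, the login user from the enriched AUID rather than uid=0 (every RPM transaction runs as root, so uid alone says nothing about who did it), and the signature-related fields. The first sample line is the event from the post re-joined onto one line, with the 0x1D separator that auditd writes before the enriched fields (rendered as "^]" in the post); the other two lines are constructed for this example. Reading key_enforce=1 as "signature enforcement on" and gpg_res=1 as "signature verified" is this example's assumption, not something the post states.

```python
import re
from datetime import datetime, timezone

# Constructed sample input. Line 1 is the event quoted in the post, re-joined
# onto one line; auditd writes a 0x1D (GS) byte before the enriched
# UID="..."/AUID="..." fields. Lines 2 and 3 are made up for this example.
SAMPLE_LINES = [
    'type=SOFTWARE_UPDATE msg=audit(1550197784.190:65750): pid=30926 uid=0 '
    'auid=1176812130 ses=22586 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    "msg='sw=\"splunkforwarder-7.1.2-a0c72a66db66.x86_64\" sw_type=rpm "
    'key_enforce=0 gpg_res=0 root_dir="/" comm="yum" exe="/usr/bin/python2.7" '
    "hostname=? addr=? terminal=? res=success'\x1dUID=\"root\" AUID=\"foo\"",
    # constructed: a signed package installed with signature enforcement on
    'type=SOFTWARE_UPDATE msg=audit(1550200000.000:65800): pid=31000 uid=0 '
    'auid=1000 ses=30 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    "msg='sw=\"examplepkg-1.0-1.el7.x86_64\" sw_type=rpm "
    'key_enforce=1 gpg_res=1 root_dir="/" comm="yum" exe="/usr/bin/python2.7" '
    "hostname=? addr=? terminal=? res=success'\x1dUID=\"root\" AUID=\"alice\"",
    # constructed: an unrelated record type that the filter must skip
    'type=SERVICE_START msg=audit(1550197790.000:65751): pid=1 uid=0 '
    "auid=4294967295 ses=4294967295 msg='unit=sshd comm=\"systemd\" "
    'exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? '
    "res=success'",
]

# key=value where value is "double quoted", 'single quoted' or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|\S+)')
# the audit(epoch.millis:serial) record header, optionally followed by ':'
AUDIT_ID_RE = re.compile(r'^audit\((\d+)\.(\d+):(\d+)\):?$')


def parse_audit_line(line):
    """Parse one raw auditd line into a flat dict.

    Top-level fields, the key=value pairs nested inside msg='...', and the
    enriched fields after the 0x1D separator are merged into one dict with
    surrounding double quotes stripped. The audit(...) header is split into
    integer 'epoch', 'millis' and 'serial' entries.
    """
    head, _, enriched = line.partition('\x1d')
    fields = {}
    for key, raw in FIELD_RE.findall(head) + FIELD_RE.findall(enriched):
        if key == 'msg' and raw.startswith('audit('):
            m = AUDIT_ID_RE.match(raw)
            if m:
                fields['epoch'] = int(m.group(1))
                fields['millis'] = int(m.group(2))
                fields['serial'] = int(m.group(3))
            continue
        if key == 'msg' and raw.startswith("'"):
            # nested msg='...' block carries the event-specific fields
            for k, v in FIELD_RE.findall(raw[1:-1]):
                fields[k] = v.strip('"')
            continue
        fields[key] = raw.strip('"')
    return fields


def event_time(rec):
    """Event time as an ISO-8601 UTC string built from the record header."""
    ts = datetime.fromtimestamp(rec['epoch'], tz=timezone.utc)
    return ts.replace(microsecond=rec['millis'] * 1000).isoformat()


def software_updates(lines):
    """One summary dict per SOFTWARE_UPDATE event, in input order.

    'actor' is the enriched AUID (login user) when present, falling back to
    the numeric auid; uid is always 0 for an RPM transaction. Treating
    key_enforce=1 as "enforcement on" and gpg_res=1 as "signature verified"
    is an assumption of this example.
    """
    out = []
    for line in lines:
        if not line.startswith('type=SOFTWARE_UPDATE '):
            continue
        rec = parse_audit_line(line)
        out.append({
            'time': event_time(rec),
            'serial': rec['serial'],
            'package': rec['sw'],
            'pkg_type': rec['sw_type'],
            'tool': rec['comm'],
            'actor': rec.get('AUID', rec.get('auid')),
            'session': rec['ses'],
            'root_dir': rec['root_dir'],
            'success': rec['res'] == 'success',
            'signature_enforced': rec['key_enforce'] == '1',
            'signature_verified': rec['gpg_res'] == '1',
        })
    return out


def unverified_installs(lines):
    """Packages installed without a verified signature: rows a panel should highlight."""
    return [s['package'] for s in software_updates(lines)
            if not s['signature_verified']]


if __name__ == '__main__':
    for row in software_updates(SAMPLE_LINES):
        print(row)
    print('unverified:', unverified_installs(SAMPLE_LINES))
```

The sample from the post is the interesting case: res=success with key_enforce=0 and gpg_res=0, i.e. the transaction went through without a verified signature, which is exactly the row you would want a panel to surface alongside the actor (AUID="foo", not uid=0).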
Yes, that's a great idea. Thanks for raising it. Will continue development here: https://github.com/doksu/splunk_auditd/issues/24