Re: Feature Request: Track New SOFTWARE_UPDATE typ...

alexgwilkinson · ‎02-14-2019

Hi there,

As with RHEL7.6 auditd(8) provides RPM software update events i.e.

RPM now provides Audit events
With this update, the RPM Package Manager (RPM) provides Audit events. The information that a software package is installed or updated is important for system analysis with the Linux Audit system. RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)

https://community.centminmod.com/threads/redhat-enterprise-linux-7-6-beta-released.15499/

Would it be possible to present this data set within a new/existing Panel ?

An example of what the raw event looks like is:

type=SOFTWARE_UPDATE msg=audit(1550197784.190:65750): pid=30926 uid=0 auid=1176812130 ses=22586 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw="splunkforwarder-7.1.2-a0c72a66db66.x86_64" sw_type=rpm key_enforce=0 gpg_res=0
root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="foo"

-Alex

doksu · ‎02-17-2019

Yes, that's a great idea. Thanks for raising it. Will continue development here: https://github.com/doksu/splunk_auditd/issues/24

Feature Request: Track New SOFTWARE_UPDATE type (RPM audit events)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation