All Apps and Add-ons

How to configure Splunk to check for unauthorized software installations and also, for unauthorized baseline configuration changes?

jonasm1
Explorer

For the AWS environment, I need to create alerts notifying sys admins of the following: unauthorized software installation and unauthorized configuration changes. Thanks for the help!

0 Karma

bojanisch
Path Finder

So I did a bit of research, since I could not find an out-of-the-box solution and as always there are multiple approaches:

In my opinion the prefereable way would be to use the already existing system monitoring apps for Windows (https://splunkbase.splunk.com/app/1680/) and Linux (https://splunkbase.splunk.com/app/273/). Although I'm not sure on what level they can be used directly, I think they'll give you a fair starting point. At worst you would need to write your own alerts and maybe add a software installation monitoring system (https://www.raymond.cc/blog/monitor-software-installs-remove-leftovers-install-monitor/) which log files can be indexed into Splunk.

However you could also try it from scratch. On Windows, Splunk is able to monitor the registry and you could check any changes for new software installation (https://answers.splunk.com/answers/8005/how-do-i-monitor-only-the-changes-to-windows-registry.html). For Linux there are many more solutions, since there are many more ways to install software on it. For example if you'd like to monitor installation over the APT package manager you should look into https://askubuntu.com/questions/425809/where-are-the-logs-for-apt-get and add it as an input to Splunk.

I'm sorry that I can't give you a pinpoint solution, but depending on the vast amount of variables I think that you need to invest some time adapting it to your parameters.

Best regards,
Bojan

0 Karma

bojanisch
Path Finder

@jonasm1 can you provide some more information, like on what systems are you planning to log your software installation and maybe the tools you are planning to use for this? The information analyzed by Splunk needs still somewhere to be generated, e.g. using a script or some professional tools.

0 Karma

jonasm1
Explorer

The environment is mixed: Windows and Linux. We're planning to use a scripts however I was just asking if Splunk has built-in dashboards or add-ons where I could use out-of-the-box? On my research, for Change Management, Splunk has dashboards with over 40 reports built-in to it. What I'm trying to understand is if Splunk has this "out-of-the-box" capability to monitor unauthorized software installs. Would there be something written in the Splunk docs - so far have not found what I'm looking for.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...