All Apps and Add-ons

How to configure Splunk to check for unauthorized software installations and also, for unauthorized baseline configuration changes?

Explorer

For the AWS environment, I need to create alerts notifying sys admins of the following: unauthorized software installation and unauthorized configuration changes. Thanks for the help!

0 Karma

Explorer

So I did a bit of research, since I could not find an out-of-the-box solution and as always there are multiple approaches:

In my opinion the prefereable way would be to use the already existing system monitoring apps for Windows (https://splunkbase.splunk.com/app/1680/) and Linux (https://splunkbase.splunk.com/app/273/). Although I'm not sure on what level they can be used directly, I think they'll give you a fair starting point. At worst you would need to write your own alerts and maybe add a software installation monitoring system (https://www.raymond.cc/blog/monitor-software-installs-remove-leftovers-install-monitor/) which log files can be indexed into Splunk.

However you could also try it from scratch. On Windows, Splunk is able to monitor the registry and you could check any changes for new software installation (https://answers.splunk.com/answers/8005/how-do-i-monitor-only-the-changes-to-windows-registry.html). For Linux there are many more solutions, since there are many more ways to install software on it. For example if you'd like to monitor installation over the APT package manager you should look into https://askubuntu.com/questions/425809/where-are-the-logs-for-apt-get and add it as an input to Splunk.

I'm sorry that I can't give you a pinpoint solution, but depending on the vast amount of variables I think that you need to invest some time adapting it to your parameters.

Best regards,
Bojan

0 Karma

Explorer

@jonasm1 can you provide some more information, like on what systems are you planning to log your software installation and maybe the tools you are planning to use for this? The information analyzed by Splunk needs still somewhere to be generated, e.g. using a script or some professional tools.

0 Karma

Explorer

The environment is mixed: Windows and Linux. We're planning to use a scripts however I was just asking if Splunk has built-in dashboards or add-ons where I could use out-of-the-box? On my research, for Change Management, Splunk has dashboards with over 40 reports built-in to it. What I'm trying to understand is if Splunk has this "out-of-the-box" capability to monitor unauthorized software installs. Would there be something written in the Splunk docs - so far have not found what I'm looking for.

0 Karma