Hello,
I've installed the Linux Auditd app https://splunkbase.splunk.com/app/2642/ and I'm pulling auditd logs into Splunk. Once a user goes into root "su root", the events are logged by the app but I can't group the events together with the corresponding user. Other questions about the app suggest this should be done out of the box, so I guess there is something I need to change. I am interested in results similar to when we run "ausearch -ui" where the elevated "su -" events are grouped together with sudo and regular events by a/uid. Any advice or links to knowledge are appreciated! Thank you, -Sean
I have run through the configure option within the app and everything seems to be populating correctly.
--------------- sample log -----------------
2020-04-20T14:13:28.243-0700 type=PROCTITLE msg=audit(1587417208.243:33451): proctitle=636861747472002B61002F726F6F742F2E626173685F686973746F72792E616C696D6D2D61
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33451): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33451): item=0 name="/usr/bin/chattr" inode=405135 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=CWD msg=audit(1587417208.243:33451): cwd="/root"
2020-04-20T14:13:28.243-0700 type=EXECVE msg=audit(1587417208.243:33451): argc=3 a0="chattr" a1="+a" a2="/root/.bash_history.ali12"
2020-04-20T14:13:28.243-0700 type=SYSCALL msg=audit(1587417208.243:33451): arch=80000016 syscall=11 success=yes exit=0 a0=1ca3b8d0 a1=1ca4dd20 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55675 pid=55721 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="chattr" exe="/usr/bin/chattr" key=(null)
2020-04-20T14:13:28.243-0700 type=PROCTITLE msg=audit(1587417208.243:33450): proctitle="logname"
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33450): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33450): item=0 name="/usr/bin/logname" inode=405524 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=CWD msg=audit(1587417208.243:33450): cwd="/root"
2020-04-20T14:13:28.243-0700 type=EXECVE msg=audit(1587417208.243:33450): argc=1 a0="logname"
2020-04-20T14:13:28.243-0700 type=SYSCALL msg=audit(1587417208.243:33450): arch=80000016 syscall=11 success=yes exit=0 a0=1ca38c60 a1=1c912b90 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55719 pid=55720 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="logname" exe="/usr/bin/logname" key=(null)
2020-04-20T14:13:39.293-0700 type=PROCTITLE msg=audit(1587417219.293:33452): proctitle=617564697463746C002D6C
2020-04-20T14:13:39.293-0700 type=PATH msg=audit(1587417219.293:33452): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:39.293-0700 type=PATH msg=audit(1587417219.293:33452): item=0 name="/sbin/auditctl" inode=420444 dev=fe:00 mode=0100750 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:39.293-0700 type=CWD msg=audit(1587417219.293:33452): cwd="/root"
2020-04-20T14:13:39.293-0700 type=EXECVE msg=audit(1587417219.293:33452): argc=2 a0="auditctl" a1="-l"
2020-04-20T14:13:39.293-0700 type=SYSCALL msg=audit(1587417219.293:33452): arch=80000016 syscall=11 success=yes exit=0 a0=1ca5f0b0 a1=1ca5e8f0 a2=1ca778a0 a3=3ffa0d79710 items=2 ppid=55675 pid=55727 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
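The grouping the question asks for, shown outside Splunk as an added example (it is my code, not the Linux Auditd app's and not from the post): records are first joined by the audit serial (the number after the colon in `msg=audit(epoch:serial)`), then the resulting events are keyed by `auid`, which auditd assigns at login and preserves across `su -` and sudo while `uid`/`euid` become 0. The sample lines are copied from the post above; the record layout and field names are standard auditd, the function names are mine.

```python
"""Join auditd records into events and attribute them to the login user (auid)."""
import re
from collections import defaultdict

# Sample records copied from the post above (three events: serials 33450-33452).
SAMPLE_LOG = """\
2020-04-20T14:13:28.243-0700 type=PROCTITLE msg=audit(1587417208.243:33451): proctitle=636861747472002B61002F726F6F742F2E626173685F686973746F72792E616C696D6D2D61
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33451): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33451): item=0 name="/usr/bin/chattr" inode=405135 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=CWD msg=audit(1587417208.243:33451): cwd="/root"
2020-04-20T14:13:28.243-0700 type=EXECVE msg=audit(1587417208.243:33451): argc=3 a0="chattr" a1="+a" a2="/root/.bash_history.ali12"
2020-04-20T14:13:28.243-0700 type=SYSCALL msg=audit(1587417208.243:33451): arch=80000016 syscall=11 success=yes exit=0 a0=1ca3b8d0 a1=1ca4dd20 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55675 pid=55721 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="chattr" exe="/usr/bin/chattr" key=(null)
2020-04-20T14:13:28.243-0700 type=PROCTITLE msg=audit(1587417208.243:33450): proctitle="logname"
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33450): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33450): item=0 name="/usr/bin/logname" inode=405524 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=CWD msg=audit(1587417208.243:33450): cwd="/root"
2020-04-20T14:13:28.243-0700 type=EXECVE msg=audit(1587417208.243:33450): argc=1 a0="logname"
2020-04-20T14:13:28.243-0700 type=SYSCALL msg=audit(1587417208.243:33450): arch=80000016 syscall=11 success=yes exit=0 a0=1ca38c60 a1=1c912b90 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55719 pid=55720 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="logname" exe="/usr/bin/logname" key=(null)
2020-04-20T14:13:39.293-0700 type=PROCTITLE msg=audit(1587417219.293:33452): proctitle=617564697463746C002D6C
2020-04-20T14:13:39.293-0700 type=PATH msg=audit(1587417219.293:33452): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:39.293-0700 type=PATH msg=audit(1587417219.293:33452): item=0 name="/sbin/auditctl" inode=420444 dev=fe:00 mode=0100750 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:39.293-0700 type=CWD msg=audit(1587417219.293:33452): cwd="/root"
2020-04-20T14:13:39.293-0700 type=EXECVE msg=audit(1587417219.293:33452): argc=2 a0="auditctl" a1="-l"
2020-04-20T14:13:39.293-0700 type=SYSCALL msg=audit(1587417219.293:33452): arch=80000016 syscall=11 success=yes exit=0 a0=1ca5f0b0 a1=1ca5e8f0 a2=1ca778a0 a3=3ffa0d79710 items=2 ppid=55675 pid=55727 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+type=(?P<type>\S+)\s+msg=audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key="quoted value" or key=bare
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
UNSET_AUID = "4294967295"  # auid of processes without a login session (-1 as unsigned)


def decode_value(key, raw, rtype):
    """Strip quotes; hex-decode proctitle and EXECVE argv (auditd hex-encodes
    values that contain spaces or control chars; NUL separates argv entries)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    is_argv = rtype == "EXECVE" and re.fullmatch(r"a\d+", key)
    if (rtype == "PROCTITLE" or is_argv) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_records(text):
    """Parse one auditd record per line; non-audit lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype = m.group("type")
        fields = {k: decode_value(k, v, rtype) for k, v in KV_RE.findall(m.group("body"))}
        records.append({"ts": m.group("ts"), "type": rtype,
                        "serial": int(m.group("serial")), "fields": fields})
    return records


def build_events(records):
    """Join all records that share a serial into one event carrying the
    SYSCALL identity fields, decoded proctitle, EXECVE argv and cwd."""
    events = {}
    for rec in records:
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "ts": rec["ts"]})
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            ev.update({k: f.get(k) for k in ("auid", "uid", "euid", "ses", "tty", "comm", "exe", "success")})
        elif rec["type"] == "PROCTITLE":
            ev["proctitle"] = f.get("proctitle")
        elif rec["type"] == "EXECVE":
            ev["cmdline"] = " ".join(f.get("a%d" % i, "") for i in range(int(f.get("argc", "0"))))
        elif rec["type"] == "CWD":
            ev["cwd"] = f.get("cwd")
    return [events[s] for s in sorted(events)]


def group_by_auid(events):
    """The ausearch -ui view: events keyed by the login uid, whatever uid/euid
    the process actually ran as after su or sudo."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.get("auid") or UNSET_AUID].append(ev)
    return dict(groups)


def elevated_events(events):
    """Events executed under a uid other than the login uid (i.e. after su/sudo)."""
    return [ev for ev in events
            if ev.get("auid") not in (None, UNSET_AUID) and ev.get("uid") != ev.get("auid")]


if __name__ == "__main__":
    evs = build_events(parse_records(SAMPLE_LOG))
    elevated = {e["serial"] for e in elevated_events(evs)}
    for auid, group in group_by_auid(evs).items():
        print(f"auid={auid} ses={group[0].get('ses')}")
        for ev in group:
            print(f"  {ev['ts']} serial={ev['serial']} uid={ev.get('uid')} cwd={ev.get('cwd')} "
                  f"cmd={ev.get('cmdline') or ev.get('proctitle')}"
                  f"{'  [ELEVATED]' if ev['serial'] in elevated else ''}")
```

All three sample events carry `auid=1503413` with `uid=0`, so they attribute to the same login user even though every one of them ran as root; that pair of fields (plus `ses=602`, the login session id) is what any grouping, in Splunk or elsewhere, has to key on. The `proctitle` value on the chattr event decodes to a slightly different file name than the EXECVE `a2` argument, which is a good reminder to keep both when auditing: they come from different sources in the kernel and the poster appears to have redacted them separately.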
Have you also installed the required auditd add-on?
Thanks for asking. Yes, I believe I've installed and updated the add-on and configs correctly.
I followed the relevant instructions from https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration. Within the auditd Splunk app, I click into the configure menu and everything is populating in there as expected. I am not ingesting TTY logs.