
Tracking user after switching to root not working in Linux Auditd app.

rewritex
Contributor

Hello,

I've installed the Linux Auditd app https://splunkbase.splunk.com/app/2642/ and I'm pulling auditd logs into Splunk. Once a user goes into root "su root", the events are logged by the app but I can't group the events together with the corresponding user. Other questions about the app suggest this should be done out of the box, so I guess there is something I need to change. I am interested in results similar to when we run "ausearch -ui" where the elevated "su -" events are grouped together with sudo and regular events by a/uid. Any advice or links to knowledge are appreciated! Thank you, -Sean

I have run through the configure option within the app and everything seems to be populating correctly.

--------------- sample log -----------------

2020-04-20T14:13:28.243-0700    type=PROCTITLE msg=audit(1587417208.243:33451): proctitle=636861747472002B61002F726F6F742F2E626173685F686973746F72792E616C696D6D2D61

2020-04-20T14:13:28.243-0700    type=PATH msg=audit(1587417208.243:33451): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

2020-04-20T14:13:28.243-0700    type=PATH msg=audit(1587417208.243:33451): item=0 name="/usr/bin/chattr" inode=405135 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

2020-04-20T14:13:28.243-0700    type=CWD msg=audit(1587417208.243:33451): cwd="/root"

2020-04-20T14:13:28.243-0700    type=EXECVE msg=audit(1587417208.243:33451): argc=3 a0="chattr" a1="+a" a2="/root/.bash_history.ali12"

2020-04-20T14:13:28.243-0700    type=SYSCALL msg=audit(1587417208.243:33451): arch=80000016 syscall=11 success=yes exit=0 a0=1ca3b8d0 a1=1ca4dd20 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55675 pid=55721 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="chattr" exe="/usr/bin/chattr" key=(null)

2020-04-20T14:13:28.243-0700    type=PROCTITLE msg=audit(1587417208.243:33450): proctitle="logname"

2020-04-20T14:13:28.243-0700    type=PATH msg=audit(1587417208.243:33450): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

2020-04-20T14:13:28.243-0700    type=PATH msg=audit(1587417208.243:33450): item=0 name="/usr/bin/logname" inode=405524 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

2020-04-20T14:13:28.243-0700    type=CWD msg=audit(1587417208.243:33450): cwd="/root"

2020-04-20T14:13:28.243-0700    type=EXECVE msg=audit(1587417208.243:33450): argc=1 a0="logname"

2020-04-20T14:13:28.243-0700    type=SYSCALL msg=audit(1587417208.243:33450): arch=80000016 syscall=11 success=yes exit=0 a0=1ca38c60 a1=1c912b90 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55719 pid=55720 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="logname" exe="/usr/bin/logname" key=(null)

2020-04-20T14:13:39.293-0700    type=PROCTITLE msg=audit(1587417219.293:33452): proctitle=617564697463746C002D6C

2020-04-20T14:13:39.293-0700    type=PATH msg=audit(1587417219.293:33452): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

2020-04-20T14:13:39.293-0700    type=PATH msg=audit(1587417219.293:33452): item=0 name="/sbin/auditctl" inode=420444 dev=fe:00 mode=0100750 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

2020-04-20T14:13:39.293-0700    type=CWD msg=audit(1587417219.293:33452): cwd="/root"

2020-04-20T14:13:39.293-0700    type=EXECVE msg=audit(1587417219.293:33452): argc=2 a0="auditctl" a1="-l"

2020-04-20T14:13:39.293-0700    type=SYSCALL msg=audit(1587417219.293:33452): arch=80000016 syscall=11 success=yes exit=0 a0=1ca5f0b0 a1=1ca5e8f0 a2=1ca778a0 a3=3ffa0d79710 items=2 ppid=55675 pid=55727 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
0 Karma
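As an added example (not part of the original post and not code from the Linux Auditd app): every SYSCALL record in the sample above carries auid=1503413 alongside uid=0, so grouping on auid rather than uid keeps post-su commands attributed to the login user. This Python code merges records by audit event ID and groups the commands by auid; the function names are hypothetical and the sample lines are abridged from the post's log.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the log in the post above (fields trimmed).
SAMPLE = """\
2020-04-20T14:13:28.243-0700    type=PROCTITLE msg=audit(1587417208.243:33450): proctitle="logname"
2020-04-20T14:13:28.243-0700    type=SYSCALL msg=audit(1587417208.243:33450): syscall=11 success=yes ppid=55719 pid=55720 auid=1503413 uid=0 euid=0 tty=pts0 ses=602 comm="logname" exe="/usr/bin/logname"
2020-04-20T14:13:39.293-0700    type=PROCTITLE msg=audit(1587417219.293:33452): proctitle=617564697463746C002D6C
2020-04-20T14:13:39.293-0700    type=EXECVE msg=audit(1587417219.293:33452): argc=2 a0="auditctl" a1="-l"
2020-04-20T14:13:39.293-0700    type=SYSCALL msg=audit(1587417219.293:33452): syscall=11 success=yes ppid=55675 pid=55727 auid=1503413 uid=0 euid=0 tty=pts0 ses=602 comm="auditctl" exe="/usr/sbin/auditctl"
"""

RECORD = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(value):
    """Quoted values are literal; unquoted ones are hex with NUL-separated args."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return value

def correlate(text):
    """Merge records sharing an audit event ID (timestamp:serial) into one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[(ts, serial)]
        fields = dict(FIELD.findall(body))
        if rtype == "PROCTITLE":
            ev["cmdline"] = decode_proctitle(fields.get("proctitle", ""))
        elif rtype == "SYSCALL":
            # auid is set at login and survives su/sudo; uid is the current identity.
            for key in ("auid", "uid", "ses", "exe"):
                ev[key] = fields.get(key, "").strip('"')
    return events

def commands_by_auid(text):
    """Return {auid: [(serial, uid, cmdline), ...]} ordered by event serial."""
    grouped = defaultdict(list)
    for (_ts, serial), ev in sorted(correlate(text).items(), key=lambda kv: int(kv[0][1])):
        if "auid" in ev:
            grouped[ev["auid"]].append((int(serial), ev["uid"], ev.get("cmdline", ev["exe"])))
    return dict(grouped)
```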

richgalloway
SplunkTrust

Have you also installed the required auditd add-on?

---
If this reply helps you, Karma would be appreciated.
0 Karma

rewritex
Contributor

Thanks for asking. Yes, I believe I've installed and updated the add-on and configs correctly.
I followed the relevant instructions from https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration. Within the auditd Splunk app, I click into the configure menu and everything is populating in there as expected. I am not ingesting TTY logs.

0 Karma