I can see that events containing some app data like su, sudo are the only ones the Add-on tags as privileged. But in my opinion a remote login via ssh as root should also be tagged as privileged, i.e. by default (of course, I know I can do it myself, but as this app is somehow "the official way to bring Unix/Linux data into Splunk", this should already be done).
What is the dev's opinion?
I would also tag any system that can have a remote login via ssh as root as "insecure by design." Or at least as having a broken audit trail. 🙂
Otherwise I, though I have nothing to do with this add-on, would agree with you that it should be.
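As an added example of what both posters are asking for, not taken from the thread or from the Splunk Add-on for Unix and Linux itself: a local eventtype for successful root logins over ssh, with the privileged tag applied to it in tags.conf. The eventtype name nix_ssh_root_login is invented here, and the sourcetype linux_secure and the sshd "Accepted ... for root from ..." wording are assumptions to check against the sourcetypes and sshd versions actually in your environment.

```ini
# Added example, not part of the Splunk Add-on for Unix and Linux.
# Put both stanzas in the local/ directory of your own app (or of the add-on)
# so that an add-on upgrade does not overwrite them.

# ---- eventtypes.conf ----
# Assumption: sshd messages arrive with sourcetype linux_secure, the add-on's
# default for /var/log/secure and /var/log/auth.log.
# On a successful login sshd logs:
#   sshd[1234]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: ...
[nix_ssh_root_login]
search = sourcetype=linux_secure "Accepted" "for root from"

# ---- tags.conf ----
# Give the new eventtype the same tag the add-on already uses for su/sudo,
# plus the authentication tag so it keeps showing up in authentication views.
[eventtype=nix_ssh_root_login]
privileged = enabled
authentication = enabled
```

After a restart or a reload of the conf files, run the search eventtype=nix_ssh_root_login tag=privileged over a period with a known root ssh login; if nothing matches, check the sourcetype first, since the quoted phrase only matches the exact sshd wording shown in the comment.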