All Apps and Add-ons

Why is an ssh-login as root not tagged as "privileged" by the Unix-AddOn?

Communicator

I can see, that events containing some app-data like su, sudo are the only ones the AddOn tags as privileged. But in my opinion a remote login via ssh as root should also be tagged as privileged - i.e. by default (of course, I know i can do it myself, but as this app is somehow "the official way to bring Unix/Linux data into Splunk", this should be already done).

What is the dev's opinion?

0 Karma

SplunkTrust
SplunkTrust

I would also tag any system that can have a remote login via ssh as root as "insecure by design." Or at least as having a broken audit trail. 🙂

Otherwise, I - though I have nothing to do with this add on - would agree with you it should be.

0 Karma