All Apps and Add-ons

Why is my Linux Auditd app confusing the UID's with POSIX users?

Explorer

I have the latest version of Linux Auditd, version 2.0.5. I go to the configuration tab in the linux auditd app and click submit to run the dashboard searches so it will learn all the posix users. I have recently deleted some users and now the uids of existing users are matched with deleted users. For example, my current existing user is tuser and its uid is 1007 but now when I search index=* host=MY_HOST auid=1007 the field user in the "Interesting Fields section" on the Splunk web says jonny NOT tuser and that is because I recently deleted a user named jonny and create tuser and then refreshed the linux auditd dashboard to learn to posix users and now its confused.

I have seen others talking about this problem and people have said this issue was fixed in the latest version but I am having problems with it WITH the latest version of linux auditd. Its really messing up my searches that are relying on the user field.

Who can help me??

0 Karma

SplunkTrust
SplunkTrust

Reuse of POSIX uid numbers is a rare and strongly discouraged practice. As such, the Linux Auditd app is not designed to map uid to user in a temporal fashion to support this, so if the user assigned to uid does change the mapping will either be erroneous for historical events prior to the change or erroneous after the change.

Given the dedup command in the "Configure" dashboard's pane that performs the learning process will use the most recent login event for each uid to learn which user is assigned a particular uid, it is more likely that historical events will have an erroneous mapping. In your case it seems the new user assigned that reused uid has not yet logged into a machine logging auditd events and so the mapping is erroneous for events after the change.

My suggest is to not use the "Configure" dashboard again; disable the "Update learntposixidentities KVStore collection" scheduled search in the TAlinux-auditd app, then modify the "learntposix_identities" lookup to reflect your desired uid to user mappings. Within 5 minutes after performing this procedure the "user" field in sourcetype=linux:audit searches should be as expected.

0 Karma

Contributor

And how does one disable the search? At first I thought it would be on the Search or Configure panels of Linux Auditd but no...You have to go to 'Settings: (Knowledge) Searches, reports, and alerts', and then filter by 'App: Linux Auditd Technology Add-On (TAlinux-auditd)'. Locate the "Update learntposix_identities KVStore collection" search and then choose Disable from the Edit drop-down.

0 Karma