
Requirement for Installing Splunk Auditd #32

Open
rendi7936 opened this issue May 6, 2020 · 0 comments

Hello,

I have installed the Splunk apps (Linux Auditd and Auditd Addons) following your documentation at https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration

Besides that, I also did the following steps.

  1. I have added user splunk to the root group.
  2. Gave chmod 770 to /var/log/audit
  3. Gave chmod 770 to /var/log/audit/audit.log
  4. Manually added a data input for /var/log/audit/audit.log to Splunk
  5. Added configuration in /etc/pam.d/system-auth and /etc/pam.d/password-auth to record user keystrokes.
  6. Typed commands on the command line as user root for keystroke testing
  7. Keystrokes were recorded and can be viewed using the aureport --tty command.
    But after I did that, I can see root's keystrokes in the User TTY view.

If I use another user (example: rendi),
I cannot see rendi's keystrokes in the User TTY view.

I am pretty sure I am using enable=* in the pam.d configuration.
I also checked it in aureport --tty, and it shows the rendi keystrokes.

Am I missing something?
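As an added example (not code from the splunk_auditd project or this issue) of checking what actually landed in the log that Splunk reads: this script parses type=TTY records of the kind pam_tty_audit writes to audit.log, decodes the hex-encoded data= field, and groups the entered commands per login uid (auid), which is how you can confirm that a non-root user's keystrokes are present in the file before looking at the Splunk view. The record layout and the sample lines are constructed assumptions modelled on the kernel's TTY audit format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of kernel TTY-audit records (type=TTY) as
# written to /var/log/audit/audit.log; the keystroke bytes are hex-encoded in data=.
# A non-TTY record is included to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1588758000.050:200): pid=2100 uid=0 auid=0 ses=4 msg='op=PAM:session_open acct="root" res=success'
type=TTY msg=audit(1588758000.101:201): tty pid=2101 uid=0 auid=0 ses=4 major=136 minor=0 comm="bash" data=69640D
type=TTY msg=audit(1588758010.223:202): tty pid=2150 uid=1000 auid=1000 ses=5 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1588758012.417:203): tty pid=2150 uid=1000 auid=1000 ses=5 major=136 minor=1 comm="bash" data=77686F616D690D
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=\d+ minor=\d+ comm="(?P<comm>[^"]*)" data=(?P<data>\S+)$'
)

def decode_data(field):
    """Keystrokes are hex when they contain control bytes (e.g. the trailing \\r);
    purely printable payloads may appear as a quoted string instead."""
    if field.startswith('"') and field.endswith('"'):
        return field[1:-1]
    return bytes.fromhex(field).decode('utf-8', errors='replace')

def parse_tty_records(text):
    """Return one dict per TTY record; all other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = TTY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['keystrokes'] = decode_data(rec.pop('data'))
            records.append(rec)
    return records

def commands_by_auid(text):
    """Group keystrokes by login uid (auid) and split them into the individual
    command lines the user entered, mirroring what aureport --tty lists."""
    buf = defaultdict(str)
    for rec in parse_tty_records(text):
        buf[rec['auid']] += rec['keystrokes']
    return {auid: [c for c in ks.split('\r') if c] for auid, ks in buf.items()}

if __name__ == '__main__':
    for auid, cmds in commands_by_auid(SAMPLE_AUDIT_LOG).items():
        print(f'auid={auid}: {cmds}')
```

Run it against the real file (as a user that can read it) by replacing SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log; if the auid you expect is missing here, the problem is upstream of Splunk.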
