Skip to content

Installation and Configuration

doksu edited this page Oct 31, 2018 · 29 revisions

Requirements

  • Platform independent
  • Splunk Enterprise 6.5+ / Splunk Cloud
  • linux:audit and linux:audit:enriched sourcetype events (see Sourcetype section below)

Upgrade

To upgrade to version 3.x of the Linux Auditd app, please take a backup of then remove both the linux-auditd and TA_linux-auditd apps completely from all Splunk servers, then perform a normal installation as per below. The auditd_indicies lookup has been renamed to auditd_indices, so if you've used it in searches, be sure to adjust them accordingly after upgrade.

Installation

There are no special installation requirements. The Linux Auditd app and its associated technology add-on should be installed in your environment in the same way you would any other app. For example, on a normal stand-alone search head:

  1. Install the Linux Auditd Technology Add-On from Splunkbase (https://splunkbase.splunk.com/app/4232/)
  2. Install the Linux Auditd app from Splunkbase (https://splunkbase.splunk.com/app/2642/)
  3. Restart Splunk

N.B. If deploying to a search head cluster, please follow your normal procedure using the deployer to distribute the app and TA to the nodes.

It's recommended (but not essential) to install the TA-linux_auditd app on all heavy forwarders and indexers to ensure events are correctly indexed. There's no benefit installing either app on universal forwarders.

Sourcetype

It's essential that your Auditd events are sourcetyped correctly. If you install the TA-linux_auditd app on indexers and heavy forwarders, it will ensure that newly ingested events are correctly sourcetyped. It's best practice to collect events using Splunk's Universal Forwarder on the endpoint, but if that's not possible in your environment and you wish to use syslog instead, please see: https://github.com/doksu/splunk_auditd/wiki/FAQ#my-auditd-events-are-syslogged-how-do-i-sourcetype-them-correctly

If you have existing events indexed with the vendor's old underscore sourcetype convention (i.e. 'linux_audit') and you wish to use them with this app, then several minor (unsupported) changes must be made:

  1. Change 'linux:audit' stanza name in 'TA-linux_auditd/default/props.conf' to '[(::){0}linux*audit]' on search heads
  2. Append 'OR sourcetype=linux_audit' to the search in a local 'auditd_events' eventtype in the TA-linux_auditd app on search heads
  3. Add 'linux_audit' to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv
  4. Restart Splunk

If ingesting "ENRICHED" format auditd events, please use the sourcetype 'linux:audit:enriched'.

Configuration

After completing the installation steps above, please run the 'Configure' dashboard as a user with access to the auditd events and wait for all the searches to complete (N.B. This may take some time depending on the number of searchable auditd events in your environment and the time period selected).

The TA-linux_auditd app resolves uid values to posix usernames if using the default "RAW" auditd event format. For this to occur, two lookups require populating on the search heads. The first contains local users (typically created by package management) and can be extracted from /etc/passwd and populated on a Linux search head using the following command:

awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA-linux_auditd/lookups/local_posix_identities.csv

The second lookup contains directory users and can be populated by scheduling the following search to run periodically with the SA-ldapsearch app (https://splunkbase.splunk.com/app/1151/):

| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities

N.B. If not using Active Directory, the author recommends using an alternative app that works better with LDAP implementations: https://splunkbase.splunk.com/app/3872/

Within 5 minutes of populating the lookups above, they will automatically be merged into the 'posix_identities' lookup. To check its status, open the 'Help' dashboard and wait until the 'Merged Posix Users' value is greater than zero.

Datamodel

At this point, it's strongly recommended to enable acceleration for the provided 'Auditd' datamodel. This can be done via the web interface on your search head: Settings -> Data models -> Edit (next to Auditd) -> Edit Acceleration -> Tick the box, and change the Summary Range (at least '7 Days', but preferably '1 month' or longer), then click 'Save'. N.B. The Auditd datamodel is quite modest in size - we know from extensive testing that the datamodel acceleration size is only +5% of the raw data.

Enterprise Security

Below is the suggested correlation search "New Distinct SELinux AVC Tuple":

| tstats summariesonly=t count from datamodel=Auditd where (nodename = Auditd.AVC) groupby _time, host, Auditd.scontext_domain, Auditd.tclass, Auditd.perm, Auditd.tcontext_type span=1d
| `drop_dm_object_name("Auditd")`
| distinctfields by=scontext_domain tclass perm tcontext_type
| eval mvcount=mvcount(distinctfields)
| where mvcount>1 AND _time>relative_time(now(),“-1d”)
| eval risk_object=host, risk_object_type="system", risk_score=mvcount*10

N.B. This correlation search uses the distinctfields command, which is provided by the Set Operations Technology Add-On: https://splunkbase.splunk.com/app/3516/

For more information, please see: https://conf.splunk.com/sessions/2017-sessions.html#search=The%20Art%20of%20Detection%20Using%20Splunk%20Enterprise%20Security&

Clone this wiki locally