Release Notes
doksu edited this page Oct 31, 2018 · 12 revisions
This version is designed to "modernise" the app to conform with new AppInspect requirements and improve support for features in newer versions of auditd.
- Linux Auditd Technology Add-On has been moved out of the parent app and renamed from TA_linux-auditd to TA-linux_auditd to conform with Splunk's current naming convention. The app is now available from https://splunkbase.splunk.com/app/4232/
- SA-LinuxAuditd app removed and its correlation search moved to documentation
- Enriched audit events are now supported to accommodate environments with inconsistent uid/gid allocation
- New auditd event types now supported
- PROCTITLE type events now decoded and normalised to CIM
- Syscall dashboard now supports keys
- Colour scheme changed to conform to Splunk 7.1+
- Host dashboard now uses new field in inventory lookup to determine uptime estimate, greatly improving performance
- Anomalous Event Volume pane in SOC dashboard updated to improve detection by accommodating changes to the predict command's LLP5 algorithm
- Host Inventory lookup now has an automatically updating last_boot field that can be used to indicate uptime
- Additional distribution releases now supported
- Unused capture groups in some transform regexes updated
- Unused default/data/ui/nav removed (v3.0.1)
- Indices spelling mistake corrected throughout apps
- Security Posture Dashboard's Anomalous Event Volume panel renames (https://answers.splunk.com/answers/691234/linux-auditd-app-is-the-spl-for-the-anomalous-even.html) have been fixed (v3.0.1)
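The PROCTITLE decoding listed above, and the hex decoding of command and TTY logging introduced in the previous release, both rest on auditd's own encoding rule: a field value containing spaces, quotes or control bytes is written as uppercase hex with no prefix, and PROCTITLE's argv is NUL-separated inside that hex. The Python below is an added illustration of that decoding and a CIM-style normalisation, not code from the app or its TA; the sample audit.log lines are constructed, and the allow-list of hex-capable fields and the output field names (process, process_exec, user_id, tty_input) are assumptions rather than the app's actual mapping.

```python
import re
from typing import Dict, List

# Constructed sample lines in raw audit.log format (not from the page or the project).
SAMPLE_LINES = [
    'type=PROCTITLE msg=audit(1540948800.123:456): proctitle=7375646F002D69',
    'type=PROCTITLE msg=audit(1540948800.124:457): proctitle="/usr/sbin/sshd"',
    "type=USER_TTY msg=audit(1540948801.000:458): pid=1234 uid=1000 auid=1000 "
    "ses=3 msg='data=6C73202D6C610A'",
]

FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
# Fields auditd hex-encodes when they hold spaces, quotes or control bytes (assumed list).
# Numeric fields such as pid=1234 must never be treated as hex, hence the allow-list.
HEX_FIELDS = {'proctitle', 'data', 'cmd', 'comm', 'exe', 'key'}


def decode_value(key: str, raw: str) -> str:
    """Strip auditd quoting, or hex-decode an allow-listed field (incl. EXECVE a0..aN)."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"\'':
        return raw[1:-1]
    if (key in HEX_FIELDS or re.fullmatch(r'a\d+', key)) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_line(line: str) -> Dict[str, str]:
    """Split an audit.log line into decoded fields, flattening the nested msg='...' block."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith("'") and '=' in value:
            fields.update(parse_line(value[1:-1]))   # nested key=value pairs
        else:
            fields[key] = decode_value(key, value)
    return fields


def normalise(fields: Dict[str, str]) -> Dict[str, str]:
    """Map decoded fields onto CIM-style names (assumed mapping, not the app's own)."""
    out = {'type': fields['type']}
    if fields['type'] == 'PROCTITLE':
        argv: List[str] = fields['proctitle'].split('\0')   # argv is NUL-separated
        out['process_exec'] = argv[0].rsplit('/', 1)[-1]
        out['process'] = ' '.join(argv)
    elif fields['type'] == 'USER_TTY':
        out['user_id'] = fields['auid']
        out['tty_input'] = fields['data'].rstrip('\n')
    return out


def normalise_all(lines: List[str]) -> List[Dict[str, str]]:
    return [normalise(parse_line(line)) for line in lines]
```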
The previous major release's goal was to make Linux Auditd log events understandable, so that a practitioner could use them to find and resolve issues in their environment. With this release, however, the principal goal was to take advantage of Splunk 6.3 features: automatically learning your environment, then detecting events that require attention.
- App Logo
- Auditd datamodel
- SA-LinuxAuditd app (Enterprise Security correlation search technology preview)
- Security Operations Centre
- Sudo
- User TTY
- Host
- Configure
- learnt_posix_identities KVStore collection
- auditd_host_inventory KVStore collection
- distribution_release lookup
- auditd_indicies lookup
- auditd_sourcetypes
- auditd_hosts
- auditd_decommissioned_hosts
- Welcome dashboard renamed to 'Help' and updated
- linux_audit events automatically have their sourcetype changed at index-time to linux:audit
- Linux Auditd sources are automatically detected to ensure they're always sourcetyped correctly
- With the exception of the Auditd datamodel's constraints, all non-pivot searches have been updated to use the auditd_indicies and auditd_sourcetypes lookups instead of the 'auditd_events' eventtype.
- Macros moved into TA
- Hex decoding of command and TTY logging
- posix_identities lookup generator now resolves uid conflicts
- inputs.conf added to TA with monitor stanza for /var/log/audit/audit.log (disabled by default)
- REST API used to detect presence of TA rather than search
- Eventtypes behind CIM tags
- Events tagged against the CIM Change datamodel sometimes had incorrect field mappings
- System Call Dashboard's "Origin" checkbox assumes SELinux context exists in events: https://github.com/doksu/splunk_auditd/issues/12
- In an ES search head environment, the app_regex doesn't import TAs that use the new 'TA_' naming convention. As a result, the 'TA_linux-auditd' app either needs to be manually added to the list of imported apps in '$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata/local.meta' so that the Auditd datamodel is "visible" to ES and the correlation search can pivot against it, or a local app_regex needs to be created as per this issue: https://github.com/doksu/splunk_auditd/issues/11
I'd like to thank my wife for designing the much needed logo. I'd also like to thank the University of Adelaide's Security team for suggesting the 'User TTY' dashboard and for their participation in the QA process.