##
|
|
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
|
|
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
##
|
|
##
|
|
|
|
[nix_ta_custom_eventtype]
# Placeholder that matches nothing ("NOT *"). nix_ta_data ORs this eventtype
# in, so redefining it (presumably in a local override of this file) is the
# hook for adding sourcetypes or sources that the list below does not cover.
search = NOT *

[nix_ta_data]
# Umbrella eventtype most stanzas in this file scope themselves to: the custom
# hook above, plus the add-on's scripted-input and log sourcetypes, plus common
# *nix log paths matched by source. Widening this list widens every dependent
# eventtype at once, so keep it tight.
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (docker_metric, vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, docker, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
|
|
|
|
###### Globals ######

[nix_security]
# Any *_secure sourcetype (aix_secure, osx_secure, linux_secure are the ones
# nix_ta_data lists). Not scoped to nix_ta_data, so a sourcetype ending in
# _secure that another add-on defines matches as well.
search = sourcetype="*_secure"
#tags = os unix

[nix_configs]
# Configuration-file events: anything sourced from under /etc or from a
# *.conf / *.cfg file.
search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg")

[nix_errors]
# Keyword catch-all for error-like events. OR is evaluated before the implied
# AND, so this stays scoped to nix_ta_data, but any event mentioning one of
# these terms qualifies - expect noise if this feeds alerting.
search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal
#tags = error
|
|
|
|
|
|
###### DHCP ######

[dhcpd_server]
# DHCP server lease traffic: acks, naks and releases from the dhcpd sourcetype.
search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE)
#tags = dhcp network session unix

[dhcpd_start]
# Lease granted; matches on the extracted signature field rather than a keyword
# (compare dhcpd_server_dhcpack below, which is the keyword form).
search = sourcetype=dhcpd signature=DHCPACK
#tags = start

[dhcpd_unable_unexpected]
# dhcpd complaints ("unable ..." / "unexpected ..."); OR binds tighter than the
# implied AND with sourcetype=dhcpd.
search = sourcetype=dhcpd unable OR unexpected
#tags = error

# One keyword-matched eventtype per DHCP message type.
[dhcpd_server_dhcpack]
search = sourcetype=dhcpd DHCPACK

[dhcpd_server_dhcpdiscover]
search = sourcetype=dhcpd DHCPDISCOVER

[dhcpd_server_dhcpoffer]
search = sourcetype=dhcpd DHCPOFFER

[dhcpd_server_dhcprelease]
search = sourcetype=dhcpd DHCPRELEASE
#tags = end

[dhcpd_server_dhcprequest]
search = sourcetype=dhcpd DHCPREQUEST
|
|
|
|
|
|
###### Scripted Inputs ######

## CPU stats
# One eventtype per scripted-input sourcetype; each stanza name mirrors the
# sourcetype it selects. These are not scoped to nix_ta_data, but every
# sourcetype used in this section is also listed there.
[cpu]
search = sourcetype=cpu
#tags = performance os resource report unix cpu

[cpu_anomalous]
# cpu samples whose PercentSystemTime field exceeds 90 (field extracted from
# the cpu script output; presumably a percentage - confirm).
search = sourcetype=cpu PercentSystemTime>90
#tags = enabled

[df]
search = sourcetype=df
#tags = df host check success storage performance

[iostat]
search = sourcetype=iostat

[nfsiostat]
search = sourcetype=nfsiostat

[lsof]
search = sourcetype=lsof

[hardware]
search = sourcetype=hardware

[interfaces]
search = sourcetype=interfaces
# tags = Inventory Network

[lastlog]
search = sourcetype=lastlog

[netstat]
search = sourcetype=netstat
# listening port

[openPorts]
search = sourcetype=openPorts

[package]
search = sourcetype=package

[protocol]
search = sourcetype=protocol

[ps]
search = sourcetype=ps
#tags = process oshost success ps cpu performance

[top]
search = sourcetype=top

[time]
search = sourcetype=time

[usersWithLoginPrivs]
search = sourcetype=usersWithLoginPrivs

[docker]
search = sourcetype=docker
#tags = performance os avail unix report docker

[vmstat]
search = sourcetype=vmstat
#tags = performance os avail unix report vmstat resource success memory

[who]
search = sourcetype=who

[bandwidth]
search = sourcetype=bandwidth
|
|
|
|
|
|
###### System Logs ######

#### Account Management
# Keyword-based account lifecycle events. Each stanza requires both the tool
# name and an object word ("user"/"group"), so a log line must contain both
# terms to match.

[useradd]
search = eventtype=nix_ta_data useradd user
#tags = account management add change

# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0
[useradd-suse]
# Variant for the "new account added" wording shown in the example above.
search = eventtype=nix_ta_data useradd new account added
#tags = account management add change

[userdel]
search = eventtype=nix_ta_data userdel user
#tags = account management delete change

[groupadd]
search = eventtype=nix_ta_data groupadd group
#tags = account management add change

#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0
[groupadd-suse]
# Keys off useradd, not groupadd: per the example above this platform logs
# group membership additions from useradd.
search = eventtype=nix_ta_data useradd account added group
#tags = account management add change

[groupdel]
# Excludes lines containing "deleting-user-from" (presumably userdel's
# group-membership cleanup) so a user deletion is not counted as a group
# deletion - confirm against the source log format.
search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group
#tags = account management delete change

[linux-password-change]
# Successful password change reported by the passwd process.
search = eventtype=nix_ta_data process=passwd password changed
#tags = account management password modify change

#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0
[linux-password-change-failed]
search = eventtype=nix_ta_data process=passwd password change failed
#tags = account management password modify change
|
|
|
|
|
|
#### acpi
# Kernel subsystem messages, matched on the "<subsystem>:" prefix token.

[nix_acpi]
search = eventtype=nix_ta_data ACPI:
#tags = os unix power

#### agpgart
[nix_agpgart]
search = eventtype=nix_ta_data agpgart:
#tags = os unix graphics

#### apm
[nix_apm]
search = eventtype=nix_ta_data apm:
#tags = os unix power
|
|
|
|
|
|
#### auditd

[auditd]
# All records from the auditd sourcetype.
search = sourcetype=auditd
#tags = os unix resource file

[auditd_modify]
# NOTE: this filters on source=auditd, whereas the stanza above and nix_ta_data
# use sourcetype=auditd. For a file monitor input the source field is the file
# path, so this only matches if some input literally sets source to "auditd";
# verify, or this may need to read sourcetype=auditd. PATH is the audit record
# type that carries the name of the file object touched.
search = source=auditd PATH
#tags = modify
|
|
|
|
|
|
#### Authentication

## ksu
[ksu_authentication]
# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives.
# Kerberos su: both failed and successful authentication / account
# authorization outcomes.
search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful)))
#tags = authentication

## login
[login_authentication]
# Only the failure path of login ("Login failure on"); successful logins are
# not covered by this stanza.
search = eventtype=nix_ta_data login: "Login failure on"
#tags = authentication

## pam
[pam_unix_authentication]
# pam_unix results for gdm, sudo and su: authentication failures and opened
# sessions. Other PAM clients are not matched.
search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened")
#tags = authentication

## passwd
#Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure
[passwd-auth-failure]
# The punct= term pins the exact syslog layout of the example above; a
# different timestamp or message format will not match.
search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__"
#tags = application authentication

## rlogin
[rlogin_too_many_failures]
# Repeated login failures reported by rlogin - a brute-force indicator, hence
# the attack/watchlist tags.
search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES"
#tags = application attack watchlist

## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_failure]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed")
#tags = application authentication remote

## Detects an allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_allowed]
# pam_rhosts_auth is host-based (.rhosts / hosts.equiv) trust; logins it
# allows are worth reviewing because that path is a legacy, weakly
# authenticated mechanism.
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
#tags = application authentication remote
|
|
|
|
## sshd-session
[sshd_session_start]
# sshd / sshd-session lines from the linux_secure sourcetype. NOTE: besides
# "session opened for user" and "Accepted password", the term list also takes
# failure messages ("Failed password for", "Unable to negotiate", "Connection
# closed by invalid user", "Could not get shadow information"), so this is
# broader than successful session starts - confirm before using it as a
# session-start signal.
search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password")
#tags = network session start

[sshd_session_end]
# Session teardown messages from linux_secure. "Connection closed by invalid
# user" is excluded because the start stanza above already claims it.
search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user"
#tags = network session end

## sshd
[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
# sshd authentication outcomes on every sourcetype except linux_secure (which
# the two session stanzas above handle). The "(from OR ())" group contains an
# empty pair of parentheses - presumably meant to make "from" optional; verify
# how the search parser treats it.
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure
#tags = authentication remote

[ssh_login_postponed]
# sshd "Postponed" lines; the punct= term pins the syslog layout.
search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
# no tags assigned to this eventtype

[ssh_open]
# Session opened / incoming connection, punct-pinned, excluding linux_secure
# (covered by sshd_session_start). OR binds tighter than the implied ANDs.
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure
#tags = communicate connect

# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
[ssh_close]
# Three accepted punct layouts OR'd together, then the close-message variants.
search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed)
#tags = access stop logoff

# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye
[ssh_disconnect]
search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect
#tags = access stop logoff

[ssh_check_pass]
# "check pass; user unknown" - a login attempt for a nonexistent account.
search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__")
#no tags assigned to this eventtype
|
|
|
|
## su
[su_authentication]
# Example event, from su on CentOS7
# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success'

# su outcomes from three log shapes: a cmd="su" field, an audit USER_AUTH
# record whose exe ends in /su (the example above), or the syslog "su: ... from
# ... to ... at" form. USER_CMD records (sudo-style) are excluded, and "BAD" lines
# are left to su_failed below.
search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at))
#tags = authentication

[su_failed]
# Failed su attempts. NOTE: Failed_SU (in the "ADDED FROM UNIX APP" section)
# repeats these four clauses and adds more; events can match both.
search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU "))
#tags = authentication

[su_session]
search = eventtype=nix_ta_data su: session
#tags = session

[su_root_session]
# Subset of su_session where the line also contains "root" - i.e. escalation
# to the root account.
search = eventtype=nix_ta_data su: session root
#tags = session privileged

## Telnet
[wksh_authentication]
search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL"
# no tags assigned to this eventtype
|
|
|
|
#### automount
[nix_automount]
# automount syslog lines; punct= pins the message layout.
search = eventtype=nix_ta_data automount punct="::__::_*:_*"
#tags = os unix

#### Config
[nix_config_change]
# Generic "Configuration changed" message, whichever daemon emits it.
search = eventtype=nix_ta_data Configuration changed
#tags = os unix host configuration modify

#### Console
[nix_console]
search = eventtype=nix_ta_data Console:
#tags = os unix
|
|
|
|
|
|
#### cron
[nix_cron]
# cron / crond syslog lines. The trailing NOTs drop package-manager lines
# (Install:/Updated:/Erased:) that merely mention cron.
search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased:
#tags = os unix
|
|
|
|
|
|
#### CUPS
# The three CUPS stanzas have no keyword at all - they match purely on the
# punct= layout of the access, error and page logs, so any format change in
# CUPS silently breaks them.

[nix_cups_access]
search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-"
#tags = os unix access printer

[nix_cups_error]
search = eventtype=nix_ta_data punct="_[//:::_-]_*"
#tags = os unix printer

[nix_cups_page]
search = eventtype=nix_ta_data punct="___[//:::_-]___-_"
#tags = os unix printer
|
|
|
|
|
|
#### dhclient
[nix_dhclient]
# dhclient syslog lines with one accepted punct layout and two excluded ones,
# plus keyword exclusions for "Rule" / "Name" lines.
search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name
#tags = os unix

#### DMA
[nix_dma]
# Kernel memory-zone messages ("DMA zone:").
search = eventtype=nix_ta_data DMA zone:
#tags = os unix memory access
|
|
|
|
|
|
#### Firewall
# These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add-on
# and tag their events with these tags
[iptables_firewall_accept]
# Permitted traffic. OR binds tighter than the implied ANDs, so this reads
# eventtype AND signature=firewall AND (action=PASS OR action=permit).
search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit
#tags = os unix host firewall communicate success

[iptables_firewall_deny]
# As above for blocked / dropped traffic.
search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped
#tags = os unix host firewall communicate failure
|
|
|
|
|
|
#### FTP
[nix_ftp_xferlog]
# FTP transfer log; punct-only match (no keyword).
search = eventtype=nix_ta_data punct="___*::___...__///*"
#tags = os unix ftp transfer

[nix_ncftpd_logins]
# ncftpd syslog lines; tagged authentication - note FTP credentials travel in
# cleartext, so these are worth correlating with failed_login data.
search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*"
#tags = os unix ftp authentication
|
|
|
|
|
|
#### Fingerprinting
[nix_fingerprinting]
# "Client OS detected:" messages (passive OS fingerprinting output).
search = eventtype=nix_ta_data Client OS detected:
#tags = os unix

#### gconfd
[nix_gconfd]
# Base gconfd stanza; the four below are keyword refinements of it.
search = eventtype=nix_ta_data gconfd
#tags = os unix

[nix_gconfd_error]
search = eventtype=nix_ta_data gconfd Error
#tags = error

[nix_gconfd_exiting]
# OR binds tighter than the implied AND: gconfd AND (Exiting OR signal).
search = eventtype=nix_ta_data gconfd Exiting OR signal
#tags = stop

[nix_gconfd_resolved_address]
search = eventtype=nix_ta_data gconfd Resolved address

[nix_gconfd_starting]
search = eventtype=nix_ta_data gconfd starting
#tags = start

#### gdm
[nix_gdm]
# gdm syslog lines, excluding package-manager and scrollkeeper noise and any
# line containing a pam* term (PAM results are handled by the auth stanzas).
search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam*
#tags = os unix

#### gpm
[nix_gpm]
# gpm syslog lines with the same package-manager exclusions.
search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*."
#tags = os unix
|
|
|
|
|
|
#### FreeBSD
# named zone-refresh messages, distinguished only by their punct= layout.

[freebsd_refresh_na_answer]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)"
#tags = os unix

[freebsd_refresh_retry_exceeded]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)"
#tags = os unix
|
|
|
|
|
|
#### hald
[nix_hald]
search = eventtype=nix_ta_data hald punct="*__::_*:_*"
#tags = os unix

#### hpiod
[hpiod_Linux_syslog]
search = eventtype=nix_ta_data hpiod punct="*__::_*:_*"
#tags = os unix

#### kernel
[nix_kernel_attached]
# Despite the name, this is every nix_ta_data event containing the term
# "kernel" - a very broad match.
search = eventtype=nix_ta_data kernel
#tags = os unix kernel

#### kill
[nix_process_kill]
# Processes exiting on signal 15 (SIGTERM).
search = eventtype=nix_ta_data exiting signal 15
#tags = os unix process stop
|
|
|
|
|
|
#### mDNSResponder
[nix_mDNSResponder]
search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*"
#tags = os unix dns

#### named
[nix_named1]
# named lines in either of two punct layouts (OR binds tighter than the
# implied ANDs).
search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*"
#tags = os unix dns

[nix_named2]
# A third named layout, minus one excluded sub-layout.
search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..."
#tags = os unix dns
|
|
|
|
|
|
#### OSX Crash Log
[osx_crash_log]
# Matches the "Host Name" / "Date/Time" header terms of a macOS crash report.
search = eventtype=nix_ta_data Host Name Date/Time
#tags = os unix error

#### Netlabel
[nix_netlabel]
search = eventtype=nix_ta_data NetLabel:
#tags = os unix kernel

#### PCI
[nix_pci]
# "PCI:" kernel messages, excluding the BIOS-related ones.
search = eventtype=nix_ta_data PCI: NOT BIOS
#tags = os unix

#### Plug-n-play
[nix_pnp]
search = eventtype=nix_ta_data pnp:
#tags = os unix

#### POP3
[nix_popper]
search = eventtype=nix_ta_data popper
#tags = os unix mail
|
|
|
|
|
|
#### postfix
[nix_postfix]
search = eventtype=nix_ta_data postfix punct="*__::_*:_*"
#tags = os unix

#### Prelink
[nix_prelink]
# OR binds tighter than the implied AND: eventtype AND (/usr/sbin/prelink: OR Prelinking).
search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking
#tags = os unix

#### RPC
[nix_rpc_statd]
search = eventtype=nix_ta_data rpc.statd
#tags = os unix

#### RPM
[nix_rpm]
# Lines naming a *.rpm package in the "name-version.arch.rpm" punct shape.
search = eventtype=nix_ta_data *.rpm punct="*-*.*."
#tags = os update

#### Runlevel
[nix_runlevel_change]
# "init:" syslog lines (runlevel transitions).
search = eventtype=nix_ta_data init: punct="*__::_*:_*"
#tags = os unix configuration modify
|
|
|
|
|
|
#### SNMPD
[snmpd]
search = eventtype=nix_ta_data snmpd
#tags = os unix snmp

[snmpd_failure]
# snmpd lines carrying an SNMPD_<something>_FAILURE token.
search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE
#tags = failure

#### scrollkeeper
[nix_scrollkeeper]
search = eventtype=nix_ta_data scrollkeeper punct="__::__*"
#tags = os unix
|
|
|
|
|
|
## Shutdown
[nix_halt]
# shutdown(8) "system halt" message.
search = eventtype=nix_ta_data shutdown: system halt
#tags = os unix stop

[nix_restart]
# shutdown(8) "system reboot" message.
search = eventtype=nix_ta_data shutdown: system reboot
#tags = os unix stop

#### smartd
[nix_smartd]
search = eventtype=nix_ta_data smartd punct="*__::_*:_*"
#tags = os unix
|
|
|
|
|
|
#### Time
[nix_timesync]
# Successful clock synchronization from ntpd / ntpdate / xntpd / xntpdate or a
# "MS Name/IP address" (chrony-style) line, paired with one of the sync phrases.
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server")
#tags = report time synchronize success

[nix_timesync_failure]
# NOTE: the bare term 506 in the daemon group is unexplained (presumably a
# message or event code from one platform's time service) - verify it is still
# wanted, since any event containing the token 506 together with one of the
# failure strings will match.
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon")
#tags = report time synchronize failure
|
|
|
|
|
|
#### Update
[nix_yum_update]
# yum "Updated" lines (package updates applied).
search = eventtype=nix_ta_data yum Updated
#tags = report update success

#### udevd
[nix_udevd]
search = eventtype=nix_ta_data udevd
#tags = os unix kernel

#### USB
[nix_usb]
# usb*: kernel messages, excluding one punct layout.
search = eventtype=nix_ta_data usb*: NOT punct="<>:__*"
#tags = os unix usb

#### userhelper
[nix_userhelper]
search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
#tags = os unix
|
|
|
|
|
|
###### ADDED FROM UNIX APP ######

[failed_login]
# Cross-platform failed-login phrases on every sourcetype except linux_secure
# (which the sshd_session_* stanzas handle).
search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure
#tags = authentication

[Failed_SU]
# Superset of su_failed: the same four clauses plus audit-style
# exe="/bin/su" res="failed", "FAILED su for", and the /var/adm/sulog
# "SU ... -" form. Events matching the shared clauses satisfy both stanzas.
# The mixed-case stanza name is referenced as-is; do not rename it.
search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
#tags = authentication

[nix-all-logs]
# Anything that looks like a log file by source or a syslog-ish sourcetype,
# minus the usersWithLoginPrivs and lastlog scripted inputs.
search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog)

###### END FROM UNIX APP ######
|
|
|
|
###### ADDED FROM TA-deploymentapps ######

###### Scripted Inputs ######

## Global
# One stanza per OS family, selecting every scripted-input sourcetype by its
# "<OS>:" prefix. Not scoped to nix_ta_data; that list only names the Unix:*
# and Linux:* sourcetypes explicitly.
[aix_scripted_input]
search = sourcetype=AIX:*
#tags = check report

[hpux_scripted_input]
search = sourcetype=HPUX:*
#tags = check report

[linux_scripted_input]
search = sourcetype=Linux:*
#tags = check report

[osx_scripted_input]
search = sourcetype=OSX:*
#tags = check report

[solaris_scripted_input]
search = sourcetype=Solaris:*
#tags = check report

[unix_scripted_input]
search = sourcetype=Unix:*
#tags = check report
|
|
|
|
## CPUTime
# Each stanza below takes every "<prefix>:<Name>" sourcetype except the
# Windows ones (WMI:/Perfmon:), so the same names can coexist with the
# Windows add-ons.
[cputime]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime
#tags = performance os avail cpu

[cputime_anomalous]
# System-time share above 90 (PercentSystemTime presumably a percentage).
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90
#tags = anomalous

## Disk
[freediskspace]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace
#tags = performance os avail disk storage

[freediskspace_anomalous]
# Less than 10 (percent, per the field name) free space.
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10
#tags = anomalous
|
|
|
|
## Listening Ports
[listeningports]
# Non-Windows ListeningPorts output. (NOT file_hash=*) drops events carrying a
# file_hash field (presumably the per-file checksum records from the same
# script) - confirm.
search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*)
#tags = os config report

## Local Processes
[localprocesses]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses
#tags = os avail process

[localprocesses_anomalous]
# Single process over 50 on either system-time or memory share; the "Total"
# roll-up row is excluded so it cannot trip the threshold by itself.
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total
#tags = anomalous

## Memory
[memory]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory
#tags = performance os avail memory

[memory_anomalous]
# mem_free below 104857600 (= 100 MiB if the field is in bytes - confirm units).
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600
#tags = anomalous
|
|
|
|
## SELinux Config
[selinuxconfig]
# SELinux configuration snapshots (Linux:SELinuxConfig sourcetype).
search = sourcetype=Linux:SELinuxConfig
#tags = application config selinux

## Service
[service]
# Service inventory, minus events carrying a file_hash field (see listeningports).
search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*)
#tags = os config service report

[service_runlevel_anomalous]
# Services enabled in runlevel 0 (halt) or 6 (reboot) - normally nothing
# should be configured to start there.
search = sourcetype=*:Service (runlevel0=on OR runlevel6=on)
#tags = anomalous
|
|
|
|
## SSHD Config
[sshdconfig]
# sshd_config snapshots from the SSHDConfig scripted input.
search = sourcetype=*:SSHDConfig
#tags = application config ssh

[sshd_insecure]
# Hosts whose sshd_protocol field includes "1": SSH protocol 1 is
# cryptographically broken, so this should be empty on any maintained host.
search = eventtype=nix_ta_data sshd_protocol=*1*
#tags = insecure

## Update
[update]
search = sourcetype=*:Update
#tags = os info update

[update_status]
# Per-package update lines, excluding the total_updates summary line.
search = sourcetype=*:Update NOT total_updates
#tags = status
|
|
|
|
## Uptime
[uptime]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime
#tags = os info report uptime performance

[uptime_anomalous]
# SystemUpTime above 2592000 (= 30 days if the field is in seconds - confirm);
# long-running hosts are a useful proxy for unapplied kernel updates.
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000
#tags = anomalous

## User Accounts
[useraccounts]
# Account inventory, minus events carrying a file_hash field (see listeningports).
search = sourcetype=*:UserAccounts (NOT file_hash=*)
#tags = (os) config user inventory

[useraccounts_anomalous]
# Accounts whose password field is neither "x" (hash held in the shadow file)
# nor "*" (password login disabled) - i.e. a hash or an empty password stored
# directly in the account record. The backslash keeps "*" literal rather than
# a wildcard.
search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*)
#tags = anomalous
|
|
|
|
## Version
[nix_version]
search = (NOT sourcetype=WMI:Version) sourcetype=*:Version
#tags = os info report system version inventory

## VSFTPD Config
[vsftpd_config]
# vsftpd.conf snapshots; tagged cleartext because FTP carries credentials
# unencrypted.
search = sourcetype=*:VSFTPDConfig
#tags = application config ftp cleartext

[vsftpd_config_anonymous]
# Hosts where anonymous FTP is enabled (anonymous_enable=YES).
search = sourcetype=*:VSFTPDConfig anonymous_enable=YES
#tags = anonymous

###### END FROM TA-deploymentapps ######
|