Michael Erdely
5551b8973d
* Add docker.sh and docker_metric.sh for collecting docker events/metrics * Add helper script to extra/ to run the TA commands on systems without a Splunk forwarder. The commands can be sent to a syslog server. This script is useful for systems with small or read-only filesystems that cannot support a Universal Forwarder. * Add syslog_inputs_nix_ta app to extra/ for ingesting the data from syslog
726 lines
19 KiB
Text
726 lines
19 KiB
Text
##
|
|
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
|
|
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
##
|
|
##
|
|
|
|
[nix_ta_custom_eventtype]
|
|
search = NOT *
|
|
|
|
[nix_ta_data]
|
|
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (docker_metric, vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, docker, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
|
|
|
|
###### Globals ######
|
|
[nix_security]
|
|
search = sourcetype="*_secure"
|
|
#tags = os unix
|
|
|
|
[nix_configs]
|
|
search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg")
|
|
|
|
[nix_errors]
|
|
search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal
|
|
#tags = error
|
|
|
|
|
|
###### DHCP ######
|
|
[dhcpd_server]
|
|
search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE)
|
|
#tags = dhcp network session unix
|
|
|
|
[dhcpd_start]
|
|
search = sourcetype=dhcpd signature=DHCPACK
|
|
#tags = start
|
|
|
|
[dhcpd_unable_unexpected]
|
|
search = sourcetype=dhcpd unable OR unexpected
|
|
#tags = error
|
|
|
|
[dhcpd_server_dhcpack]
|
|
search = sourcetype=dhcpd DHCPACK
|
|
|
|
[dhcpd_server_dhcpdiscover]
|
|
search = sourcetype=dhcpd DHCPDISCOVER
|
|
|
|
[dhcpd_server_dhcpoffer]
|
|
search = sourcetype=dhcpd DHCPOFFER
|
|
|
|
[dhcpd_server_dhcprelease]
|
|
search = sourcetype=dhcpd DHCPRELEASE
|
|
#tags = end
|
|
|
|
[dhcpd_server_dhcprequest]
|
|
search = sourcetype=dhcpd DHCPREQUEST
|
|
|
|
|
|
###### Scripted Inputs ######
|
|
## CPU stats
|
|
[cpu]
|
|
search = sourcetype=cpu
|
|
#tags = performance os resource report unix cpu
|
|
|
|
[cpu_anomalous]
|
|
search = sourcetype=cpu PercentSystemTime>90
|
|
#tags = enabled
|
|
|
|
[df]
|
|
search = sourcetype=df
|
|
#tags = df host check success storage performance
|
|
|
|
[iostat]
|
|
search = sourcetype=iostat
|
|
|
|
[nfsiostat]
|
|
search = sourcetype=nfsiostat
|
|
|
|
[lsof]
|
|
search = sourcetype=lsof
|
|
|
|
[hardware]
|
|
search = sourcetype=hardware
|
|
|
|
[interfaces]
|
|
search = sourcetype=interfaces
|
|
# tags = Inventory Network
|
|
|
|
[lastlog]
|
|
search = sourcetype=lastlog
|
|
|
|
[netstat]
|
|
search = sourcetype=netstat
|
|
# listening port
|
|
|
|
[openPorts]
|
|
search = sourcetype=openPorts
|
|
|
|
[package]
|
|
search = sourcetype=package
|
|
|
|
[protocol]
|
|
search = sourcetype=protocol
|
|
|
|
[ps]
|
|
search = sourcetype=ps
|
|
#tags = process oshost success ps cpu performance
|
|
|
|
[top]
|
|
search = sourcetype=top
|
|
|
|
[time]
|
|
search = sourcetype=time
|
|
|
|
[usersWithLoginPrivs]
|
|
search = sourcetype=usersWithLoginPrivs
|
|
|
|
[docker]
|
|
search = sourcetype=docker
|
|
#tags = performance os avail unix report docker
|
|
|
|
[vmstat]
|
|
search = sourcetype=vmstat
|
|
#tags = performance os avail unix report vmstat resource success memory
|
|
|
|
[who]
|
|
search = sourcetype=who
|
|
|
|
[bandwidth]
|
|
search = sourcetype=bandwidth
|
|
|
|
|
|
###### System Logs ######
|
|
|
|
#### Account Management
|
|
[useradd]
|
|
search = eventtype=nix_ta_data useradd user
|
|
#tags = account management add change
|
|
|
|
# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0
|
|
[useradd-suse]
|
|
search = eventtype=nix_ta_data useradd new account added
|
|
#tags = account management add change
|
|
|
|
[userdel]
|
|
search = eventtype=nix_ta_data userdel user
|
|
#tags = account management delete change
|
|
|
|
[groupadd]
|
|
search = eventtype=nix_ta_data groupadd group
|
|
#tags = account management add change
|
|
|
|
#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0
|
|
[groupadd-suse]
|
|
search = eventtype=nix_ta_data useradd account added group
|
|
#tags = account management add change
|
|
|
|
[groupdel]
|
|
search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group
|
|
#tags = account management delete change
|
|
|
|
[linux-password-change]
|
|
search = eventtype=nix_ta_data process=passwd password changed
|
|
#tags = account management password modify change
|
|
|
|
#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0
|
|
[linux-password-change-failed]
|
|
search = eventtype=nix_ta_data process=passwd password change failed
|
|
#tags = account management password modify change
|
|
|
|
|
|
#### acpi
|
|
[nix_acpi]
|
|
search = eventtype=nix_ta_data ACPI:
|
|
#tags = os unix power
|
|
|
|
|
|
#### agpgart
|
|
[nix_agpgart]
|
|
search = eventtype=nix_ta_data agpgart:
|
|
#tags = os unix graphics
|
|
|
|
|
|
#### apm
|
|
[nix_apm]
|
|
search = eventtype=nix_ta_data apm:
|
|
#tags = os unix power
|
|
|
|
|
|
#### auditd
|
|
[auditd]
|
|
search = sourcetype=auditd
|
|
#tags = os unix resource file
|
|
|
|
[auditd_modify]
|
|
search = source=auditd PATH
|
|
#tags = modify
|
|
|
|
|
|
#### Authentication
|
|
|
|
## ksu
|
|
[ksu_authentication]
|
|
# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives.
|
|
search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful)))
|
|
#tags = authentication
|
|
|
|
## login
|
|
[login_authentication]
|
|
search = eventtype=nix_ta_data login: "Login failure on"
|
|
#tags = authentication
|
|
|
|
## pam
|
|
[pam_unix_authentication]
|
|
search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened")
|
|
#tags = authentication
|
|
|
|
## passwd
|
|
#Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure
|
|
[passwd-auth-failure]
|
|
search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__"
|
|
#tags = application authentication
|
|
|
|
## rlogin
|
|
[rlogin_too_many_failures]
|
|
search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES"
|
|
#tags = application attack watchlist
|
|
|
|
## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
|
|
[remote_login_failure]
|
|
search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed")
|
|
#tags = application authentication remote
|
|
|
|
## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
|
|
[remote_login_allowed]
|
|
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
|
|
#tags = application authentication remote
|
|
|
|
## sshd
|
|
[sshd_authentication]
|
|
# osx sshd authentication error
|
|
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
|
|
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
|
|
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
|
|
#tags = authentication remote
|
|
|
|
[ssh_login_postponed]
|
|
search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
|
|
# no tags assigned to this eventtype
|
|
|
|
[ssh_open]
|
|
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
|
|
#tags = communicate connect
|
|
|
|
# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
|
|
[ssh_close]
|
|
search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed)
|
|
#tags = access stop logoff
|
|
|
|
# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye
|
|
[ssh_disconnect]
|
|
search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect
|
|
#tags = access stop logoff
|
|
|
|
[ssh_check_pass]
|
|
search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__")
|
|
#no tags assigned to this eventtype
|
|
|
|
## su
|
|
[su_authentication]
|
|
# Example event, from su on CentOS7
|
|
# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success'
|
|
|
|
search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at))
|
|
#tags = authentication
|
|
|
|
[su_failed]
|
|
search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU "))
|
|
#tags = authentication
|
|
|
|
[su_session]
|
|
search = eventtype=nix_ta_data su: session
|
|
#tags = session
|
|
|
|
[su_root_session]
|
|
search = eventtype=nix_ta_data su: session root
|
|
#tags = session privileged
|
|
|
|
## Telnet
|
|
[wksh_authentication]
|
|
search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL"
|
|
# no tags assigned to this eventtype
|
|
|
|
#### automount
|
|
[nix_automount]
|
|
search = eventtype=nix_ta_data automount punct="::__::_*:_*"
|
|
#tags = os unix
|
|
|
|
|
|
#### Config
|
|
[nix_config_change]
|
|
search = eventtype=nix_ta_data Configuration changed
|
|
#tags = os unix host configuration modify
|
|
|
|
|
|
#### Console
|
|
[nix_console]
|
|
search = eventtype=nix_ta_data Console:
|
|
#tags = os unix
|
|
|
|
|
|
#### cron
|
|
[nix_cron]
|
|
search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased:
|
|
#tags = os unix
|
|
|
|
|
|
#### CUPS
|
|
[nix_cups_access]
|
|
search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-"
|
|
#tags = os unix access printer
|
|
|
|
[nix_cups_error]
|
|
search = eventtype=nix_ta_data punct="_[//:::_-]_*"
|
|
#tags = os unix printer
|
|
|
|
[nix_cups_page]
|
|
search = eventtype=nix_ta_data punct="___[//:::_-]___-_"
|
|
#tags = os unix printer
|
|
|
|
|
|
#### dhclient
|
|
[nix_dhclient]
|
|
search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name
|
|
#tags = os unix
|
|
|
|
|
|
#### DMA
|
|
[nix_dma]
|
|
search = eventtype=nix_ta_data DMA zone:
|
|
#tags = os unix memory access
|
|
|
|
|
|
#### Firewall
|
|
# These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add
|
|
# on and tag their events with these tags
|
|
[iptables_firewall_accept]
|
|
search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit
|
|
#tags = os unix host firewall communicate success
|
|
|
|
[iptables_firewall_deny]
|
|
search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped
|
|
#tags = os unix host firewall communicate failure
|
|
|
|
|
|
#### FTP
|
|
[nix_ftp_xferlog]
|
|
search = eventtype=nix_ta_data punct="___*::___...__///*"
|
|
#tags = os unix ftp transfer
|
|
|
|
[nix_ncftpd_logins]
|
|
search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*"
|
|
#tags = os unix ftp authentication
|
|
|
|
|
|
#### Fingerprinting
|
|
[nix_fingerprinting]
|
|
search = eventtype=nix_ta_data Client OS detected:
|
|
#tags = os unix
|
|
|
|
|
|
#### gconfd
|
|
[nix_gconfd]
|
|
search = eventtype=nix_ta_data gconfd
|
|
#tags = os unix
|
|
|
|
[nix_gconfd_error]
|
|
search = eventtype=nix_ta_data gconfd Error
|
|
#tags = error
|
|
|
|
[nix_gconfd_exiting]
|
|
search = eventtype=nix_ta_data gconfd Exiting OR signal
|
|
#tags = stop
|
|
|
|
[nix_gconfd_resolved_address]
|
|
search = eventtype=nix_ta_data gconfd Resolved address
|
|
|
|
[nix_gconfd_starting]
|
|
search = eventtype=nix_ta_data gconfd starting
|
|
#tags = start
|
|
|
|
|
|
#### gdm
|
|
[nix_gdm]
|
|
search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam*
|
|
#tags = os unix
|
|
|
|
|
|
#### gpm
|
|
[nix_gpm]
|
|
search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*."
|
|
#tags = os unix
|
|
|
|
|
|
#### FreeBSD
|
|
[freebsd_refresh_na_answer]
|
|
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)"
|
|
#tags = os unix
|
|
|
|
[freebsd_refresh_retry_exceeded]
|
|
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)"
|
|
#tags = os unix
|
|
|
|
|
|
#### hald
|
|
[nix_hald]
|
|
search = eventtype=nix_ta_data hald punct="*__::_*:_*"
|
|
#tags = os unix
|
|
|
|
|
|
#### hpiod
|
|
[hpiod_Linux_syslog]
|
|
search = eventtype=nix_ta_data hpiod punct="*__::_*:_*"
|
|
#tags = os unix
|
|
|
|
|
|
#### kernel
|
|
[nix_kernel_attached]
|
|
search = eventtype=nix_ta_data kernel
|
|
#tags = os unix kernel
|
|
|
|
|
|
#### kill
|
|
[nix_process_kill]
|
|
search = eventtype=nix_ta_data exiting signal 15
|
|
#tags = os unix process stop
|
|
|
|
|
|
#### mDNSResponder
|
|
[nix_mDNSResponder]
|
|
search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*"
|
|
#tags = os unix dns
|
|
|
|
|
|
#### named
|
|
[nix_named1]
|
|
search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*"
|
|
#tags = os unix dns
|
|
|
|
[nix_named2]
|
|
search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..."
|
|
#tags = os unix dns
|
|
|
|
|
|
#### OSX Crash Log
|
|
[osx_crash_log]
|
|
search = eventtype=nix_ta_data Host Name Date/Time
|
|
#tags = os unix error
|
|
|
|
|
|
#### Netlabel
|
|
[nix_netlabel]
|
|
search = eventtype=nix_ta_data NetLabel:
|
|
#tags = os unix kernel
|
|
|
|
|
|
#### PCI
|
|
[nix_pci]
|
|
search = eventtype=nix_ta_data PCI: NOT BIOS
|
|
#tags = os unix
|
|
|
|
|
|
#### Plug-n-play
|
|
[nix_pnp]
|
|
search = eventtype=nix_ta_data pnp:
|
|
#tags = os unix
|
|
|
|
|
|
#### POP3
|
|
[nix_popper]
|
|
search = eventtype=nix_ta_data popper
|
|
#tags = os unix mail
|
|
|
|
|
|
#### postfix
|
|
[nix_postfix]
|
|
search = eventtype=nix_ta_data postfix punct="*__::_*:_*"
|
|
#tags = os unix
|
|
|
|
|
|
#### Prelink
|
|
[nix_prelink]
|
|
search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking
|
|
#tags = os unix
|
|
|
|
|
|
#### RPC
|
|
[nix_rpc_statd]
|
|
search = eventtype=nix_ta_data rpc.statd
|
|
#tags = os unix
|
|
|
|
|
|
#### RPM
|
|
[nix_rpm]
|
|
search = eventtype=nix_ta_data *.rpm punct="*-*.*."
|
|
#tags = os update
|
|
|
|
|
|
#### Runlevel
|
|
[nix_runlevel_change]
|
|
search = eventtype=nix_ta_data init: punct="*__::_*:_*"
|
|
#tags = os unix configuration modify
|
|
|
|
|
|
#### SNMPD
|
|
[snmpd]
|
|
search = eventtype=nix_ta_data snmpd
|
|
#tags = os unix snmp
|
|
|
|
[snmpd_failure]
|
|
search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE
|
|
#tags = failure
|
|
|
|
|
|
#### scrollkeeper
|
|
[nix_scrollkeeper]
|
|
search = eventtype=nix_ta_data scrollkeeper punct="__::__*"
|
|
#tags = os unix
|
|
|
|
|
|
## Shutdown
|
|
[nix_halt]
|
|
search = eventtype=nix_ta_data shutdown: system halt
|
|
#tags = os unix stop
|
|
|
|
[nix_restart]
|
|
search = eventtype=nix_ta_data shutdown: system reboot
|
|
#tags = os unix stop
|
|
|
|
|
|
#### smartd
|
|
[nix_smartd]
|
|
search = eventtype=nix_ta_data smartd punct="*__::_*:_*"
|
|
#tags = os unix
|
|
|
|
|
|
#### Time
|
|
[nix_timesync]
|
|
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server")
|
|
#tags = report time synchronize success
|
|
|
|
[nix_timesync_failure]
|
|
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon")
|
|
#tags = report time synchronize failure
|
|
|
|
|
|
#### Update
|
|
[nix_yum_update]
|
|
search = eventtype=nix_ta_data yum Updated
|
|
#tags = report update success
|
|
|
|
|
|
#### udevd
|
|
[nix_udevd]
|
|
search = eventtype=nix_ta_data udevd
|
|
#tags = os unix kernel
|
|
|
|
|
|
#### USB
|
|
[nix_usb]
|
|
search = eventtype=nix_ta_data usb*: NOT punct="<>:__*"
|
|
#tags = os unix usb
|
|
|
|
|
|
#### userhelper
|
|
[nix_userhelper]
|
|
search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
|
|
#tags = os unix
|
|
|
|
|
|
###### ADDED FROM UNIX APP ######
|
|
[failed_login]
|
|
search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
|
|
#tags = authentication
|
|
|
|
[Failed_SU]
|
|
search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
|
|
#tags = authentication
|
|
|
|
[nix-all-logs]
|
|
search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog)
|
|
|
|
###### END FROM UNIX APP ######
|
|
|
|
###### ADDED FROM TA-deploymentapps ######
|
|
|
|
###### Scripted Inputs ######
|
|
|
|
## Global
|
|
[aix_scripted_input]
|
|
search = sourcetype=AIX:*
|
|
#tags = check report
|
|
|
|
[hpux_scripted_input]
|
|
search = sourcetype=HPUX:*
|
|
#tags = check report
|
|
|
|
[linux_scripted_input]
|
|
search = sourcetype=Linux:*
|
|
#tags = check report
|
|
|
|
[osx_scripted_input]
|
|
search = sourcetype=OSX:*
|
|
#tags = check report
|
|
|
|
[solaris_scripted_input]
|
|
search = sourcetype=Solaris:*
|
|
#tags = check report
|
|
|
|
[unix_scripted_input]
|
|
search = sourcetype=Unix:*
|
|
#tags = check report
|
|
|
|
## CPUTime
|
|
[cputime]
|
|
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime
|
|
#tags = performance os avail cpu
|
|
|
|
[cputime_anomalous]
|
|
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90
|
|
#tags = anomalous
|
|
|
|
## Disk
|
|
[freediskspace]
|
|
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace
|
|
#tags = performance os avail disk storage
|
|
|
|
[freediskspace_anomalous]
|
|
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10
|
|
#tags = anomalous
|
|
|
|
## Listening Ports
|
|
[listeningports]
|
|
search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*)
|
|
#tags = os config report
|
|
|
|
## Local Processes
|
|
[localprocesses]
|
|
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses
|
|
#tags = os avail process
|
|
|
|
[localprocesses_anomalous]
|
|
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total
|
|
#tags = anomalous
|
|
|
|
## Memory
|
|
[memory]
|
|
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory
|
|
#tags = performance os avail memory
|
|
|
|
[memory_anomalous]
|
|
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600
|
|
#tags = anomalous
|
|
|
|
## SELinux Config
|
|
[selinuxconfig]
|
|
search = sourcetype=Linux:SELinuxConfig
|
|
#tags = application config selinux
|
|
|
|
## Service
|
|
[service]
|
|
search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*)
|
|
#tags = os config service report
|
|
|
|
[service_runlevel_anomalous]
|
|
search = sourcetype=*:Service (runlevel0=on OR runlevel6=on)
|
|
#tags = anomalous
|
|
|
|
## SSHD Config
|
|
[sshdconfig]
|
|
search = sourcetype=*:SSHDConfig
|
|
#tags = application config ssh
|
|
|
|
[sshd_insecure]
|
|
search = eventtype=nix_ta_data sshd_protocol=*1*
|
|
#tags = insecure
|
|
|
|
## Update
|
|
[update]
|
|
search = sourcetype=*:Update
|
|
#tags = os info update
|
|
|
|
[update_status]
|
|
search = sourcetype=*:Update NOT total_updates
|
|
#tags = status
|
|
|
|
## Uptime
|
|
[uptime]
|
|
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime
|
|
#tags = os info report uptime performance
|
|
|
|
[uptime_anomalous]
|
|
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000
|
|
#tags = anomalous
|
|
|
|
## User Accounts
|
|
[useraccounts]
|
|
search = sourcetype=*:UserAccounts (NOT file_hash=*)
|
|
#tags = (os) config user inventory
|
|
|
|
[useraccounts_anomalous]
|
|
search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*)
|
|
#tags = anomalous
|
|
|
|
## Version
|
|
[nix_version]
|
|
search = (NOT sourcetype=WMI:Version) sourcetype=*:Version
|
|
#tags = os info report system version inventory
|
|
|
|
## VSFTDP Config
|
|
[vsftpd_config]
|
|
search = sourcetype=*:VSFTPDConfig
|
|
#tags = application config ftp cleartext
|
|
|
|
[vsftpd_config_anonymous]
|
|
search = sourcetype=*:VSFTPDConfig anonymous_enable=YES
|
|
#tags = anonymous
|
|
|
|
###### END FROM TA-deploymentapps ######
|