Hi guys,
I'm trying to monitor command execution over certain directories in linux. To do that, I've made a report that displays that data in a table format, something like this...
USER  COMMAND  PWD        _time
usr1  cat      /opt       time1
usr2  less     /example1  time2
usr3  visudo   /example2  time3
But now, I want something more complex. I've created a whitelist (CSV file) with user, allowedCommands, directory (PWD) to alert not only when a user outside this whitelist is executing something, but also when whitelisted users run commands outside their allowed commands by directory.
I've been playing with lookups/inputlookups, but I couldn't make it work.
Any ideas ?
KR.
Try something like this
Step1: Add a field, say flag="Y", in your whitelist lookup file. This will be used as the return value for matches.
Step2: update your search like this
Your current search giving table with fields USER COMMAND PWD _time
| lookup YourWhitelistTable user as USER allowedCommands as COMMAND OUTPUT flag as commandFlag
| lookup YourWhitelistTable user as USER directory as PWD OUTPUT flag as pwdFlag
| where commandFlag!="Y" OR pwdFlag!="Y"
It's working!
Any idea why "commandFlag" field ends up with more than one "Y" per event in some cases?
Thx mate.
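As an added example (not from this thread or from Splunk), the Python script below simulates the lookup logic of the answer above over a constructed whitelist and a few constructed events. It shows why commandFlag can carry several "Y" values (the lookup returns one value per whitelist row matching the same user and command, so the field becomes multivalued), and it contrasts the two independent lookups with a stricter single lookup on the full user/command/directory triple. Column names follow the thread; all sample values are constructed.

```python
import csv
import io

# Constructed whitelist in the CSV layout the question describes, plus the
# flag="Y" column the answer suggests. usr1 has two rows for "cat".
WHITELIST_CSV = """user,allowedCommands,directory,flag
usr1,cat,/opt,Y
usr1,cat,/var/log,Y
usr1,tail,/var/log,Y
usr2,less,/example1,Y
"""

# Constructed events shaped like the USER COMMAND PWD _time table.
EVENTS = [
    {"USER": "usr1", "COMMAND": "cat", "PWD": "/opt", "_time": "time1"},
    {"USER": "usr2", "COMMAND": "less", "PWD": "/example1", "_time": "time2"},
    {"USER": "usr3", "COMMAND": "visudo", "PWD": "/example2", "_time": "time3"},
    {"USER": "usr1", "COMMAND": "tail", "PWD": "/opt", "_time": "time4"},
]


def load_whitelist(text):
    return list(csv.DictReader(io.StringIO(text)))


def lookup(event, rows, keys, output):
    """Mimic `| lookup T k1 as F1 k2 as F2 OUTPUT col as X`: every whitelist
    row whose key columns equal the event fields contributes one value, so
    the output field is multivalued whenever more than one row matches."""
    return [row[output] for row in rows
            if all(row[k] == event[f] for k, f in keys.items())]


def independent_flags(event, rows):
    """The answer's approach: user+command and user+directory checked separately."""
    command_flag = lookup(event, rows, {"user": "USER", "allowedCommands": "COMMAND"}, "flag")
    pwd_flag = lookup(event, rows, {"user": "USER", "directory": "PWD"}, "flag")
    return command_flag, pwd_flag


def is_alert_independent(event, rows):
    # Treat any matching row as allowed; alert when either lookup finds none.
    command_flag, pwd_flag = independent_flags(event, rows)
    return "Y" not in command_flag or "Y" not in pwd_flag


def is_alert_joint(event, rows):
    """Stricter: the (user, command, directory) triple must sit in one row."""
    keys = {"user": "USER", "allowedCommands": "COMMAND", "directory": "PWD"}
    return not lookup(event, rows, keys, "flag")


def alerts(events, rows, check):
    return [e["_time"] for e in events if check(e, rows)]
```

With these inputs the independent check alerts only on time3, while the joint check also catches time4 (usr1 may run tail, and may work in /opt, but not tail in /opt).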