@@ -1,12 +1,11 @@
# Splunk Process List Whitelisting FedRAMP Notes
-***Only Used to Fufill CM-7(5)***
+***Only Used to Fufill CM-7(5) in [FedRAMP Security Controls Baseline](https://www.fedramp.gov/documents-templates/)***
Notes from talking with Fred
Salt State -> Push cron job + bash script to Minions -> Bash script writes to file -> Splunk UF reads file and indexes it. -> Splunk creates lookup file which compares to a baseline lookup file. Differneces between the two are displayed on a dashboard and can be "approved". the approve button runs a search that will merge the two lookups and updates the baseline.
-Prelinking needs to be turned off
-https://access.redhat.com/solutions/61691
+Prelinking needs to be turned off according to [Questions about Prelinking in Red Hat Enterprise Linux](https://access.redhat.com/solutions/61691)
proc f
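Review bot: the rewritten line `+***Only Used to Fufill CM-7(5) in [FedRAMP Security Controls Baseline](https://www.fedramp.gov/documents-templates/)***` carries the "Fufill" misspelling over from the line it replaces; since the line is being rewritten anyway, spell it "Fulfill", and consider naming what CM-7(5) is (authorized software / whitelisting) so the purpose of the page is clear without opening the baseline document. The prelinking change swaps a bare URL for a titled link, which reads better, but the page still never says why prelinking matters here: the next hunk states the app compares SHA256 hashes, and prelink rewrites executables on disk, so one clause such as "because it changes the on-disk binaries and therefore their hashes" would make the note self-explanatory. The context lines "Differneces" and the truncated "proc f" are outside this change but worth cleaning up in the same pass.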
@@ -16,9 +15,11 @@ Dashboard is broken needed to fix it. Remove the blacklist variable and it will
app uses SHA256 hashes
Splunk search containing whitelist
+```
|inputlookup ProcessLookup
|inputlookup ProcessLookup | search process=*splunk*
|inputlookup ProcessLookup | search process=*splunk* | dedup file_hash
+```
Don't look for salt as a process. It is started with the python process.
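Review bot: the added fence around the three `|inputlookup ProcessLookup` searches fixes the rendering, but the heading "Splunk search containing whitelist" only fits the first line; the second and third narrow the lookup to `process=*splunk*`, so they are filtering examples rather than the whitelist itself, and a reader could paste the wrong one into the dashboard. Either keep only the first search under that heading or add a one-line note that the filtered variants are illustrations. Also, `dedup file_hash` collapses rows that share a hash, so identical binaries at different paths appear once; state whether that is intended for the approval workflow the page describes, since the baseline merge keys on what this search returns.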