# Splunk Process List Whitelisting FedRAMP Notes

***Only Used to Fufill CM-7(5) in [FedRAMP Security Controls Baseline](https://www.fedramp.gov/documents-templates/)***

Notes from talking with Fred
Salt State -> Push cron job + bash script to Minions -> Bash script writes to file -> Splunk UF reads file and indexes it. -> Splunk creates lookup file which compares to a baseline lookup file. Differneces between the two are displayed on a dashboard and can be "approved". the approve button runs a search that will merge the two lookups and updates the baseline. 

Prelinking needs to be turned off according to [Questions about Prelinking in Red Hat Enterprise Linux](https://access.redhat.com/solutions/61691)

proc f


Dashboard is broken needed to fix it. Remove the blacklist variable and it will start working. 

app uses SHA256 hashes

Splunk search containing whitelist
```
|inputlookup ProcessLookup
|inputlookup ProcessLookup | search process=*splunk*
|inputlookup ProcessLookup | search process=*splunk* | dedup file_hash
```

Don't look for salt as a process. It is started with the python process.