Mar 31, 2020

Privilege Management for Unix & Linux – Splunk Application

SERVER LEAST PRIVILEGE USING SPLUNK’S ENTERPRISE AUDIT DATA CONSUMPTION

SOLUTION BRIEF


CONTENTS

SOLUTION BENEFITS ............ 3
KEY FEATURES ............ 4
USAGE DASHBOARD ............ 4
EVENT STATISTICS ............ 4
REJECTED COMMANDS ............ 5
COMMAND AUDIT ............ 5
USER ACTIVITY ............ 5
HOST ACTIVITY ............ 6
INTEGRATION REQUIREMENTS ............ 6
ABOUT BEYONDTRUST ............ 7


SOLUTION BENEFITS

Privilege Management for Unix & Linux’s primary function is to control what a user can and cannot do when working on a Unix or Linux system—this may or may not include the elevation of a user’s credentials. The other key function of the product is to audit user activity, even down to the session level—which includes system-level activity beyond just what the user has typed on the command line. This function by itself generates extremely large amounts of audit data, and one of the most powerful features of Splunk is its ability to rapidly ingest, index, and clearly present very large amounts of data. While Privilege Management for Unix & Linux ships with its own log file indexing system (SOLR) and centralized reporting system (BeyondInsight), many organizations opt to consolidate all of their security information into one SIEM, such as Splunk. Privilege Management for Unix & Linux has long supported (and will continue to support) all common SIEM platforms by leveraging the syslog facility and allowing users to pick and choose which variable information from each event type is sent to the SIEM. To address the needs of Splunk users, we offer native, out-of-the-box integration between Privilege Management for Unix & Linux and Splunk, for fast, simplified data sharing and synthesis.


KEY FEATURES

USAGE DASHBOARD

At a glance, see the most active systems, users, and commands. Additionally, you can see how many commands are being approved or blocked, along with a high-level summary of the actions being performed within recorded sessions.

EVENT STATISTICS

Choose your desired timespan (Hour, Day, Week, or Month) and then view the number of accepted and rejected Privilege Management for Unix & Linux requests within, or over, a timeframe of your choosing.


REJECTED COMMANDS

Quickly and easily see which commands requested by users and admins are being rejected, and how often they are being rejected. This enables you to fine-tune your privilege control policies, and/or investigate potentially bad behaviors and put additional controls in place, if required.

SESSION AUDIT

All session data is indexed and sent to Splunk. The session data included with Privilege Management for Unix & Linux leverages an industry-exclusive technology to collect and report on ALL actions the system performs, beyond what the user or admin types at the command line.

COMMAND AUDIT

The app provides a simple view into the event log to see what commands are being actioned and rejected within your enterprise. You can perform standard filtering, such as by hostname, username, command, event status, and risk rating. You can also include advanced system-level data along with the event log data, for an unparalleled view into the actions that are being performed within your Unix and Linux environment.

USER ACTIVITY

Provides a view of all, or a filtered list of, user activities. The activities list can be filtered by common event data variables such as date, time, host, command, and result.


HOST ACTIVITY

Provides a view of all, or a filtered list of, activities on a particular host. The activities list can be filtered by common event data variables such as date, time, user, command, and result.

CUSTOMIZATION

Both event and session data can easily be customized to send additional data to Splunk.

INTEGRATION REQUIREMENTS

Privilege Management for Unix & Linux 10.0.1 or higher
Privilege Management for Unix & Linux App for Splunk v1.0 or higher (available from the Splunk App Store)

Please refer to the standard Privilege Management for Unix & Linux Admin Guide for detailed configuration information.


ABOUT BEYONDTRUST

BeyondTrust is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. Our extensible platform empowers organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments. BeyondTrust unifies the industry’s broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers. Our holistic platform stands out for its flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments. BeyondTrust gives organizations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 500, and a global partner network. Learn more at www.beyondtrust.com

V2019_03_ENG