Question

sudo logging for CIS compliance - Additional log filtering

  • February 17, 2022
  • 1 reply
  • 1 view

kyndi-roy

Jamf Protect allows you to collect logging information via analytics. We worked with Jamf Support team and they gave me a custom predicate to build my analytics. 

$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.sudo"

While this seems to capture all sudo activity, it's capturing too much and I need a way to adjust this further to filter out some of the noise. The issue is that we are also using Jamf Pro policies with scripts to control CIS controls. Many of those controls require sudo commands so it gets pretty chatty. We are not ready to use Splunk just yet but it's getting closer if I can't find a good filtering solution. Would love to hear from the community. Thanks in advance! 


MattT
  • Employee
  • 29 replies
  • April 29, 2022

Hi @kyndi-roy you may wish to try using this custom analytic predicate from the Jamf Protect GitHub repository: https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/all_sudo_command_line_activity

It has an additional criterion that will narrow down alerts to only the activity which has an associated TTY, found when the process was spawned through an interactive shell session (such as via Terminal.app).

Let me know how this goes!
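To make the difference between the two predicates concrete, here is an added example (not code from the original post, from Jamf, or from the linked GitHub repository) that evaluates a simplified version of each predicate over constructed sample events. The event shape is an assumption: it mirrors the `$event.type == 1` and `$event.process.signingInfo.appid` fields quoted in the question, adds a `tty` attribute that is `None` for non-interactive launches (the real Jamf Protect field name for the TTY is not verified here), and adds a hypothetical `responsible` path so a third, parent-process-based filter can be shown alongside the TTY one.

```python
"""Toy evaluator for sudo-detection predicates of the kind discussed on this page.

Constructed sample telemetry, not real Jamf Protect output. Field names other
than type/appid are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

PROCESS_EXEC_EVENT = 1           # $event.type == 1 in the predicate from the question
SUDO_APPID = "com.apple.sudo"    # $event.process.signingInfo.appid
JAMF_BINARY = "/usr/local/jamf/bin/jamf"   # assumed path of the Jamf Pro agent


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process event (constructed; not the real schema)."""
    type: int
    appid: str
    args: tuple
    tty: Optional[str]      # assumption: None when the process has no controlling TTY
    responsible: str        # assumption: path of the binary that launched the process


# Constructed events modelled on the situation in the question: one interactive
# admin session, two CIS-hardening commands run by a Jamf Pro policy script
# (no TTY), one non-sudo command, and one sudo from a remote SSH session.
SAMPLE_EVENTS = (
    ProcessEvent(PROCESS_EXEC_EVENT, SUDO_APPID,
                 ("sudo", "vim", "/etc/pam.d/sudo"), "/dev/ttys003",
                 "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcessEvent(PROCESS_EXEC_EVENT, SUDO_APPID,
                 ("sudo", "pwpolicy", "-setglobalpolicy", "minChars=15"), None, JAMF_BINARY),
    ProcessEvent(PROCESS_EXEC_EVENT, SUDO_APPID,
                 ("sudo", "defaults", "write", "/Library/Preferences/com.apple.alf",
                  "globalstate", "-int", "1"), None, JAMF_BINARY),
    ProcessEvent(PROCESS_EXEC_EVENT, "com.apple.ls",
                 ("ls", "-la"), "/dev/ttys003", "/bin/zsh"),
    ProcessEvent(PROCESS_EXEC_EVENT, SUDO_APPID,
                 ("sudo", "-s"), "/dev/ttys004", "/usr/sbin/sshd"),
)


def all_sudo(ev: ProcessEvent) -> bool:
    """The predicate quoted in the question: every sudo exec, interactive or not."""
    return ev.type == PROCESS_EXEC_EVENT and ev.appid == SUDO_APPID


def interactive_sudo(ev: ProcessEvent) -> bool:
    """The narrowed predicate from the reply: sudo execs that have a TTY attached."""
    return all_sudo(ev) and ev.tty is not None


def sudo_not_from_jamf(ev: ProcessEvent) -> bool:
    """Alternative filter (assumption, not from the page): keep every sudo exec,
    including TTY-less ones, except those launched by the Jamf Pro agent."""
    return all_sudo(ev) and ev.responsible != JAMF_BINARY


def select(predicate: Callable[[ProcessEvent], bool],
           events: Iterable[ProcessEvent] = SAMPLE_EVENTS) -> List[str]:
    """Return the command lines of the events that satisfy `predicate`."""
    return [" ".join(ev.args) for ev in events if predicate(ev)]


if __name__ == "__main__":
    for name, pred in (("all sudo", all_sudo),
                       ("sudo with TTY", interactive_sudo),
                       ("sudo not launched by jamf", sudo_not_from_jamf)):
        print(f"{name}: {select(pred)}")
```

The TTY criterion removes the two policy-script commands, which is exactly the noise described in the question, but it also removes any sudo that a non-interactive process would run (a launch agent, a cron job, a script dropped by malware), so the parent-process style filter is worth considering if that coverage matters to you.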
