sudo logging for CIS compliance - Additional log filtering

kyndi-roy
New Contributor II

Jamf Protect allows you to collect logging information via analytics. We worked with Jamf Support team and they gave me a custom predicate to build my analytics. 

$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.sudo"

While this seems to capture all sudo activity, it's capturing too much and need a way to adjust this further to filter out some of the noise. The issue is that we are also using Jamf Pro policies with scripts to control CIS controls. Many of those controls require sudo commands so it gets pretty chatty. We are not ready to use Splunk just yet but it's getting closer if I can't find a good filtering solution. Would love to hear from the community. Thanks in advance! 

1 REPLY 1

MattT
New Contributor III

Hi @kyndi-roy you may wish to try using this custom analytic predicate from the Jamf Protect GitHub repository: https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/all_sudo_command_line_activ...

It has an additional criteria that will narrow down alerts to only the activity which has an associated TTY, found when the process was spawned through an interactive shell session (such as via Terminal.app).

Let me know how this goes!