Reputation: 590
I am a newbie to Splunk. I installed Splunk on a single EC2 instance, and I have another Linux EC2 instance from which I need some data to be transported. Basically, using Splunk I am trying to simulate a security breach.
What I am trying to achieve:
In the Linux machine, I have a file at /home/ec2-user/splunk-test/secret-file. I have changed the owner of this file to user1, who is in group user1g. I have created another user, user2, with no permissions to anything apart from his home folder. Now, when I try to access (read/change permissions, with or without sudo) this file as user2, I should get a security threat in Splunk.
After some research I found that this can be achieved by enabling auditd on the Linux machine, whose output then needs to be sent to the Splunk server using the universal forwarder. So, I have installed the universal forwarder for Splunk and configured its inputs and outputs.
After all this I am not able to see:
1. any auditd entries on the Linux machine
2. any threats in the Splunk web dashboard.
Can someone please help me at the earliest?
Upvotes: 0
Views: 162
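The scenario described in the question boils down to three pieces: an auditd watch rule on the file (for example `auditctl -w /home/ec2-user/splunk-test/secret-file -p rwa -k secret-file`, which tags every matching record with the key `secret-file`), a universal forwarder `[monitor:///var/log/audit/audit.log]` input stanza so the records reach Splunk, and a search that flags records where the login user is not the file owner. The following is an added example, not code from the question or from Splunk, that demonstrates the third piece over constructed audit.log lines: it reassembles the SYSCALL and PATH records of each event, and alerts when the login UID (`auid`) differs from the file owner (`ouid`). The key name `secret-file`, the UIDs 1001/1002, and the sample records are assumptions. Using `auid` rather than `uid` is the point worth noticing: with `sudo` the effective UID becomes 0, but `auid` still identifies the user who logged in, so the privileged attempt is still attributed to user2. The same logic can be expressed in SPL once the records are indexed; before that, `auditctl -l` and `ausearch -k secret-file` on the Linux host confirm that the rule is loaded and producing records at all.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not real captured data).
# Event 201: owner (uid 1001) reads the file -> benign.
# Event 202: user2 (uid 1002) tries to read it -> EACCES (exit=-13).
# Event 203: user2 runs chmod via sudo -> euid 0, but auid still 1002.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1516000000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="secret-file"
type=PATH msg=audit(1516000000.101:201): item=0 name="/home/ec2-user/splunk-test/secret-file" inode=4242 dev=ca:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1516000000.205:202): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2 a1=0 a2=1b6 a3=0 items=1 ppid=1300 pid=1301 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="secret-file"
type=PATH msg=audit(1516000000.205:202): item=0 name="/home/ec2-user/splunk-test/secret-file" inode=4242 dev=ca:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1516000000.309:203): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd3 a2=1ff a3=0 items=1 ppid=1400 pid=1401 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="chmod" exe="/usr/bin/chmod" key="secret-file"
type=PATH msg=audit(1516000000.309:203): item=0 name="/home/ec2-user/splunk-test/secret-file" inode=4242 dev=ca:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
"""

# x86_64 syscall numbers for the calls a read or chmod attempt produces.
SYSCALL_NAMES = {2: "open", 257: "openat", 90: "chmod", 268: "fchmodat"}

EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (event serial, field dict); quotes are stripped."""
    match = EVENT_ID_RE.search(line)
    if not match:
        return None, {}
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    fields["_ts"] = match.group(1)
    return match.group(2), fields


def detect_unauthorized_access(log_text, watch_key="secret-file"):
    """Return one alert per event on the watched file whose login UID is not the owner."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in log_text.splitlines():
        serial, fields = parse_record(line)
        if serial is None:
            continue
        if fields.get("type") == "SYSCALL":
            events[serial]["SYSCALL"] = fields
        elif fields.get("type") == "PATH":
            events[serial]["PATH"].append(fields)

    alerts = []
    for serial in sorted(events, key=int):
        syscall_rec = events[serial]["SYSCALL"]
        paths = events[serial]["PATH"]
        if syscall_rec is None or syscall_rec.get("key") != watch_key or not paths:
            continue
        login_uid = int(syscall_rec["auid"])   # survives sudo/su
        effective_uid = int(syscall_rec["euid"])
        owner_uid = int(paths[0]["ouid"])
        if login_uid == owner_uid:
            continue  # owner acting on their own file: not interesting
        syscall_nr = int(syscall_rec["syscall"])
        alerts.append({
            "event_id": serial,
            "timestamp": syscall_rec["_ts"],
            "path": paths[0]["name"],
            "login_uid": login_uid,
            "effective_uid": effective_uid,
            "via_sudo": effective_uid == 0 and login_uid != 0,
            "syscall": SYSCALL_NAMES.get(syscall_nr, str(syscall_nr)),
            "success": syscall_rec["success"] == "yes",
            "exe": syscall_rec["exe"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthorized_access(SAMPLE_AUDIT_LOG):
        outcome = "succeeded" if alert["success"] else "denied"
        sudo_note = " (via sudo)" if alert["via_sudo"] else ""
        print(f"ALERT event {alert['event_id']}: uid {alert['login_uid']} "
              f"{alert['syscall']} on {alert['path']} {outcome}{sudo_note}")
```

Run against the constructed log, the owner's read (event 201) is ignored, user2's denied read (202) is reported, and the sudo chmod (203) is reported as a successful change by login UID 1002 even though the record shows `uid=0`. If the equivalent Splunk search stays empty while `ausearch -k secret-file` shows records on the host, the gap is in the forwarder configuration rather than in auditd.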
Reputation: 590
Here are some of the comments which I received for the same question:
https://answers.splunk.com/answers/525729/simulating-security-breach-using-splunk.html
Upvotes: 0