Scenario: The heap-based buffer overflow in sudo dubbed Baron Samedit can lead to privilege escalation on some of the most modern and widely used Linux operating systems. An unprivileged local user can exploit this vulnerability to gain root privileges on a host that is running the default sudo configuration. You have Linux and Unix machines in your network, and those machines have the sudo command installed. You need a proactive way to interrogate your servers and make a data-driven response to manage your threat surface.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
These searches give you a proactive way to interrogate your servers and make a data-driven response to manage your threat surface.
The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case: