topic Re: Find out who deleted a user in Linux in Splunk Search

How to find out who deleted a user in Linux?

neerajs_81 — Mon, 18 Sep 2023 22:02:16 GMT

Hi All, just wondering if anyone has a search that shows which user deleted another user in Linux ?

Typically in the linux syslog messages, when we check for userdel messages , it only shows the name of the user account that was deleted. There isn't any mention of which user performed this action.
Whereas in Windows events, we see both src and target user for deletion Event IDs.

How to get this info ? I know one can manually login to host and verify the ./bash_history but how do you accomplish this from Splunk itself ?

Re: Find out who deleted a user in Linux

yuanliu — Mon, 18 Sep 2023 07:38:43 GMT

You need to read up Linux user management, or ask your SysAdmin how to determine such matters.

Understandably, Windows user management is totally different Unix and Linux user management. Unless your system uses some uncommon admin overlay (which only your SysAdmin can tell you), userdel command can only be executed by root (uid 0). A non-root user may have sudo privileges to execute commands as root, but this can only be executed as sudo usserdel. Alternatively, if unprivileged user is allowed root shell, such a user can first use sudo su <shell name> to gain a root shell, then execute userdel in this shell as if it is user root.

Most modern Linux systems log full command history. You didn't say which Linux OS you are using. You say "(syslog) only shows the name of the user account that was deleted," but without any context like which source file are you looking at. In Unix-like systems, "syslog" is a OS facility that can be organized in many different ways, i.e., various messages (events) can go to various places. (If you are unsure, ask your SysAdmin.) You didn't even illustrate a sample log entry. (You can always anonymize; but make sure to preserve formatting and other characteristics.) Volunteers cannot possibly help with all these ambiguities.

Re: Find out who deleted a user in Linux

neerajs_81 — Mon, 18 Sep 2023 11:21:00 GMT

Hi,

I am myself a sysadmin and if you read my entire post with open eyes , i myself wrote that this information is available in /bash_history to check but that is manually after ssh into the server. If i wasn't aware how to check this, i wouldn't have mentioned about checking user's history.

It doesn't matter which ever flavor of Linux you take be it Ubuntu or RHEL family anybody who is familiar with user deletion activity will know this issue because its same for any linux flavor.

We are on RHEL 7.9 and under /var/log/secure all we see is following type of messages when someone runs userdel command:

There is no further message or record in /var/log/secure of who ran this command. That's my use case and that is why i drew parallel with Windows Event Viewer logs to see how others are doing for similar use cases.

Re: Find out who deleted a user in Linux

yuanliu — Tue, 19 Sep 2023 23:54:28 GMT

Command history is logged in LOCAL7 facility, NOTICE level. You may want to examine /etc/rsyslog.conf (and related conf files) to find out which log file(s) contain local7.notice.

According to https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/rsyslog.conf, RedHat default is to send local7.* into /var/log/boot.log. But your system may have customized settings. Normally, /var/log/secure is used for authpriv.*, thus it does not contain command history.

If the file that contains local7.notice is not ingested, you will need to ingest it.

Hope this helps.