Alerting

How to monitor role changes?

sjaworski
Communicator

I would like to monitor changes made to roles. Most specifically I want to create an alert when the can_delete role is added as an inheritance to a role or assigned to a user. However, I am struggling with finding what logs show when and what changes were made to role. I have reviewed the _audit and _internal logs and can see when a role is accessed, but not the change made. Are those changes logged and where?

kpclear
Loves-to-Learn Lots

I might have an update for this one as I was after the same thing as the original question suggests and I did not want to use REST for this. You might want to try the following if that works for you.

index=_audit sourcetype=audittrail (action=edit_roles_grantable OR action=edit_role) (TERM(object) OR TERM(role)) (operation=create OR operation=edit OR action=edit_role) info=granted


Basically this search will find 2 types of logs within the _audit index. First is "edit_roles_grantable", which should be logged any time someone edits a role (create counts as edit too). Second is "edit_role", which will also show what was changed (this part is not perfect, as I was able to see what capability was changed, but I could not find changes regarding which indexes the role can search). Anyway, you can play around with the search and get what you need in some cases.

isoutamo
SplunkTrust
Is this working if roles are updated by installing app which contains those definitions in conf files or only if those are edited with GUI?

kpclear
Loves-to-Learn Lots

Valid point. No, it's quite limited and logs only GUI edits (still could be useful in cloud). Just tested editing authorize.conf in system and via a new and an existing app. Everything can be seen in _configtracker with the following simple search

index="_configtracker" data.path="*authorize.conf"

GUI Edits to existing role are as expected logged under configtracker.


isoutamo
SplunkTrust
The _configtracker index is currently an excellent place to find those changes. It logs those even if they are done when Splunk is down; it just adds the changes when Splunk is starting.
Unfortunately there could be some differences on the SCP side? At least earlier it didn't log all SCP platform changes, or at least even sc_admin cannot see those, but I suppose that Splunk's own SREs can see those as well.

PickleRick
SplunkTrust

It will also not work if your inheritance is nested.

Unfortunately, there is no good way of tracking all inheritances for a role except for listing effective capabilities for a given user.


isoutamo
SplunkTrust
What do you mean by this: "It will also not work if your inheritance is nested."?

PickleRick
SplunkTrust

If I create a role test_role which inherits from the can_delete role, it will show in configtracker: I created a test_role inheriting from can_delete. But if I now create a test2_role which inherits from test_role, the configtracker entry will only show that it inherits from test_role; it won't show the underlying inheritance from can_delete.

Jeremiah
Motivator

There are two ways I think you could do this:

Set up a monitor input for your authorize.conf file, so that when changes are made to the file you re-index the entire file. Then you can use a search against that data to see if any capabilities or inheritance settings have been changed.

OR

Set up a scheduled search to index (i.e., summarize) the authorization REST endpoint and search for the can_delete capability.

| rest services/authorization/roles | search capabilities=delete_by_keyword

To discover which users have the capability, set up a scheduled search to index the user REST endpoint and search for the capability.

| rest services/authentication/users | search capabilities=delete_by_keyword

I think the REST queries are a better option, because they'll give you the consolidated configuration and are nicely split into rows and columns.
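As an added example that is not from this thread: the nested-inheritance blind spot PickleRick describes and Jeremiah's idea of searching the indexed authorize.conf can be covered together by walking importRoles transitively, so test2_role is still flagged even though it only names test_role. The authorize.conf text below is constructed sample input, not any real deployment's file.

```python
import configparser

# Constructed sample authorize.conf content mirroring the thread's
# test_role -> test2_role chain; only role_ stanzas matter here.
SAMPLE_AUTHORIZE_CONF = """
[role_can_delete]
delete_by_keyword = enabled

[role_user]
search = enabled

[role_test_role]
importRoles = can_delete;user

[role_test2_role]
importRoles = test_role
"""


def parse_roles(conf_text):
    """Map role name -> imported roles and directly enabled capabilities."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        stanza = cp[section]
        imports = [r.strip() for r in stanza.get("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in stanza.items() if k != "importRoles" and v.lower() == "enabled"}
        roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles


def effective_capabilities(roles, role, seen=None):
    """Own plus transitively inherited capabilities; safe on import cycles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    caps = set(roles[role]["caps"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def roles_granting(roles, capability):
    """Sorted roles that end up with `capability`, however deep the inheritance."""
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))
```

Running roles_granting(parse_roles(SAMPLE_AUTHORIZE_CONF), "delete_by_keyword") reports test2_role alongside test_role and can_delete, which a search on the raw stanza text alone would miss.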

jarjoh42
Path Finder

Amendment: this is the search I used for a distributed environment.

| rest splunk_server=* /services/authorization/roles | search capabilities=delete_by_keyword OR imported_capabilities=delete* title!=can_delete title!=system title!=splunk-system-role
| table title,splunk_server | rename title as Role

brettwilliams
Path Finder

Bit of a blind spot here if you use SAML authentication. If a role is directly mapped to a SAML group, I can't find an endpoint in REST which shows this. If you hit /services/authentication/users, you will see the mapping there, but only if a user has logged in since the capability was granted. So it seems the only way to get visibility into SAML mappings is btool authentication list | grep can_delete.


cborgal
Explorer

Thank you, this worked perfectly, and it has opened up other Auditing use cases for me.


JS400016
New Member

Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role.

Not sure if you were able to create this alert. I was not able to find any useful info online.

I would really appreciate it if you can share some insight.

Thanks

JS

cborgal
Explorer

Bump. I'm also struggling with this. I've tried to increase the verbosity of the AuditLogger to DEBUG, but still no joy. Any ideas on this?
