All Apps and Add-ons
Highlighted

etc/shadow Logs

Explorer

Hello Splunkers!

I have a question, i really need to monitor etc/shadow file and be able to read the information about password´s users. i have the follow script that i loaded in splunk but it does not showing the information i think that root password needed to be indexed, is there a way to read this file in splunk without root password?

script: "account in $(cut -f1 -d: /etc/passwd); do echo "ACCOUNT: $account , EXPIRES: chage -l $account | grep 'Account expires' | awk '{print $4, $5, $6}', CHANGED: chage -l $account | grep 'Last password change' | awk '{print $5, $6, $7}'"; done"

0 Karma