Reporting

Does anyone know how to generate a report of all groups that a unix account is a member of?

vanderaj2
Path Finder

Does anyone know how to get the data into Splunk necessary to produce a report of UNIX user accounts, including whether the account is enabled/disabled and the groups the account is a member of?

Note: I don't have a centralized repository, like LDAP in my UNIX environment, so it would be a local query on each UNIX host.

Here's an example of what I'd be looking to produce:

Host       ID      Description   Status    Groups
unixhost1  root    root          Enabled   system,bin,sys,security,cron,audit,lp
unixhost1  jsmith  joe smith     Enabled   staff, unixadm

Thanks!!


DalJeanis
SplunkTrust

Hmmm. We're not finding an obvious answer that accomplishes what you are looking for. getent seems to be a one-shot confirmation tool.

We can see that, if such a tool exists, then a black hat could use it to find a list of users to crack. That doesn't prove the tool doesn't exist, but it does mean that (we'd hope) any such tool will be locked up pretty tight.

We'd suggest you have a conversation with your organization's security group, and see what they suggest. You probably are going to need a data dump from whoever has the duty of protecting your system, and they are going to have tough questions for you about what you need the data for and how you are going to protect it if they give it to you. Have your answers ready.

Sounds like you are trying to clean up the Wild West. You had best stop in at the Sheriff's office for a chat before you saddle up.



vanderaj2
Path Finder

Definitely some good insight! There was such a user account report used on my program in the past, but I believe it must have been developed using custom shell scripting (perhaps utilizing getent), and was not a report that was produced by directly using Splunk.


DalJeanis
SplunkTrust

Splunk can only report on whatever data it has, so if you want the report, then the source of that data needs to be identified, along with any required data plumbing.

For example, you could easily use Splunk to COMPILE a list of everyone who had logged onto a particular box over a period of time, and then, given access, you could do a call to the box to identify what the person's groups and current status are.

That won't get you the names of people who HAVE access and have never used it... unless the creation of the account has also been logged (which it should be).

It's not perfect, but if you have the data -- Windows 4720 events, for example, or Ubuntu logs containing the term "useradd" -- then you can do it using the data you already administer.
