Security

Audit adding/removing of roles from LDAP groups

the_wolverine
Champion

I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to addition or removal of a role, particularly, the can_delete role.

Does Splunk currently audit this type of event?

Tags (3)
0 Karma
1 Solution

Simeon
Splunk Employee
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

Alternatively, you could use a REST API call (or the rest command to discover the current roles and capabilities, which you could drop into a lookup, and notify you if anything doesn't match that lookup (because the capabilities changed).

0 Karma

Simeon
Splunk Employee
Splunk Employee

please send a diag

0 Karma

Simeon
Splunk Employee
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

the_wolverine
Champion

Audit log doesn't appear to provide the degree of information I need. For example, I can see the action=edit_role event occurred for user=tina but it doesn't tell me which roles were added or removed. Sounds like monitoring the authorize.conf file is the solution.

0 Karma

mhenson
Engager

This answer does not seem to apply for Splunk Cloud customers where access to local file system(s) is not available. From what I see in _audit, only role name is captured in the search field. Changes to Inheritance and Indexes are not logged. Are there any other options?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Sorry, I'm not seeing where a limitation of the filesystem comes into play here. Would you elaborate?

Also worth keeping in mind that this was written 8 years ago and therefore was applicable for Splunk 3 or something. We're now on 7.1 - so the approach may be very different.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...