Security

Audit adding/removing of roles from LDAP groups

the_wolverine
Champion

I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to addition or removal of a role, particularly, the can_delete role.

Does Splunk currently audit this type of event?

Tags (3)
0 Karma
1 Solution

Simeon
Splunk Employee
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

Alternatively, you could use a REST API call (or the rest command to discover the current roles and capabilities, which you could drop into a lookup, and notify you if anything doesn't match that lookup (because the capabilities changed).

0 Karma

Simeon
Splunk Employee
Splunk Employee

please send a diag

0 Karma

Simeon
Splunk Employee
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

the_wolverine
Champion

Audit log doesn't appear to provide the degree of information I need. For example, I can see the action=edit_role event occurred for user=tina but it doesn't tell me which roles were added or removed. Sounds like monitoring the authorize.conf file is the solution.

0 Karma

mhenson
Engager

This answer does not seem to apply for Splunk Cloud customers where access to local file system(s) is not available. From what I see in _audit, only role name is captured in the search field. Changes to Inheritance and Indexes are not logged. Are there any other options?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Sorry, I'm not seeing where a limitation of the filesystem comes into play here. Would you elaborate?

Also worth keeping in mind that this was written 8 years ago and therefore was applicable for Splunk 3 or something. We're now on 7.1 - so the approach may be very different.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...