Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Audit adding/removing of roles from LDAP groups

the_wolverine
Champion
‎09-15-2010 08:54 PM

I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to addition or removal of a role, particularly, the can_delete role.

Does Splunk currently audit this type of event?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎09-20-2010 05:42 PM

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

View solution in original post

Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎05-04-2018 09:32 AM

Alternatively, you could use a REST API call (or the rest command to discover the current roles and capabilities, which you could drop into a lookup, and notify you if anything doesn't match that lookup (because the capabilities changed).

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎09-20-2010 05:42 PM

please send a diag

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎09-20-2010 05:42 PM

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

Reply
Solved! Jump to solution

the_wolverine
Champion
‎09-23-2010 11:14 PM

Audit log doesn't appear to provide the degree of information I need. For example, I can see the action=edit_role event occurred for user=tina but it doesn't tell me which roles were added or removed. Sounds like monitoring the authorize.conf file is the solution.

0 Karma
Reply
Solved! Jump to solution

mhenson
Engager
‎04-20-2018 07:04 AM

This answer does not seem to apply for Splunk Cloud customers where access to local file system(s) is not available. From what I see in _audit, only role name is captured in the search field. Changes to Inheritance and Indexes are not logged. Are there any other options?

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎05-04-2018 09:32 AM

Sorry, I'm not seeing where a limitation of the filesystem comes into play here. Would you elaborate?

Also worth keeping in mind that this was written 8 years ago and therefore was applicable for Splunk 3 or something. We're now on 7.1 - so the approach may be very different.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...