Security

Audit adding/removing of roles from LDAP groups

Champion

I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to addition or removal of a role, particularly, the can_delete role.

Does Splunk currently audit this type of event?

Tags (3)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

View solution in original post

Ultra Champion

Alternatively, you could use a REST API call (or the rest command to discover the current roles and capabilities, which you could drop into a lookup, and notify you if anything doesn't match that lookup (because the capabilities changed).

0 Karma

Splunk Employee
Splunk Employee

please send a diag

0 Karma

Splunk Employee
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

View solution in original post

Champion

Audit log doesn't appear to provide the degree of information I need. For example, I can see the action=edit_role event occurred for user=tina but it doesn't tell me which roles were added or removed. Sounds like monitoring the authorize.conf file is the solution.

0 Karma

Engager

This answer does not seem to apply for Splunk Cloud customers where access to local file system(s) is not available. From what I see in _audit, only role name is captured in the search field. Changes to Inheritance and Indexes are not logged. Are there any other options?

0 Karma

Ultra Champion

Sorry, I'm not seeing where a limitation of the filesystem comes into play here. Would you elaborate?

Also worth keeping in mind that this was written 8 years ago and therefore was applicable for Splunk 3 or something. We're now on 7.1 - so the approach may be very different.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!