Audit adding/removing of roles from LDAP groups

the_wolverine
Champion

I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to addition or removal of a role, particularly, the can_delete role.

Does Splunk currently audit this type of event?

Simeon
Splunk Employee

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

sloshburch
Ultra Champion

Alternatively, you could use a REST API call (or the rest command) to discover the current roles and capabilities, which you could drop into a lookup, and notify you if anything doesn't match that lookup (because the capabilities changed).

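One way to implement the lookup-and-compare approach, as an added example that is not code from this thread: parse the JSON that `GET /services/authorization/roles?output_mode=json` returns, store it as the baseline, and later diff a fresh response against it so that a grant or revocation of can_delete (or a change in inherited roles or allowed indexes) is reported per role. The endpoint path, the content field names and both sample responses are assumptions constructed for the example.

```python
import json

# Role attributes to baseline. These key names are assumed to match the
# authorization/roles endpoint output; adjust FIELDS if your version differs.
FIELDS = ("capabilities", "imported_roles", "srchIndexesAllowed")


def parse_roles(rest_json):
    """Map role name -> {field: set(values)} from the endpoint's JSON output."""
    roles = {}
    for entry in json.loads(rest_json)["entry"]:
        content = entry.get("content", {})
        roles[entry["name"]] = {f: set(content.get(f) or []) for f in FIELDS}
    return roles


def diff_roles(baseline, current):
    """Return sorted (role, field, value, 'added'|'removed') tuples for every
    difference, including roles present on only one side."""
    changes, empty = [], {f: set() for f in FIELDS}
    for role in sorted(set(baseline) | set(current)):
        before, after = baseline.get(role, empty), current.get(role, empty)
        for f in FIELDS:
            changes += [(role, f, v, "added") for v in sorted(after[f] - before[f])]
            changes += [(role, f, v, "removed") for v in sorted(before[f] - after[f])]
    return changes


def watched(changes, capability="can_delete"):
    """Only the changes that grant or revoke one named capability."""
    return [c for c in changes if c[1] == "capabilities" and c[2] == capability]


# Constructed sample responses: the stored baseline and the current state.
BASELINE_JSON = json.dumps({"entry": [
    {"name": "power", "content": {"capabilities": ["search", "rtsearch"],
                                  "imported_roles": ["user"], "srchIndexesAllowed": ["main"]}},
    {"name": "ldap_ops", "content": {"capabilities": ["search"],
                                     "imported_roles": ["user"], "srchIndexesAllowed": ["main"]}},
]})
CURRENT_JSON = json.dumps({"entry": [
    {"name": "power", "content": {"capabilities": ["search", "rtsearch", "can_delete"],
                                  "imported_roles": ["user"], "srchIndexesAllowed": ["main"]}},
    {"name": "ldap_ops", "content": {"capabilities": ["search"],
                                     "imported_roles": ["user", "power"],
                                     "srchIndexesAllowed": ["main", "_audit"]}},
]})

if __name__ == "__main__":
    for role, field, value, change in diff_roles(parse_roles(BASELINE_JSON), parse_roles(CURRENT_JSON)):
        print(f"{role}: {field} {change} {value}")
```

In a real deployment the baseline would be the lookup written on the previous run, and any non-empty result from `watched()` is the alert condition.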

Simeon
Splunk Employee

Please send a diag.

the_wolverine
Champion

Audit log doesn't appear to provide the degree of information I need. For example, I can see the action=edit_role event occurred for user=tina but it doesn't tell me which roles were added or removed. Sounds like monitoring the authorize.conf file is the solution.

mhenson
Engager

This answer does not seem to apply for Splunk Cloud customers where access to local file system(s) is not available. From what I see in _audit, only role name is captured in the search field. Changes to Inheritance and Indexes are not logged. Are there any other options?

sloshburch
Ultra Champion

Sorry, I'm not seeing where a limitation of the filesystem comes into play here. Would you elaborate?

Also worth keeping in mind that this was written 8 years ago and therefore was applicable for Splunk 3 or something. We're now on 7.1 - so the approach may be very different.
