Security

How to audit capability assignment?

afx
Contributor

Hi,

I am looking for real-time events from the aufit trail for capability assignments/changes, but it looks like this is not provided in _audit.
How can I get an alert when someone adds can_delete for example? Or changes roles in other ways.
I know I can query the REST API for the current state, but I am more interested in getting alerts for changes.

Moitoring file changes also will only tell me that user X modifed authorize.conf, but not what was changed.

thx
afx

0 Karma

CarlBecker
Observer

The process of auditing capability assignment is to review the settings and ensuring that the systems, servers, and users have the correct permissions for their needs.

0 Karma

JS400016
New Member

Hello AFX, Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role. 

Not sure if you were able to create this alert. I was not able to find any useful info online.

I will really appreciate if you can share some insight.

 

Thanks

JS

 

 

0 Karma

afx
Contributor

The links posted do not anser the question (apart from implying NOT POSSIBLE).
As I wrote above, I am looking for a realtime information, so the rest API is useless as it leaves an unmonitored window.
And the audit log still does not provide the information needed, as it only notes a change, but not what was changed. Querying _audit for can_delete after I assigned the role shows nothing, so the information is not available in the audit log at all.

cheers
afx

0 Karma

adonio
Ultra Champion
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...