Security

app or macro to summarize unix user and group permissions

wfskmoney
Explorer

We are indexing the unix /etc/passwd /etc/group and /etc/sudoers in splunk. Now we have to create reports and dashboards that summarize and list all the users, groups and their respective rights.

Are there already existing macros, searches oder even apps that do this or help doing this so we would not have to write custom regex code?

Example Inputs:

/etc/passwd
05.10.18 06:16:11,000   host passwd-file: www-data:x:33:33::/home/www-data:/bin/bash

/etc/group
05.10.18 06:16:26,000   host group-file: printadmin:x:396:

/etc/sudoers *
05.10.18 06:16:50,000   host sudoers-file: %zabbix ALL=NOPASSWD:/usr/bin/diff * *
05.10.18 06:16:50,000   host sudoers-file: %zabbix ALL=NOPASSWD:/sbin/hpasmcli

Output: parsed tables /indices of the passwd group and sudoers files.

We found https://splunkbase.splunk.com/app/833/ that parses passwd and group files, but not sudoer files (there can be many different sudoers files)

Final Output:
once parsed, all the permissions of the users / groups should be in a flat table
As there can be several sudoer files

0 Karma

pbryant_splunk
Splunk Employee
Splunk Employee

So I am not aware of exactly the method you are asking. The Unix/Linux technical addon will output users with Nologin vs. not. SO the method is there but as scripted input. I work in the Security research team at Splunk. Feel free to drop us a line a research{at}splunk.com as this usecase could interesting to us. Also would love to know other usecases you have for linux systems.

0 Karma

sloshburch
Ultra Champion

I was looking into this a bit more and I realized there are some related items already defined that might be compelling for your question.

I infer that the files themselves are probably best indexed with a scripted input rather than a monitor stanza. That is because the insertion of rows is handled more gracefully (folks don't always make edits or additions at the bottom of the file) and also variations among OSes are taken into account.

The inspiration for that is the usersWithLoginPrivs sourcetype. See Source types for the Splunk Add-on for Unix and Linux.

While thinking about it further, I realized that there's two scenarios here:

  1. auditing what users, groups, and sudoers exist in the infrastructure and if there are deviations from standards
  2. security monitoring and knowing is users are running commands that are naughty

If it's the first one, we can explore that more but I'll focus on the second since it leverages stuff you already have at your disposal.

My hunch is that we have some sourcetypes that can provide security insights here:

  • bash_history - users and the commands they run
  • lastlog - when users were logged into the system
  • Unix:UserAccounts - users with ID and group info
  • usersWithLoginPrivs - who can even do stuff on the machine
  • who - who is currently logged on

While some of those data points might be redundant, I expect a security use case could be solved with those alone. Like, using the bash_history to see who ran any command with the term 'sudo' in it:

index=os sourcetype=bash_history bash_command="* sudo *"
| table _time host user_name bash_command

As mentioned, if this is more for audit, let us know and we can dig deeper.

wfskmoney
Explorer

thanks, this is a good input. we ended up writing a custom unix shell script and insert the data into splunk. quite an endevaour

0 Karma

robert_miller
Path Finder

@wfskmoneyCan you share the script you created? We need to do the same.

Thanks

0 Karma

sloshburch
Ultra Champion

Oh, so said another way, did you create a new scripted input?

0 Karma

sloshburch
Ultra Champion

Sounds like it doesn't exist, but if you right the regex (copy from the passwd and group inputs within the Unix TA) be sure to share it back here for others!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Could you be more specific about your use case? What "rights" are you trying to find? A sample of the desired output would be helpful.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

wfskmoney
Explorer

@richgalloway - I did

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!