We are indexing the Unix /etc/passwd, /etc/group and /etc/sudoers files in Splunk. Now we have to create reports and dashboards that summarize and list all the users, groups and their respective rights.
Are there already existing macros, searches or even apps that do this, or help with doing this, so we would not have to write custom regex code?
Example Inputs:
/etc/passwd
05.10.18 06:16:11,000 host passwd-file: www-data:x:33:33::/home/www-data:/bin/bash
/etc/group
05.10.18 06:16:26,000 host group-file: printadmin:x:396:
/etc/sudoers
05.10.18 06:16:50,000 host sudoers-file: %zabbix ALL=NOPASSWD:/usr/bin/diff * *
05.10.18 06:16:50,000 host sudoers-file: %zabbix ALL=NOPASSWD:/sbin/hpasmcli
Output: parsed tables / indices of the passwd, group and sudoers files.
We found https://splunkbase.splunk.com/app/833/ that parses passwd and group files, but not sudoers files (there can be many different sudoers files).
Final Output:
Once parsed, all the permissions of the users / groups should be in a flat table.
As there can be several sudoers files
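A worked parser for the three file formats in the question, added here as an example; it is not code from the original thread, from the Splunkbase app mentioned above, or from any Splunk add-on. It reads events in the "<date> <time> <host> <name>-file: <raw line>" shape shown in the Example Inputs (the sample events below are constructed, with a few extra accounts and rules added so the join has something to show), parses passwd, group and sudoers per host, and emits one flat row per account with its groups, whether it can log in, and the sudo rules that reach it directly, via a %group, or via ALL. Caveats a practitioner should know: it does not resolve sudoers aliases (User_Alias, Cmnd_Alias, ...), #include/@include directives, #uid or %#gid forms, or backslash line continuations, so fragments under /etc/sudoers.d/ must be indexed as their own events. All function and field names are this example's own.

```python
"""Flatten indexed /etc/passwd, /etc/group and /etc/sudoers events into one flat table.
Added example; event shape: "<date> <time> <host> <passwd|group|sudoers>-file: <raw file line>"."""
import re
from collections import defaultdict

# Constructed sample events (not real data); extra accounts and rules are added to show the join.
SAMPLE_EVENTS = """\
05.10.18 06:16:11,000 host passwd-file: root:x:0:0:root:/root:/bin/bash
05.10.18 06:16:11,000 host passwd-file: www-data:x:33:33::/home/www-data:/bin/bash
05.10.18 06:16:11,000 host passwd-file: zbx:x:1001:396:Zabbix agent:/var/lib/zabbix:/sbin/nologin
05.10.18 06:16:26,000 host group-file: root:x:0:
05.10.18 06:16:26,000 host group-file: www-data:x:33:
05.10.18 06:16:26,000 host group-file: printadmin:x:396:
05.10.18 06:16:26,000 host group-file: zabbix:x:397:zbx,www-data
05.10.18 06:16:50,000 host sudoers-file: Defaults env_reset
05.10.18 06:16:50,000 host sudoers-file: %zabbix ALL=NOPASSWD:/usr/bin/diff * *
05.10.18 06:16:50,000 host sudoers-file: %zabbix ALL=NOPASSWD:/sbin/hpasmcli
05.10.18 06:16:50,000 host sudoers-file: www-data ALL=(root) /usr/bin/systemctl restart apache2
05.10.18 06:16:50,000 host sudoers-file: root ALL=(ALL:ALL) ALL
"""

EVENT_RE = re.compile(r"^\S+ \S+ (?P<host>\S+) (?P<file>passwd|group|sudoers)-file: ?(?P<line>.*)$")
# sudoers user specification:  who  hosts = (runas) [Tag: ...] command[, command ...]
SUDO_SPEC_RE = re.compile(
    r"^(?P<who>%?[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
SUDO_TAG_RE = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*")
# Skipped rather than expanded (limitation of this example): aliases, Defaults, #include, comments.
SUDO_DIRECTIVES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_sudo_rule(line):
    """Parse one sudoers line into a rule dict; None for comments, Defaults and alias lines."""
    line = line.strip()
    if not line or line[0] in "#@" or line.startswith(SUDO_DIRECTIVES):
        return None
    m = SUDO_SPEC_RE.match(line)
    if not m:
        return None
    rest, tags = m.group("rest"), []
    while (t := SUDO_TAG_RE.match(rest)):           # peel leading tags such as NOPASSWD:
        tags.append(t.group(0).rstrip(": \t"))
        rest = rest[t.end():]
    commands = [c.strip() for c in re.split(r"(?<!\\),", rest) if c.strip()]
    return {"who": m.group("who"), "hosts": m.group("hosts"), "tags": tags,
            "runas": m.group("runas") or "root",    # sudo's default runas_default is root
            "commands": commands}


def parse_events(text):
    """Group raw events by host into passwd, group and sudo records."""
    hosts = defaultdict(lambda: {"passwd": {}, "group": {}, "sudo": []})
    for raw in text.splitlines():
        m = EVENT_RE.match(raw)
        if not m:
            continue
        rec, kind, line = hosts[m.group("host")], m.group("file"), m.group("line")
        f = line.split(":")
        if kind == "passwd" and len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            rec["passwd"][f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "shell": f[6]}
        elif kind == "group" and len(f) == 4 and f[2].isdigit():
            rec["group"][f[0]] = {"gid": int(f[2]), "members": [u for u in f[3].split(",") if u]}
        elif kind == "sudoers":
            rule = parse_sudo_rule(line)
            if rule:
                rec["sudo"].append(rule)
    return hosts


def format_rule(r):
    """Render a parsed rule back into a single readable sudoers-style string."""
    tags = "".join(t + ": " for t in r["tags"])
    return f"{r['who']} {r['hosts']}=({r['runas']}) {tags}{', '.join(r['commands'])}"


def rule_applies(rule, user, groups):
    """A rule reaches a user directly, through ALL, or through one of their %groups."""
    who = rule["who"]
    return who[1:] in groups if who.startswith("%") else who in ("ALL", user)


def build_permission_table(text):
    """One flat row per (host, account): groups, login ability and the sudo rules that apply."""
    rows = []
    for host, rec in sorted(parse_events(text).items()):
        gid_to_name = {g["gid"]: name for name, g in rec["group"].items()}
        for user, pw in sorted(rec["passwd"].items()):
            primary = gid_to_name.get(pw["gid"], str(pw["gid"]))
            groups = {primary} | {n for n, g in rec["group"].items() if user in g["members"]}
            rows.append({"host": host, "user": user, "uid": pw["uid"], "primary_group": primary,
                         "groups": sorted(groups), "shell": pw["shell"],
                         "can_login": pw["shell"] not in NOLOGIN_SHELLS,
                         "sudo": [format_rule(r) for r in rec["sudo"] if rule_applies(r, user, groups)]})
    return rows


if __name__ == "__main__":
    for row in build_permission_table(SAMPLE_EVENTS):
        print(row)
```

Run it as-is to see the flat table for the sample events; in practice the same functions would be fed the raw events exported from the three sourcetypes, and the rows written out as a lookup CSV for dashboards. Note that the join is per host: the same group name or gid can mean different things on different machines, so never merge passwd and group data across hosts.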
So I am not aware of exactly the method you are asking about. The Unix/Linux technical add-on will output users with nologin vs. not. So the method is there, but as a scripted input. I work in the Security Research team at Splunk. Feel free to drop us a line at research{at}splunk.com, as this use case could be interesting to us. Also, we would love to know other use cases you have for Linux systems.
I was looking into this a bit more and I realized there are some related items already defined that might be compelling for your question.
I infer that the files themselves are probably best indexed with a scripted input rather than a monitor stanza. That is because the insertion of rows is handled more gracefully (folks don't always make edits or additions at the bottom of the file) and also variations among OSes are taken into account.
The inspiration for that is the usersWithLoginPrivs sourcetype. See Source types for the Splunk Add-on for Unix and Linux.
While thinking about it further, I realized that there are two scenarios here:
If it's the first one, we can explore that more but I'll focus on the second since it leverages stuff you already have at your disposal.
My hunch is that we have some sourcetypes that can provide security insights here:
bash_history - users and the commands they run
lastlog - when users were logged into the system
Unix:UserAccounts - users with ID and group info
usersWithLoginPrivs - who can even do stuff on the machine
who - who is currently logged on
While some of those data points might be redundant, I expect a security use case could be solved with those alone. Like, using the bash_history to see who ran any command with the term 'sudo' in it:
index=os sourcetype=bash_history bash_command="* sudo *"
| table _time host user_name bash_command
As mentioned, if this is more for audit, let us know and we can dig deeper.
Thanks, this is a good input. We ended up writing a custom Unix shell script and inserting the data into Splunk. Quite an endeavour.
@wfskmoney Can you share the script you created? We need to do the same.
Thanks
Oh, so said another way, did you create a new scripted input?
Sounds like it doesn't exist, but if you write the regex (copy from the passwd and group inputs within the Unix TA), be sure to share it back here for others!
Could you be more specific about your use case? What "rights" are you trying to find? A sample of the desired output would be helpful.
@richgalloway - I did