
app or macro to summarize unix user and group permissions

Explorer

We are indexing the Unix /etc/passwd, /etc/group and /etc/sudoers files in Splunk. Now we have to create reports and dashboards that summarize and list all the users, groups and their respective rights.

Are there already existing macros, searches or even apps that do this, or that help doing this, so we would not have to write custom regex code?

Example Inputs:

/etc/passwd
05.10.18 06:16:11,000   host passwd-file: www-data:x:33:33::/home/www-data:/bin/bash

/etc/group
05.10.18 06:16:26,000   host group-file: printadmin:x:396:

/etc/sudoers *
05.10.18 06:16:50,000   host sudoers-file: %zabbix ALL=NOPASSWD:/usr/bin/diff * *
05.10.18 06:16:50,000   host sudoers-file: %zabbix ALL=NOPASSWD:/sbin/hpasmcli

Output: parsed tables /indices of the passwd group and sudoers files.

We found https://splunkbase.splunk.com/app/833/ that parses passwd and group files, but not sudoer files (there can be many different sudoers files)

Final Output:
Once parsed, all the permissions of the users / groups should be in a flat table.
As there can be several sudoer files


Re: app or macro to summarize unix user and group permissions

SplunkTrust

Could you be more specific about your use case? What "rights" are you trying to find? A sample of the desired output would be helpful.


Re: app or macro to summarize unix user and group permissions

Explorer

@richgalloway - I did


Re: app or macro to summarize unix user and group permissions

Ultra Champion

Sounds like it doesn't exist, but if you write the regex (copy from the passwd and group inputs within the Unix TA), be sure to share it back here for others!


Re: app or macro to summarize unix user and group permissions

Ultra Champion

I was looking into this a bit more and I realized there are some related items already defined that might be compelling for your question.

I infer that the files themselves are probably best indexed with a scripted input rather than a monitor stanza. That is because the insertion of rows is handled more gracefully (folks don't always make edits or additions at the bottom of the file) and also variations among OSes are taken into account.

The inspiration for that is the usersWithLoginPrivs sourcetype. See Source types for the Splunk Add-on for Unix and Linux.

While thinking about it further, I realized that there's two scenarios here:

  1. auditing what users, groups, and sudoers exist in the infrastructure and if there are deviations from standards
  2. security monitoring and knowing if users are running commands that are naughty

If it's the first one, we can explore that more but I'll focus on the second since it leverages stuff you already have at your disposal.

My hunch is that we have some sourcetypes that can provide security insights here:

  • bash_history - users and the commands they run
  • lastlog - when users were logged into the system
  • Unix:UserAccounts - users with ID and group info
  • usersWithLoginPrivs - who can even do stuff on the machine
  • who - who is currently logged on

While some of those data points might be redundant, I expect a security use case could be solved with those alone. Like, using the bash_history to see who ran any command with the term 'sudo' in it:

index=os sourcetype=bash_history bash_command="* sudo *"
| table _time host user_name bash_command

As mentioned, if this is more for audit, let us know and we can dig deeper.
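The following is an added example, not code from the original posts, from the Unix add-on, or from the Splunkbase app mentioned above. It serves both the opening question (parse passwd, group and several sudoers files into one flat row per user) and this reply's two suggestions (emit the result in the shape a scripted input would print, and check bash_history sudo usage against what sudoers actually grants). All file contents and bash_history events are constructed; the sudoers reader is a deliberately narrow approximation that handles plain rules only and uses fnmatch-style globbing, and the key=value output shape is an assumption, not the add-on's format.

```python
"""Flatten /etc/passwd, /etc/group and several sudoers files into one row per user.

Added example for this thread, not code from any Splunk app. Inputs are constructed.
The sudoers reader only handles plain 'user|%group HOST=(runas) [NOPASSWD:] cmd[, cmd]'
lines and skips Defaults, *_Alias and #include lines (an assumption, not a full parser).
"""
import fnmatch

PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33::/home/www-data:/bin/bash
zabbix:x:110:115::/var/lib/zabbix:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""
GROUP = "root:x:0:\nwww-data:x:33:\nprintadmin:x:396:\nzabbix:x:115:alice\nsudo:x:27:\nalice:x:1001:\n"
SUDOERS_FILES = {  # the question notes there can be many sudoers files; keyed by path
    "/etc/sudoers": "# comment\nDefaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n#includedir /etc/sudoers.d\n",
    "/etc/sudoers.d/zabbix": "%zabbix ALL=NOPASSWD:/usr/bin/diff * *\n%zabbix ALL=NOPASSWD:/sbin/hpasmcli\n",
}
BASH_HISTORY = [  # constructed events shaped like the Unix TA's bash_history fields
    {"host": "host", "user_name": "alice", "bash_command": "sudo /sbin/hpasmcli"},
    {"host": "host", "user_name": "alice", "bash_command": "sudo /usr/bin/systemctl restart nginx"},
]
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """passwd(5) lines -> {user: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, gid, _, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """group(5) lines -> {group: {gid, members}}; members are the supplementary users."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, gid, members = line.split(":", 3)
            groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_sudoers(files):
    """{path: text} -> list of {file, principal, is_group, nopasswd, commands}."""
    rules = []
    for path, text in files.items():
        for line in text.splitlines():
            line = line.strip()
            if (not line or line[0] == "#" or line.startswith("Defaults")
                    or line.split()[0].endswith("_Alias")):
                continue
            principal, rest = line.split(None, 1)
            _hosts, spec = rest.split("=", 1)
            spec = spec.strip()
            if spec.startswith("("):                      # drop the (runas) part
                spec = spec[spec.index(")") + 1:].strip()
            nopasswd = spec.startswith("NOPASSWD:")
            if nopasswd:
                spec = spec[len("NOPASSWD:"):].strip()
            rules.append({"file": path, "principal": principal.lstrip("%"),
                          "is_group": principal.startswith("%"), "nopasswd": nopasswd,
                          "commands": [c.strip() for c in spec.split(",")]})
    return rules


def flatten(users, groups, rules):
    """One flat row per user: memberships, login ability and the sudo rules reaching them."""
    gid_to_name = {g["gid"]: name for name, g in groups.items()}
    rows = []
    for name, u in sorted(users.items(), key=lambda kv: kv[1]["uid"]):
        member_of = {gid_to_name.get(u["gid"], str(u["gid"]))}          # primary group
        member_of |= {g for g, info in groups.items() if name in info["members"]}
        sudo = [r for r in rules if (not r["is_group"] and r["principal"] == name)
                or (r["is_group"] and r["principal"] in member_of)]
        rows.append({"user": name, "uid": u["uid"], "shell": u["shell"],
                     "can_login": u["shell"] not in NOLOGIN_SHELLS, "groups": sorted(member_of),
                     "sudo_commands": sorted({c for r in sudo for c in r["commands"]}),
                     "sudo_nopasswd": any(r["nopasswd"] for r in sudo)})
    return rows


def to_kv_events(rows, host="host"):
    """Render rows as key=value lines, one shape a scripted input could print (assumed)."""
    return [f'host={host} user={r["user"]} uid={r["uid"]} shell={r["shell"]} '
            f'can_login={str(r["can_login"]).lower()} groups="{",".join(r["groups"])}" '
            f'sudo_nopasswd={str(r["sudo_nopasswd"]).lower()} '
            f'sudo_commands="{";".join(r["sudo_commands"])}"' for r in rows]


def sudo_allowed(rows, user, command):
    """Approximate sudo's matching: ALL, or a glob match on the full command line."""
    row = next((r for r in rows if r["user"] == user), None)
    return bool(row) and any(c == "ALL" or fnmatch.fnmatchcase(command, c)
                             for c in row["sudo_commands"])


def sudo_outside_grants(rows, events):
    """bash_history sudo commands not covered by that user's sudoers grants (audit view)."""
    findings = []
    for e in events:
        parts = e["bash_command"].split()
        if "sudo" in parts:
            cmd = " ".join(parts[parts.index("sudo") + 1:])
            if not sudo_allowed(rows, e["user_name"], cmd):
                findings.append((e["host"], e["user_name"], cmd))
    return findings
```

Run `flatten(parse_passwd(PASSWD), parse_group(GROUP), parse_sudoers(SUDOERS_FILES))` to get the flat table; `to_kv_events` turns it into lines that index cleanly with automatic key=value extraction, and `sudo_outside_grants` joins that table against bash_history events to show which sudo invocations fall outside the configured grants, which is the audit deviation the second scenario above is about.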


Re: app or macro to summarize unix user and group permissions

Explorer

Thanks, this is a good input. We ended up writing a custom Unix shell script and inserting the data into Splunk. Quite an endeavour.


Re: app or macro to summarize unix user and group permissions

Ultra Champion

Oh, so said another way, did you create a new scripted input?


Re: app or macro to summarize unix user and group permissions

New Member

So I am not aware of exactly the method you are asking about. The Unix/Linux technical add-on will output users with Nologin vs. not. So the method is there, but as a scripted input. I work in the Security Research team at Splunk. Feel free to drop us a line at research{at}splunk.com, as this use case could be interesting to us. Also, we would love to know other use cases you have for Linux systems.
