Splunk Search

How to find out who deleted a user in Linux?

neerajs_81
Builder

Hi All, just wondering if anyone has a search that shows which user deleted another user in Linux  ?

Typically in the linux syslog messages, when we check for userdel messages ,  it only shows the name of the user account that was deleted.  There isn't any mention of which user performed this action. 
 Whereas in Windows events, we see both src and target user for deletion Event IDs. 

How to get this info ? I know one can manually login to host and verify the ./bash_history but how do you accomplish this from Splunk itself ?

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Command history is logged in LOCAL7 facility, NOTICE level.  You may want to examine /etc/rsyslog.conf (and related conf files) to find out which log file(s) contain local7.notice.

According to https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/rsyslog.conf, RedHat default is to send local7.* into /var/log/boot.log.  But your system may have customized settings.  Normally, /var/log/secure is used for authpriv.*, thus it does not contain command history.

If the file that contains local7.notice is not ingested, you will need to ingest it.

Hope this helps.

View solution in original post

Tags (1)

yuanliu
SplunkTrust
SplunkTrust

You need to read up Linux user management, or ask your SysAdmin how to determine such matters.

Understandably, Windows user management is totally different Unix and Linux user management.  Unless your system uses some uncommon admin overlay (which only your SysAdmin can tell you), userdel command can only be executed by root (uid 0).  A non-root user may have sudo privileges to execute commands as root, but this can only be executed as sudo usserdel.  Alternatively, if unprivileged user is allowed root shell, such a user can first use sudo su <shell name> to gain a root shell, then execute userdel in this shell as if it is user root.

Most modern Linux systems log full command history.  You didn't say which Linux OS you are using.  You say "(syslog) only shows the name of the user account that was deleted," but without any context like which source file are you looking at.  In Unix-like systems, "syslog" is a OS facility that can be organized in many different ways, i.e., various messages (events) can go to various places. (If you are unsure, ask your SysAdmin.)  You didn't even illustrate a sample log entry. (You can always anonymize; but make sure to preserve formatting and other characteristics.)  Volunteers cannot possibly help with all these ambiguities.

0 Karma

neerajs_81
Builder

Hi,

I am myself a sysadmin and  if you read my entire post with open eyes ,  i myself wrote that this information is available in /bash_history to check but that is manually after ssh into the server. If i wasn't aware how to check this, i wouldn't have mentioned about checking user's history.

It doesn't matter which ever flavor of Linux you take be it Ubuntu or RHEL family anybody who is familiar with user deletion activity will know this issue because its same for any linux flavor.

We are on RHEL 7.9 and under /var/log/secure  all we see is following type of messages when someone runs userdel command: 

neerajs_81_0-1695035795460.png

There is no further message or record in /var/log/secure of who ran this command. That's my use case and that is why i drew parallel with Windows Event Viewer logs to see how others are doing for similar use cases. 

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Command history is logged in LOCAL7 facility, NOTICE level.  You may want to examine /etc/rsyslog.conf (and related conf files) to find out which log file(s) contain local7.notice.

According to https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/rsyslog.conf, RedHat default is to send local7.* into /var/log/boot.log.  But your system may have customized settings.  Normally, /var/log/secure is used for authpriv.*, thus it does not contain command history.

If the file that contains local7.notice is not ingested, you will need to ingest it.

Hope this helps.

Tags (1)
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...