Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to identify unauthorized access to crontab in a Splunk search?

TheJagoff
Communicator
‎06-17-2016 08:10 AM

Hello (again)

I am doing the following Linux command testing who has access to crontab.
For a non privileged user, I do the following under the user name "unauth":
mysearchhead> crontab -l
and receive the following:

You (unauth) are not allowed to use this program (crontab)
See crontab(1) for more information

In Splunk, I can see the attempt using:

host="mysearchhead" sourcetype=linux_audit a0=crontab  type=EXECVE

Resulting event is:

6/17/16 2:33:54.039 PM  
type=EXECVE msg=audit(1466174034.039:787184230): argc=2 a0="crontab" a1="-l"
host = mysearchhead     source = /var/log/audit/audit.log    sourcetype = linux_audit

My question is; where is the message stored that user "unauth" is not allowed to use this program?

Many thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TheJagoff
Communicator
‎06-20-2016 07:24 AM

Found that I would need to ingest the cron log on any server that this condition is required.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

TheJagoff
Communicator
‎06-20-2016 07:24 AM

Found that I would need to ingest the cron log on any server that this condition is required.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...