Splunk Search

Need help forming my search query for linux_secure sourcetype

jcorkey
Explorer

I am receiving the /var/log/secure logs from my linux forwarder I am trying to create a search string that can detect when a user has added any user to sudo access. For example, I'd like to be able to detect when user1 adds user2 to the wheel group in order to give user2 sudo access.

0 Karma

mattymo
Splunk Employee
Splunk Employee

I used this to find my user using visudo to add a user to wheel. I am sure there a few different conditions that you'd hunt for...

index=* host=* source=/var/log/secure visudo OR usermod

alt text

Replace with your commands or logic accordingly.

I use the nix TA found here to ensure my field extractions (Splunk PS configs, you can use whatever you like): https://bitbucket.org/SPLServices/splunk_ta_nix/src

While on the topic of authentication and privilege, check out this wicked auth app by @dshpritz

https://splunkbase.splunk.com/app/3639/

- MattyMo
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...