Hello Splunkers!
I have a question. I really need to monitor the /etc/shadow file and be able to read the information about users' passwords. I have the following script that I loaded in Splunk, but it is not showing the information. I think that the root password is needed to be indexed. Is there a way to read this file in Splunk without the root password?
Script:
for account in $(cut -f1 -d: /etc/passwd); do echo "ACCOUNT: $account , EXPIRES: $(chage -l "$account" | grep 'Account expires' | awk '{print $4, $5, $6}') , CHANGED: $(chage -l "$account" | grep 'Last password change' | awk '{print $5, $6, $7}')"; done