I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to addition or removal of a role, particularly, the can_delete role.

Does Splunk currently audit this type of event?

asked 15 Sep '10, 20:54

the_wolverine ♦
please send a diag

(20 Sep '10, 17:42) Simeon ♦

One Answer:

The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.

answered 20 Sep '10, 17:42

Simeon ♦
Audit log doesn't appear to provide the degree of information I need. For example, I can see the action=edit_role event occurred for user=tina but it doesn't tell me which roles were added or removed. Sounds like monitoring the authorize.conf file is the solution.

(23 Sep '10, 23:14) the_wolverine ♦
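The comment above settles on monitoring authorize.conf rather than the _audit index. As an added example (not code from this thread or from Splunk), the Python below diffs two snapshots of that file and reports which capabilities each role gained or lost, resolving importRoles inheritance so a can_delete acquired indirectly through an imported role is reported as well. The two snapshots, the role_power and role_analyst stanzas and the capability values in them are constructed for illustration; the parser assumes the stanza layout authorize.conf uses ([role_<name>] with `capability = enabled` keys).

```python
import configparser

# Constructed sample snapshots of authorize.conf (not taken from the original post).
BEFORE = """[role_power]
importRoles = user
schedule_search = enabled
[role_analyst]
importRoles = user
search = enabled
"""
AFTER = """[role_power]
importRoles = user
schedule_search = enabled
can_delete = enabled
[role_analyst]
importRoles = power
search = enabled
"""

def parse_roles(conf_text: str) -> dict[str, tuple[set[str], set[str]]]:
    """Return {role: (directly enabled capabilities, imported role names)}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so "importRoles" is matched as written
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            stanza = parser[section]
            imports = {r for r in stanza.get("importRoles", "").split(";") if r}
            caps = {k for k, v in stanza.items() if k != "importRoles" and v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective(roles: dict, role: str, seen=None) -> set[str]:
    """Capabilities held directly or via importRoles; cycle-safe, roles not in the file add nothing."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    caps, imports = roles[role]
    return set(caps).union(*(effective(roles, r, seen) for r in imports))

def diff_capabilities(before: str, after: str) -> list[tuple[str, str, str]]:
    """(role, 'added'|'removed', capability) for every effective change between two snapshots."""
    old, new = parse_roles(before), parse_roles(after)
    changes = []
    for role in sorted(set(old) | set(new)):
        was, now = effective(old, role), effective(new, role)
        changes += [(role, "added", c) for c in sorted(now - was)]
        changes += [(role, "removed", c) for c in sorted(was - now)]
    return changes
```

Run on the two samples, it reports that power gained can_delete directly and that analyst gained can_delete and schedule_search only because its importRoles switched from user to power, which is exactly the kind of change the audit event alone does not show.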
Copyright © 2005-2012 Splunk Inc. All rights reserved.