Audit modifications to a user account

tjohnston2 · ‎08-02-2010

How do I tell when a user modifies another user and what they modified (ie added a role to the user)

adamw · ‎08-19-2010

I actually filed an enhancement request for this exact thing at the conference, but the more you file, the more attention it gets :). Also put in your business case when you put it in, it helps them know what it is used for.

Genti · ‎08-03-2010

Another thing you can try is use fschange on /splunkhome/etc/users/ directory. This way you could use the DIFF command for the files within to see what changed. I doubt you would be able to tell WHO changed it though.

So, by the first reply, you can possibly see who changed user privileges, and by the second one you can tracked what was changed.

I think this is as far as we can presently go with splunk.

Genti · ‎08-02-2010

See if this other thread helps you out: http://answers.splunk.com/questions/2286/search-for-deleted-splunk-users/3346#3346

Granted deleted vs modified is a bit different but im assuming it could be done in a similar way?

Genti · ‎08-03-2010

i think that is all the logs will be able to tell you. If you want more info you can file an enhancement request.

tjohnston2 · ‎08-03-2010

Yes, this tells me that a particular user modified another user but it doesn't seem to tell me what was modified.

Dan · ‎08-03-2010

Yeah, probably a POST instead of DELETE to the endpoint

Audit modifications to a user account

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases