Skip to main content

Managing *nix system user account behavior

  • Updated

Scenario: Privileged user account behavior can cause problems on any business system and must be carefully managed. Your *nix systems are often critical to manage in this way as they tend to host important services. Part of your role is to ensure best practices on your systems when it comes to user accounts. This involves actively managing accounts and passwords, implementing least privilege, and controlling account access. You want to use your Splunk deployment to track actions and events that are important for user account behavior management. This will allow you to understand if user error is the cause of malfunctions or if security has been compromised.

How Splunk software can help

You can use Splunk software to monitor everything on your *nix systems, from basic logon behavior to privileged behavior, such as the use of sudo commands.

What you need 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

People

The best person to implement this use case is a system administrator who is familiar with Linux user account commands and company policy for user access controls. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.

Time

Managing *nix system user behavior using Splunk software can last up to a few hours to set up but will be an ongoing monitoring task. 

Technologies 

The following technologies, data, and integrations are useful in successfully implementing this use case: 

  • Splunk Enterprise or Splunk Cloud
  • Data sources onboarded
    • *nix security data such as Linux_secure, OSX_secure, AIX_secure, radius, etc.
  • Splunk Add on for Unix and Linux

How to use Splunk software for this use case

You can run many searches with Splunk software to manage *nix system user behavior. Depending on what information you have available, you might find it useful to identify some or all of the following: 

Other steps you can take

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Authentications that need to be tracked for compliance and security reasons 
  • Visibility to success and failed logons for your help desk center

Related resources 

These additional Splunk resources might help you understand and implement this use case:

How to assess your results

Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Failed authentications over time
  • Authentications by privileged users 
  • Authentications by privileged users on critical assets

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.