Scenario: Privileged user account behavior can cause problems on any business system and must be carefully managed. Your *nix systems are often critical to manage in this way as they tend to host important services. Part of your role is to ensure best practices on your systems when it comes to user accounts. This involves actively managing accounts and passwords, implementing least privilege, and controlling account access. You want to use your Splunk deployment to track actions and events that are important for user account behavior management. This will allow you to understand if user error is the cause of malfunctions or if security has been compromised.
How Splunk software can help
You can use Splunk software to monitor everything on your *nix systems, from basic logon behavior to privileged behavior, such as the use of sudo commands.
What you need
To succeed in implementing this use case, you need the following dependencies, resources, and information.
The best person to implement this use case is a system administrator who is familiar with Linux user account commands and company policy for user access controls. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.
Managing *nix system user behavior using Splunk software can last up to a few hours to set up but will be an ongoing monitoring task.
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
- *nix security data such as Linux_secure, OSX_secure, AIX_secure, radius, etc.
- Splunk Add on for Unix and Linux
How to use Splunk software for this use case
You can run many searches with Splunk software to manage *nix system user behavior. Depending on what information you have available, you might find it useful to identify some or all of the following:
Other steps you can take
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Authentications that need to be tracked for compliance and security reasons
- Visibility to success and failed logons for your help desk center
These additional Splunk resources might help you understand and implement this use case:
How to assess your results
Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Failed authentications over time
- Authentications by privileged users
- Authentications by privileged users on critical assets