Open Directory, Patent-Ed

illustrated Splunk server configuration steps

I put Splunk server scripts for dispersing here

Splunk >> bin >> scripts

sudo nano /Applications/Splunk/bin/scripts/Example_OD.sh

Script input:

#!/bin/bash
sudo log stream –level info –style syslog

# trying json

sudo log stream –level info –style syslog

Forwarder Management:

Settings >> Forwarder management

Screen Shot 2019-09-21 at 7.59.06 AM.png

Settings >> Forwarder management >> Clients

B2019-09-21 at 8.05.33 AM.png Settings >> Forwarder management >> Server Classes

Screen Shot 2019-09-21 at 8.00.03 AM.png

New Server Class

Screen Shot 2019-09-21 at 8.00.29 AM.png

Data >> Data Inputs

Screen Shot 2019-09-21 at 8.01.03 AM.png

Data >> Data Inputs >> Forwarded Inputs >> Scripts

Screen Shot 2019-09-21 at 8.10.52 AM.png

Change the sourcetype to json c2019-09-21 at 8.13.14 AM.png

Once everything is in place you should be able to search and find information in this example I created am account “teddyboy” in OPen Directory, the following shows a query from the script which stream the slapd, and opendirectoryd data

D09-21 at 8.41.17 AM.png

Change/check the local inputs.conf files from the scripts running on the Open Directory server.

sudo nano /Applications/SplunkForwarder/etc/apps/_server_app_OD_Servers/local/inputs.conf

reads:

GNU nano 2.0.6 File: …ps/_server_app_OD_Servers/local/inputs.conf

[script://$SPLUNK_HOME/etc/apps/_server_app_OD_Servers/bin/ScriptName_OD.sh]

disabled = 0

index = default

interval = 60.0

sourcetype = linux_messages_syslog

Trying this

sourcetype = oracle:audit:xml

or this

sourcetype = _json

Change/check the local inputs.conf files from the forwarder running on the Open Directory server.

sudo nano /Applications/SplunkForwarder/etc/system/local/inputs.conf

reads:

[monitor:///var/audit/]

[default]

host = ClientMachineHostName.local

Change/check the local output.conf files from the forwarder running on the Open Directory server.

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = 10.1.2.3:9997

[tcpout-server://10.1.2.3:9997]

To search and find OD account creation success, I query from the json sourcetype

ODNodeCreateRecord request

—–

This records barbie account record getting created: dsAttrTypeStandard:RecordName\” = (\n barbie\n

{ “category” : “session“, “processImageUUID” : “DB3-0037-332C-8D8E-8C7350E88A01“, “processUniqueID” : 85, “threadID” : 1383910, “timestamp” : “2019-09-22 06:24:07.668536-0400“, “traceID” : 2065501346005252, “messageType” : “Info“, “activityID” : 854237, “processID” : 85, “machTimestamp” : 394733628137612, “timezoneName” : “”, “subsystem” : “com.apple.opendirectoryd“, “senderProgramCounter” : 65579, “eventMessage” : “ODNodeCreateRecord request, NodeID: 0A1D-30AA-4FA7-B1C1-12E9F78DFF20, RecordType: dsRecTypeStandard:Users, RecordName: <private>, Attributes: {\n \“dsAttrTypeStandard:Comment\” = (\n );\n \“dsAttrTypeStandard:EMailAddress\” = (\n );\n \“dsAttrTypeStandard:FirstName\” = (\n );\n \“dsAttrTypeStandard:HomeDirectory\” = (\n );\n \“dsAttrTypeStandard:HomeDirectoryQuota\” = (\n 0\n );\n \“dsAttrTypeStandard:Keywords\” = (\n );\n \“dsAttrTypeStandard:LastName\” = (\n barbie\n );\n \“dsAttrTypeStandard:NFSHomeDirectory\” = (\n \“\/Users\/barbie\“\n );\n \“dsAttrTypeStandard:PrimaryGroupID\” = (\n 20\n );\n \“dsAttrTypeStandard:RealName\” = (\n barbie\n );\n \“dsAttrTypeStandard:RecordName\” = (\n barbie\n );\n \“dsAttrTypeStandard:UniqueID\” = (\n 1006\n );\n \“dsAttrTypeStandard:UserShell\” = (\n \“\/bin\/bash\“\n );\n}”, “senderImageUUID” : “D350A9B3-0037-332C-8D8E-8C7350E88A01“, “processImagePath” : “\/usr\/libexec\/opendirectoryd“, “senderImagePath” : “\/usr\/libexec\/opendirectoryd” }

____

Delete a record, “eventMessage” : “Delete a record“, “processImagePath” : “\/Applications\/Server.app\/Contents\/MacOS\/Server“,

{ “processImageUUID” : “388D1B12-E930-3D81-AB34-6EFAA44E12EF“, “processUniqueID” : 28164, “threadID” : 1386945, “timestamp” : “2019-09-22 06:32:34.581205-0400“, “traceID” : 1181143700349387010, “eventType” : “OSActivityCreateEvent“, “activityID” : 857809, “processID” : 28164, “machTimestamp” : 395240545174841, “timezoneName” : “”, “senderProgramCounter” : 56111, “eventMessage” : “Delete a record“, “senderImageUUID” : “29F55F7B-379F-3053-8FF3-5C6675A3DD4D“, “processImagePath” : “\/Applications\/Server.app\/Contents\/MacOS\/Server“, “senderImagePath” : “\/System\/Library\/Frameworks\/OpenDirectory.framework\/Versions\/A\/Frameworks\/CFOpenDirectory.framework\/Versions\/A\/CFOpenDirectory” }

Screen Shot 2019-09-22 at 6.28.36 AM

Tag: Open Directory

Open Directory audit log data into Splunk