/var/log/BLOGS

The Permissions Problem Report

Activity COMPLETED: May 24, 2023

Scenario

You're just getting started at StackFull Software. Alice, a Level 2 SOC Analyst, has been assigned as your mentor to help you learn the ropes at your new company. She's educating you on the various business units you'll be working with, such as software engineering, human resources, business development, and of course, IT. Your department, the cybersecurity department, falls under the IT business unit.

You continue to get more familiar with StackFull Software, thanks to Alice. She lets you know about all of the log files from the various business units that feed into the Splunk SIEM. This includes firewall logs, Windows Event logs, Jira logs, software engineering logs, and much more. From a security standpoint this is good practice: it lets SOC analysts view anything and everything that may matter when resolving a cyber incident. Proper logging is crucial for handling cyber incidents.

Alice grants you access to Splunk, where you can view all of these various logs. Unfortunately, it appears that you are unable to search anything due to some odd configuration issue within Splunk. She establishes an SSH connection to the Splunk server to see what's wrong.

It looks like James, another Level 1 SOC Analyst, has inadvertently changed a configuration file named config.conf, and that change is preventing you from looking at logs. You don't know exactly where the file is, but you know that Splunk stores all of its files within the /opt/splunk directory. You will need to modify the configuration file so that you can properly view logs within Splunk.

Your manager, Jamar, would like you to write a report that will be shared with executive leadership describing:

  • The problem

  • How you solved the problem

  • How StackFull Software can improve the confidentiality of the Splunk configuration file so only authorized users can modify it

  • How the md5sum command can be used to monitor the integrity of the file

Problem

  1. Log in to your machine.

  2. Locate the file named config.conf. You can do this in a number of ways, but make sure you’re editing the correct config.conf file!

  3. Change your directory into the location where the file exists.

  4. Check the file permissions of the config.conf file. What do you notice about its file permissions?

  5. Check the MD5 hash of the file.

  6. Edit the file by adding the following lines to the end. You can use vi or nano for this. Be sure to save the file after making the changes.

    [admin]
       - AliceAdmin1
       - [YourName]Admin2

  7. Check the MD5 hash of the file one more time. How does it compare to the MD5 hash before you edited the file?

  8. Create a backup of the file into your home directory by copying the file into the /home/fstack directory.
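The steps above, scripted as an added example that is not part of the original post. It builds a constructed stand-in for /opt/splunk in a temporary directory (with a decoy config.conf, so the find step has to pick the right file), records an md5sum baseline, applies the edit, re-checks the hash, backs the file up, and tightens the permissions; SPLUNK_ROOT, the stanza contents and the backup directory parameter are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. SPLUNK_ROOT stands in for
# /opt/splunk; every file below is constructed for the demonstration.
set -eu

SPLUNK_ROOT="${SPLUNK_ROOT:-$(mktemp -d)}"

# Build a small tree with two config.conf files: the real one and a decoy.
setup_lab() {
    mkdir -p "$SPLUNK_ROOT/etc/system/local" "$SPLUNK_ROOT/etc/apps/search/local"
    printf '[general]\nserverName = splunk-lab\n' > "$SPLUNK_ROOT/etc/system/local/config.conf"
    printf '[decoy]\n' > "$SPLUNK_ROOT/etc/apps/search/local/config.conf"
}

# Step 2: list every config.conf below the Splunk root so you can pick the right one.
find_configs() {
    find "$SPLUNK_ROOT" -type f -name config.conf
}

# Step 4: symbolic mode, owner and group (GNU stat; use `ls -l` on other systems).
show_perms() {
    stat -c '%A %U:%G %n' "$1"
}

# Step 5: record a baseline hash in a form `md5sum -c` can verify later.
baseline_hash() {
    md5sum "$1" > "$1.md5"
}

# Step 7: exit 0 if the file still matches its baseline, non-zero if it changed.
check_hash() {
    md5sum --status -c "$1.md5"
}

# Step 6: append the [admin] stanza ($2 is the analyst's name).
# Step 8: copy the file (preserving mode and timestamps) into the backup dir $3.
# The lab uses /home/fstack; here the destination is a parameter.
apply_change() {
    printf '[admin]\n    - AliceAdmin1\n    - %sAdmin2\n' "$2" >> "$1"
    cp -p "$1" "$3/config.conf.bak"
}

# Report item 3: owner read/write, group read-only, nothing for others,
# so only the account that runs Splunk can modify the file.
harden_perms() {
    chmod 640 "$1"
}
```

Run with `setup_lab`, then `baseline_hash "$cfg"` before the edit and `check_hash "$cfg"` after it; a non-zero exit from check_hash is the integrity signal the report asks md5sum to provide.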

William Schmidt