Warn if a revoked user account exists on any checked systems

Here’s another entry in our series of examples on how to use the new string presence check in Halo: how to verify that account and sudo access have been removed for a user who has left the organization.  For an introduction to this new feature, please see our previous Introduction to Search Expressions post.

Jamie Parker has gone off to a new job and should no longer have access to our servers.  Let’s kick off an alert if that account has not been removed (or is recreated later):

/etc/passwd Does not contain ^jparker:

/etc/shadow Does not contain ^jparker:

We’ll also directly check that jparker no longer has any sudo privileges.  While /etc/passwd and /etc/shadow separate the user account name from the rest of the line with a “:”, /etc/sudoers uses a space or tab, so we’ll use “\s” to match either as whitespace:

/etc/sudoers Does not contain ^jparker\s
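The three expressions above can be tried offline before they go into a policy. The following is an added example, not Halo's own code: it applies the same anchored patterns to constructed file contents, and the names RULES, SAMPLE and revoked_account_findings are hypothetical.

```python
import re

# Delimiter that follows the account name in each file, as described in the post.
RULES = {
    "/etc/passwd": ":",
    "/etc/shadow": ":",
    "/etc/sudoers": r"\s",
}

# Constructed sample contents (not taken from a real system).
SAMPLE = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "jparkerson:x:1002:1002::/home/jparkerson:/bin/bash\n",
    "/etc/shadow": "root:*:19000:0:99999:7:::\n"
                   "jparker:!:19000:0:99999:7:::\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n"
                    "jparker\tALL=(ALL) ALL\n"
                    "# jparker removed from admins\n",
}


def revoked_account_findings(username, file_contents):
    """Return (path, line) pairs for lines that start with the revoked username."""
    findings = []
    for path, delimiter in RULES.items():
        # "^" plus the delimiter pins the match to the whole account name, so
        # "jparker" does not match "jparkerson". re.escape keeps characters
        # such as "." in a username literal.
        pattern = re.compile("^" + re.escape(username) + delimiter)
        for line in file_contents.get(path, "").splitlines():
            if pattern.search(line):
                findings.append((path, line))
    return findings


if __name__ == "__main__":
    for path, line in revoked_account_findings("jparker", SAMPLE):
        print(f"ALERT {path}: {line!r}")
```

The stale shadow entry and the tab-delimited sudoers entry are reported, while the jparkerson account and the commented sudoers line are not.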

While this blog post focuses on the new String Presence check, we can also use the “File Presence” check to make sure that jparker’s home directory no longer exists:

/home/jparker Should not be present

