Member Removed from Group

Linux Ubuntu

Flynn Weeks

Flynn Weeks

February 4, 2022

Enabled by default

Service: syslog

Log type: auth.log

Group membership change can indicate a user removing themselves from an admin group in an effort to clean up after an attack. It is important to monitor the groups that have escalated permissions.

Due to the limitations of the GNOME Logs app, we do not currently have a GUI way to view this log. We recommend using the command line. The auth.log tracks when a user is added to a group. To see the logs of a user being added to a group, enter the command grep usermod /var/log/auth.log | grep delete.

View Logs
grep usermod /var/log/auth.log | grep delete
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: bash
View Log Pile