Member Removed from Group
Enabled by default
Service: syslog
Log type: auth.log
A group membership change can indicate an attacker removing a user from an administrative group in an effort to clean up after an attack. It is important to monitor the groups that carry escalated permissions.
View Logs
grep usermod /var/log/auth.log | grep delete
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command; stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command; stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command; stay tuned for updates!
Language: bash
Compliance
HIPAA
Level: Recommended
NSA Event Forwarding
Level: Recommended
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
Due to the limitations of the GNOME Logs app, we do not currently have a GUI way to view this log. We recommend using the command line. The auth.log records when a user is removed from a group. To see the log entries for a user being removed from a group, enter the command grep usermod /var/log/auth.log | grep delete.
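As an added example (not part of the original page), the script below turns the one-line grep into a small check that can be run against an auth.log: it extracts the user and group from each usermod removal line, drops the duplicate "shadow group" entry that usermod writes alongside the group entry, and flags removals from a list of privileged groups. The WATCHED_GROUPS list and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect group-removal events in auth.log-format lines.
# The sample log below is constructed; the usermod line format matches
# what shadow-utils writes ("delete 'user' from group 'group'").

# Assumption: groups whose membership changes matter on this host.
WATCHED_GROUPS="sudo admin wheel adm"

# Write a constructed auth.log excerpt to a temp file and print its path.
sample_log_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:01:12 host1 usermod[2231]: add 'alice' to group 'sudo'
Mar  3 10:02:40 host1 usermod[2240]: delete 'bob' from group 'sudo'
Mar  3 10:02:40 host1 usermod[2240]: delete 'bob' from shadow group 'sudo'
Mar  3 10:05:01 host1 sshd[2300]: Accepted publickey for carol from 10.0.0.5 port 51234 ssh2
Mar  3 10:07:15 host1 usermod[2310]: delete 'dave' from group 'audio'
EOF
    echo "$f"
}

# Print "<user> <group>" for every group removal done via usermod in file $1.
# The "shadow group" line duplicates the "group" line, so it is excluded
# to avoid counting one removal twice.
group_removals() {
    grep 'usermod\[' "$1" | grep "delete '" | grep -v 'shadow group' \
        | sed -n "s/.*delete '\([^']*\)' from group '\([^']*\)'.*/\1 \2/p"
}

# Keep only removals from the groups listed in WATCHED_GROUPS.
privileged_removals() {
    group_removals "$1" | while read -r user grp; do
        for g in $WATCHED_GROUPS; do
            if [ "$g" = "$grp" ]; then
                printf '%s %s\n' "$user" "$grp"
            fi
        done
    done
}

# Stand-alone demo on the constructed sample.
LOGF=$(sample_log_file)
echo "All group removals (user group):"
group_removals "$LOGF"
echo "Removals from watched groups:"
privileged_removals "$LOGF"
rm -f "$LOGF"
```

To use it against the real log, call group_removals /var/log/auth.log or privileged_removals /var/log/auth.log. Note that only removals performed with usermod are tagged this way; a removal done with gpasswd or by editing /etc/group directly does not produce a usermod line, so a usermod-only grep will miss it.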