Linux user & group output relevance

Hi Guys,

I am trying to fetch the splunkfwd UID and GID using BigFix by writing the relevance below, but it looks like this is not correct. Can someone suggest a fix?

(concatenation " " of (name of it; sid of it as string) of users of groups whose (name of it = "splunkfwd"))

When I checked manually on the server using Linux commands I get the output below, and I would like to fetch similar output using BigFix relevance.

============================================================
[splunkfwd@XXXXX splunkforwarder]$ id splunkfwd | awk '{print $1,$2}'

output : uid=6350(splunkfwd) gid=9309(splunkfwd)

====================================================

[splunkfwd@XXXX splunkforwarder]$ groups splunkfwd

output : splunkfwd : splunkfwd users

===================================================

I might be mistaken, but I don’t believe there is a direct inspector available to retrieve this information. However, since all UID and GID values are stored in ‘/etc/passwd’, you can use the following relevance to fetch this information.

I don’t have access to ‘splunkfwd’ to test, but I used my test ID and was able to retrieve values in the following format.

Q: "UID:" & (preceding text of first ":" of following text of first "x:" of lines whose (it contains "TestUser") of file "/etc/passwd"), "GID:" & (following text of first ":" of following text of first ":" of following text of first ":" of preceding text of first ":TestUser" of lines whose (it contains "TestUser") of file "/etc/passwd")
A: UID:1000, GID:1000
T: 460

If you encounter any issues, simply extract the line containing ‘splunkfwd’ from the file ‘/etc/passwd’, and someone will be able to assist you.

I found this one as well (source fixlet ID # 126441, CIS Checklist RHEL 7); it's amazing, it gives you more power and lets you fetch any desired result from the lines.

(regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") : This applies a regular expression pattern to each line to capture different fields (such as username, UID, GID, etc.).

(parenthesized part 3 of it) : This extracts the third parenthesized part of the regular expression match; you can change this numeric value to fetch any field from the line.

Q: (parenthesized part 1 of first matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of lines whose (it contains "vkhurava") of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) as string, "UID: " & (parenthesized part 3 of first matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of lines whose (it contains "vkhurava") of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) as string, "GID: " & (parenthesized part 4 of first matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of lines whose (it contains "vkhurava") of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) as string
A: vkhurava, UID: 1000, GID: 1000
T: 640
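As an added example (not from this thread), the same lookup done with awk against constructed /etc/passwd and /etc/group content. It shows why matching the login name exactly (field 1) is safer than a substring filter like `lines whose (it contains "splunkfwd")`, which also selects other accounts whose login or GECOS field happens to contain the string; the sample accounts and IDs are made up.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/passwd and /etc/group (sample data, not real
# accounts). Two decoys contain the string "splunkfwd" without being that user:
# "splunkfwd2" in the login field and "backup" in the GECOS (comment) field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
splunkfwd2:x:6351:6351:second forwarder:/opt/splunkforwarder2:/bin/bash
backup:x:34:34:splunkfwd backup owner:/var/backups:/usr/sbin/nologin
splunkfwd:x:6350:9309:Splunk Forwarder:/opt/splunkforwarder:/bin/bash'
SAMPLE_GROUP='root:x:0:
users:x:100:splunkfwd
splunkfwd2:x:6351:
splunkfwd:x:9309:'
export SAMPLE_PASSWD SAMPLE_GROUP

# What a substring filter such as `lines whose (it contains "splunkfwd")`
# selects: every line containing the name anywhere. Prints the match count.
substring_match_count() {
  printf '%s\n' "$SAMPLE_PASSWD" | grep -c -- "$1"
}

# Exact lookup on the login name (field 1 of /etc/passwd), resolving the
# primary GID to its group name via the group data. Output mirrors `id`:
#   uid=6350(splunkfwd) gid=9309(splunkfwd)
# Exit status is 1 when no account with that exact login name exists.
passwd_ids() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '
    BEGIN {
      # Build a gid -> group-name map from the constructed /etc/group lines.
      n = split(ENVIRON["SAMPLE_GROUP"], lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, ":"); gname[f[3]] = f[1] }
    }
    $1 == u { printf "uid=%s(%s) gid=%s(%s)\n", $3, $1, $4, gname[$4]; found = 1 }
    END { if (!found) exit 1 }'
}

passwd_ids splunkfwd
```

Against real files, replace the printf of the sample data with `cat /etc/passwd` and point the BEGIN block at /etc/group; the exact-match rule in awk is the part that carries over to the relevance (compare the first field, not the whole line).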