Audit Event Investigation in NIOS (3507)
Scenario
The zone younglings.sw stopped working at around 11:50 AM UTC on 7th June 2023. Investigate the issue and find details about this incident.
Estimated Completion Time
15 to 20 minutes
Credentials
Description | Username | Password | URL or IP |
---|---|---|---|
Grid Manager UI | admin | infoblox |
Course References
3008: Troubleshooting Basics in NIOS
3007: Troubleshooting Methodology
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab
Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks
For all tasks in this lab, please use the support bundle placed on the desktop of the jump-desktop. It is named 3507-supportBundle.tar.gz.
Task 1: Find details about the incident from the support bundle logs
Who made the change and what changed to cause the issue?
What access method (GUI/API) was used to make the change?
Which user created the user account that made the change?
Solution
Task 1: Find details about the incident from the support bundle logs
Who made the change and what changed to cause the issue?
Answer: Anakin user deleted the Authoritative zone younglings.sw
audit.log
2023-06-07 11:46:43.365Z [anakin]: Deleted AuthZone younglings.sw DnsView=default exclude_subobj=True
What access method (GUI/API) was used to make the change?
Answer: GUI
audit.log
2023-06-07 11:45:01.325Z [anakin]: Login_Allowed - - to=AdminConnector ip=10.35.22.10 auth=LOCAL group=Not\040Master apparently_via=GUI
Which user created the user account that made the change?
Answer: Obiwan
audit.log
2022-09-02 11:18:24.032Z [Obiwan]: Created AdminMember anakin: Set extensible_attributes=[],auth_type="LOCAL",ca_certificate_issuer=NULL,comment="",disabled=False,email="",groups=[AdminGroup:.Not\040Master],name="anakin",password="******",ssh_keys=[],use_ssh_keys=False
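The three answers above come from reading audit.log by hand. The same investigation can be scripted, which matters when the support bundle is large and the zone deletion is buried among thousands of lines. The following Python script is an added example written for this lab guide; it is not Infoblox code and not part of the support bundle. It parses lines in the "<timestamp>Z [<user>]: <message>" shape quoted above, locates the Deleted AuthZone event for the zone, picks the actor's most recent Login_Allowed event before that change to recover the access method and source IP, and finds who created the actor's AdminMember account. The sample log is constructed from the lines quoted in the solution plus one extra, earlier login line (apparently_via=API, a constructed value) so that the "latest login before the change" rule is actually exercised.

```python
"""Answer the lab's three audit questions from a NIOS-style audit.log excerpt.

Added example for the lab guide; not Infoblox code. The log format assumed here
is the one visible in the solution: "<YYYY-MM-DD HH:MM:SS.mmm>Z [<user>]: <msg>".
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample excerpt. The three lines from the lab solution are included
# verbatim; the 2023-06-01 API login is a constructed extra line used to show that
# only the latest login *before* the change determines the access method.
SAMPLE_AUDIT_LOG = r"""
2022-09-02 11:18:24.032Z [Obiwan]: Created AdminMember anakin: Set extensible_attributes=[],auth_type="LOCAL",ca_certificate_issuer=NULL,comment="",disabled=False,email="",groups=[AdminGroup:.Not\040Master],name="anakin",password="******",ssh_keys=[],use_ssh_keys=False
2023-06-01 09:00:00.000Z [anakin]: Login_Allowed - - to=AdminConnector ip=10.35.22.10 auth=LOCAL group=Not\040Master apparently_via=API
2023-06-07 11:45:01.325Z [anakin]: Login_Allowed - - to=AdminConnector ip=10.35.22.10 auth=LOCAL group=Not\040Master apparently_via=GUI
2023-06-07 11:46:43.365Z [anakin]: Deleted AuthZone younglings.sw DnsView=default exclude_subobj=True
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)Z "
    r"\[(?P<user>[^\]]+)\]: (?P<msg>.*)$"
)


def parse_audit_log(text: str) -> list:
    """Parse audit.log text into a time-sorted list of {ts, user, msg} dicts.

    Lines that do not match the expected shape (blank lines, wrapped lines) are
    skipped rather than raising, since a real bundle is rarely perfectly clean.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "msg": m["msg"]})
    return sorted(events, key=lambda e: e["ts"])


def find_zone_deletion(events: list, zone: str, around: Optional[datetime] = None,
                       window: timedelta = timedelta(minutes=15)) -> Optional[dict]:
    """Return the 'Deleted AuthZone <zone>' event, optionally limited to a window
    around the reported outage time (the scenario gives roughly 11:50 UTC)."""
    pattern = re.compile(rf"^Deleted AuthZone {re.escape(zone)}(\s|$)")
    for e in events:
        if not pattern.match(e["msg"]):
            continue
        if around is not None and abs(e["ts"] - around) > window:
            continue
        return e
    return None


def find_access_method(events: list, user: str, before: datetime) -> Optional[dict]:
    """Most recent Login_Allowed for `user` at or before `before`.

    Returns {ts, via, ip}; `via` is the apparently_via= value (GUI/API) and `ip`
    the client address recorded on that login line.
    """
    logins = [e for e in events
              if e["user"] == user and e["msg"].startswith("Login_Allowed") and e["ts"] <= before]
    if not logins:
        return None
    last = logins[-1]  # events are time-sorted, so the last match is the latest
    via = re.search(r"apparently_via=(\S+)", last["msg"])
    ip = re.search(r"\bip=(\S+)", last["msg"])
    return {"ts": last["ts"], "via": via.group(1) if via else None, "ip": ip.group(1) if ip else None}


def find_account_creator(events: list, user: str) -> Optional[str]:
    """Return the admin who logged 'Created AdminMember <user>:', if present."""
    for e in events:
        if e["msg"].startswith(f"Created AdminMember {user}:"):
            return e["user"]
    return None


def investigate(text: str, zone: str, reported_at: Optional[datetime] = None) -> Optional[dict]:
    """Tie the three lookups together into one incident summary (None if no deletion)."""
    events = parse_audit_log(text)
    deletion = find_zone_deletion(events, zone, around=reported_at)
    if deletion is None:
        return None
    login = find_access_method(events, deletion["user"], deletion["ts"]) or {}
    return {
        "actor": deletion["user"],
        "action": deletion["msg"],
        "deleted_at": deletion["ts"],
        "access_method": login.get("via"),
        "source_ip": login.get("ip"),
        "created_by": find_account_creator(events, deletion["user"]),
    }


if __name__ == "__main__":
    report = investigate(SAMPLE_AUDIT_LOG, "younglings.sw",
                         reported_at=datetime(2023, 6, 7, 11, 50, tzinfo=timezone.utc))
    for key, value in (report or {}).items():
        print(f"{key}: {value}")
```

To run it against a real bundle, extract audit.log from 3507-supportBundle.tar.gz and pass its contents to `investigate()` in place of `SAMPLE_AUDIT_LOG`; the `reported_at` window keeps an older, unrelated deletion of a same-named zone from being mistaken for the incident.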