[hobbit] monitoring etc passwd
kenneth.langford at siemens.com
Mon Jul 20 20:55:49 CEST 2009
The bad news is that a simple user changing his password on the system would cause an event notification if you are not using NIS/NIS+ or LDAP for your users and the /etc/passwd file was for local accounts only.
Kenneth W. Langford
From: dOCtoR MADneSs [mailto:doctor at makelofine.org]
Sent: Monday, July 20, 2009 1:16 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] monitoring etc passwd
Harold J. Ballinger a écrit :
> I agree with you that he needs to have more in place to control this, but having an alert when changes are made is a nice event notification to kick off any necessary audit/control procedures. I can definitely see the advantages of having such an event notification in place.
> Harold Ballinger
> IT Coordinator
> Heritage Healthcare, Inc.
> (888) 335-2620 | helpdesk
> (864) 224-3626 | office
> (864) 224-3093 | fax
> Visit our website: www.heritage-healthcare.com
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at staff.telkomsa.net]
> Sent: Saturday, July 18, 2009 4:54 PM
> To: hobbit at hswn.dk
> Cc: Gavin Leonard
> Subject: Re: [hobbit] monitoring etc passwd
> On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
>> Hi All,
>> I am having a problem where users and groups are being
>> created without the knowledge of the admin team and its making it difficult
>> to know who had access to what systems if they leave the company... is
>> there a way for hobbit to tell me when the /etc/passwd or /etc/group files
>> change? Thanks in Advance..
> IMHO, this is not a problem to solve by monitoring, it is a problem to be
> solved by:
> -authorization for actions/commands (e.g. sudo access to specific commands,
> instead of root shell access)
> -accounting/auditing (e.g., in case root shell access is required, the
> commands/screen output should be recorded against the user who started the
> root shell session)
> -security auditing
> Centralised authentication (which implies that the only local accounts
> required are for "system" use, not for users) can also help reduce the amount
> of work in picking up and fixing incorrect user/group changes.
> If monitoring when changes were made to local files forms one part of your
> process, fine, you can use the 'FILE' monitoring feature with the mtime check.
> However, I would really hope this is not the only thing you are putting in
> place to solve this problem.
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
I think almost same, using md5 verification is strong (imho), and does
not dispense of using other security audit tools.
To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk
More information about the Xymon