[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [hobbit] monitoring etc passwd



On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
> Hi All,
>                 I am having a problem where users and groups are being
> created without the knowledge of the admin team and its making it difficult
> to know who had access to what systems if they leave the company... is
> there a way for hobbit to tell me when the /etc/passwd or /etc/group files
> change? Thanks in Advance..

IMHO, this is not a problem to solve by monitoring, it is a problem to be 
solved by:
-authorization for actions/commands (e.g. sudo access to specific commands, 
instead of root shell access)
-accounting/auditing (e.g., in case root shell access is required, the 
commands/screen output should be recorded against the user who started the 
root shell session)
-security auditing

Centralised authentication (which implies that the only local accounts 
required are for "system" use, not for users) can also help reduce the amount 
of work in picking up and fixing incorrect user/group changes.

If monitoring when changes were made to local files forms one part of your 
process, fine, you can use the 'FILE' monitoring feature with the mtime check.

However, I would really hope this is not the only thing you are putting in 
place to solve this problem.

Regards,
Buchan