
Re: [hobbit] monitoring etc passwd



Harold J. Ballinger wrote:
I agree with you that he needs to have more in place to control this, but having an alert when changes are made is a nice event notification to kick off any necessary audit/control procedures. I can definitely see the advantages of having such an event notification in place.

-
Harold Ballinger
IT Coordinator
Heritage Healthcare, Inc. (888) 335-2620 | helpdesk
 (864) 224-3626  | office
 (864) 224-3093  | fax

Visit our website: www.heritage-healthcare.com



-----Original Message-----
From: Buchan Milne [mailto:bgmilne (at) staff.telkomsa.net]
Sent: Saturday, July 18, 2009 4:54 PM
To: hobbit (at) hswn.dk
Cc: Gavin Leonard
Subject: Re: [hobbit] monitoring etc passwd

On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
Hi All,
I am having a problem where users and groups are being
created without the knowledge of the admin team and it's making it difficult
to know who had access to what systems if they leave the company... is
there a way for hobbit to tell me when the /etc/passwd or /etc/group files
change? Thanks in Advance..

IMHO, this is not a problem to solve by monitoring, it is a problem to be solved by:
-authorization for actions/commands (e.g. sudo access to specific commands, instead of root shell access)
-accounting/auditing (e.g., in case root shell access is required, the commands/screen output should be recorded against the user who started the root shell session)
-security auditing

Centralised authentication (which implies that the only local accounts required are for "system" use, not for users) can also help reduce the amount of work in picking up and fixing incorrect user/group changes.

If monitoring when changes were made to local files forms one part of your process, fine, you can use the 'FILE' monitoring feature with the mtime check.

However, I would really hope this is not the only thing you are putting in place to solve this problem.

Regards,
Buchan



I think almost the same: using md5 verification is strong (IMHO), and it does not dispense with using other security audit tools.
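
As an added example that is not part of any message in this thread: the mtime and md5 checks discussed above only report that /etc/passwd or /etc/group changed, so this script goes one step further and names the entries that were added, removed or altered relative to a saved baseline copy. The function names `acct_diff` and `demo`, the idea of keeping a baseline copy, and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. acct_diff and demo are hypothetical names.
# Compares a saved baseline of a passwd- or group-format file with the current
# file. Fields 3:4 are uid:gid in passwd and gid:members in group.

# acct_diff BASELINE CURRENT
# Prints ADDED/CHANGED/REMOVED lines; returns 1 if anything differs, else 0.
acct_diff() {
    out=$(awk -F: '
        /^#/ || NF < 4 { next }              # skip comments and malformed lines
        src == "b" { base[$1] = $3 ":" $4; next }
        { cur[$1] = $3 ":" $4 }
        END {
            for (n in cur) {
                if (!(n in base)) print "ADDED " n " " cur[n]
                else if (base[n] != cur[n])
                    print "CHANGED " n " " base[n] " -> " cur[n]
            }
            for (n in base) if (!(n in cur)) print "REMOVED " n " " base[n]
        }' src=b "$1" src=c "$2" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run acct_diff on constructed sample data (no real accounts).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' \
        'bob:x:1001:1001::/home/bob:/bin/sh' > "$d/passwd.base"
    # Current copy: bob removed, carol added, alice's uid changed to 0.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:0:1000::/home/alice:/bin/sh' \
        'carol:x:1002:1002::/home/carol:/bin/sh' > "$d/passwd.cur"
    rc=0
    acct_diff "$d/passwd.base" "$d/passwd.cur" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "account entries differ from baseline" >&2
```

Pointed at /etc/passwd and /etc/group, with the baseline refreshed only after an approved change, the non-zero return can feed whatever alerting is already in place.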