<div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi guys<br><br></div>There are a number of issue with what you propose.<br></div>Firstly, /etc/shadow is readable by root only. Unless you are running <span style="background:none repeat scroll 0% 0% yellow" class="">Xymon</span> as root, (which is very bad) or doing some interesting things with <span style="background:none repeat scroll 0% 0% yellow" class="">sudo</span> or wrapper scripts, there is no way <span style="background:none repeat scroll 0% 0% yellow" class="">Xymon</span> can <span style="background:none repeat scroll 0% 0% yellow" class="">checksum</span> /etc/shadow.<br>
<br></div>But lets assume you have overcome the read issue in some way, and are now doing a check-sum of /etc/shadow.....<br></div>Besides picking up new users, it will also alert whenever somebody changes their password or whenever an account is locked and/or reactivated<br>
<br></div></div></div></div>I company I worked for (very briefly) used tripwire to monitor /etc/shadow, "for security" and we had to log in and reset the tripwire every time some sod changed their password. <br>
</div>Complete waste of time.<br><div><div><div><div><div><div><div><div><div><br></div><div>If you want to keep tabs on your list of users, you are better off just checking /etc/<span style="background:none repeat scroll 0% 0% yellow" class="">passwd</span>, and leave /etc/shadow alone. It's probably the most protected file in the Unix file system, and probably the least likely to me modified by a hacker, unless they have access to a <span style="background:none repeat scroll 0% 0% yellow" class="">userID</span>.<br>
<br></div><div>Consider the paradox of /etc/<span style="background:none repeat scroll 0% 0% yellow" class="">passwd</span> and /etc/shadow.<br></div><div>The most protected file is /etc/shadow, but any user can modify it.<br>
</div><div>The /etc/<span style="background:none repeat scroll 0% 0% yellow" class="">passwd</span> file is a very "open" file, readable by all, but writable by only a very select few. <br><br></div><div>Trust me, if you have more than a handful of users, doing a <span style="background:none repeat scroll 0% 0% yellow" class="">checksum</span> on /etc/shadow will only bring you pain and suffering.<br>
</div><div><br></div><div>If you don't want to use checksums, have a known list of users and/or userIDs, then you can always write a quick script to check your list against the usernames ( cut -d: -f1 /etc/passwd) or the userIDs ( cut -d: -f3 /etc/passwd) or both (cut -d: -f1,3 /etc/passwd)<br>
</div><div>I would suggest you sort both lists first though.<br><br></div><div>Cheers<br></div><div>Vernon<br></div></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On 22 April 2013 19:45, Adam Goryachev <span dir="ltr"><<a href="mailto:mailinglists@websitemanagers.com.au" target="_blank">mailinglists@websitemanagers.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><div class="im">
<div>On 22/04/13 20:53, Ralph Mitchell
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">You might want to talk to your security people before
copying the passed file to another system, and you *definitely*
should not copy the shadow file. There are good reasons that
file is readable only by root.</p>
<p dir="ltr">Ralph Mitchell</p>
<div style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="MARGIN:4px 4px 1px;FONT:10pt Tahoma">
<div>If you want to monitor changes to the passwd/shadow file,
one way would be to write an ext script. One can get around
the OS recording changes to users by just editing the files
directly, so this would be a bit more foolproof. <br>
</div>
<div>You'd need be to keep a copy of the passwd file somewhere
else (say the xymon server itself) and then do a diff
against it. Something like:</div>
<br>
</div>
</div>
</blockquote>
<br></div>
I've been watching this thread, but maybe I missed it...<br>
<br>
Doesn't xymon allow to calculate the MD5 of a file and alert if it
is modified..... I'm pretty sure this is a standard feature. Here it
is:<br>
# - "MD5=md5sum", "SHA1=sha1sum", "RMD160=rmd160sum"
trigger a warning<br>
# if the file checksum using the MD5, SHA1 or RMD160
message digest<br>
# algorithms do not match the one configured here.
Note: The "file"<br>
# entry in the client-local.cfg file must specify
which algorithm to use.<br>
<br>
Surely this would generate an appropriate alert if the file is
modified... and continue to alert until the xymon config was updated
with the new checksum.<br>
<br>
Regards,<br>
Adam<span class="HOEnZb"><font color="#888888"><br>
<br>
<pre cols="72">--
Adam Goryachev
Website Managers
<a href="http://www.websitemanagers.com.au" target="_blank">www.websitemanagers.com.au</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com">Xymon@xymon.com</a><br>
<a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><span>"Accept the challenges so that you can feel the exhilaration of victory"</span><div><span>- General George Patton</span></div>
</div>