[hobbit] monitoring etc passwd

Langford, Kenneth kenneth.langford at siemens.com
Mon Jul 20 20:55:49 CEST 2009

The bad news is that a simple user changing his password on the system would cause an event notification if you are not using NIS/NIS+ or LDAP for your users and the /etc/passwd file was for local accounts only.


Kenneth W. Langford
Systems Engineer

-----Original Message-----
From: dOCtoR MADneSs [mailto:doctor at makelofine.org] 
Sent: Monday, July 20, 2009 1:16 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] monitoring etc passwd

Harold J. Ballinger a écrit :
> I agree with you that he needs to have more in place to control this, but having an alert when changes are made is a nice event notification to kick off any necessary audit/control procedures. I can definitely see the advantages of having such an event notification in place.
> -
> Harold Ballinger
> IT Coordinator
> Heritage Healthcare, Inc. 
>  (888) 335-2620  | helpdesk
>  (864) 224-3626  | office
>  (864) 224-3093  | fax
> Visit our website: www.heritage-healthcare.com 
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at staff.telkomsa.net] 
> Sent: Saturday, July 18, 2009 4:54 PM
> To: hobbit at hswn.dk
> Cc: Gavin Leonard
> Subject: Re: [hobbit] monitoring etc passwd
> On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
>> Hi All,
>>                 I am having a problem where users and groups are being
>> created without the knowledge of the admin team and its making it difficult
>> to know who had access to what systems if they leave the company... is
>> there a way for hobbit to tell me when the /etc/passwd or /etc/group files
>> change? Thanks in Advance..
> IMHO, this is not a problem to solve by monitoring, it is a problem to be 
> solved by:
> -authorization for actions/commands (e.g. sudo access to specific commands, 
> instead of root shell access)
> -accounting/auditing (e.g., in case root shell access is required, the 
> commands/screen output should be recorded against the user who started the 
> root shell session)
> -security auditing
> Centralised authentication (which implies that the only local accounts 
> required are for "system" use, not for users) can also help reduce the amount 
> of work in picking up and fixing incorrect user/group changes.
> If monitoring when changes were made to local files forms one part of your 
> process, fine, you can use the 'FILE' monitoring feature with the mtime check.
> However, I would really hope this is not the only thing you are putting in 
> place to solve this problem.
> Regards,
> Buchan
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
I think almost same, using md5 verification is strong (imho), and does 
not dispense of using other security audit tools.

To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk

More information about the Xymon mailing list