[Xymon] Xymon Log Retrieval

Vernon Everett everett.vernon at gmail.com
Mon Apr 22 15:20:54 CEST 2013


Hi guys

There are a number of issues with what you propose.
Firstly, /etc/shadow is readable by root only. Unless you are running
Xymon as root (which is very bad) or doing some interesting things with
sudo or wrapper scripts, there is no way Xymon can checksum /etc/shadow.

But let's assume you have overcome the read issue in some way, and are now
doing a check-sum of /etc/shadow.....
Besides picking up new users, it will also alert whenever somebody changes
their password or whenever an account is locked and/or reactivated.

A company I worked for (very briefly) used tripwire to monitor /etc/shadow,
"for security" and we had to log in and reset the tripwire every time some
sod changed their password.
Complete waste of time.

If you want to keep tabs on your list of users, you are better off just
checking /etc/passwd, and leave /etc/shadow alone. It's probably the most
protected file in the Unix file system, and probably the least likely to be
modified by a hacker, unless they have access to a userID.

Consider the paradox of /etc/passwd and /etc/shadow.
The most protected file is /etc/shadow, but any user can modify it.
The /etc/passwd file is a very "open" file, readable by all, but writable
by only a very select few.

Trust me, if you have more than a handful of users, doing a checksum on
/etc/shadow will only bring you pain and suffering.

If you don't want to use checksums, have a known list of users and/or
userIDs, then you can always write a quick script to check your list
against the usernames (cut -d: -f1 /etc/passwd) or the userIDs (cut -d:
-f3 /etc/passwd) or both (cut -d: -f1,3 /etc/passwd).
I would suggest you sort both lists first though.

Cheers
Vernon


On 22 April 2013 19:45, Adam Goryachev
<mailinglists at websitemanagers.com.au> wrote:

>  On 22/04/13 20:53, Ralph Mitchell wrote:
>
> You might want to talk to your security people before copying the passwd
> file to another system, and you *definitely* should not copy the shadow
> file. There are good reasons that file is readable only by root.
>
> Ralph Mitchell
>  If you want to monitor changes to the passwd/shadow file, one way would
> be to write an ext script. One can get around the OS recording changes to
> users by just editing the files directly, so this would be a bit more
> foolproof.
>  You'd need to keep a copy of the passwd file somewhere else (say the
> xymon server itself) and then do a diff against it. Something like:
>
>
> I've been watching this thread, but maybe I missed it...
>
> Doesn't xymon allow to calculate the MD5 of a file and alert if it is
> modified..... I'm pretty sure this is a standard feature. Here it is:
> #             - "MD5=md5sum", "SHA1=sha1sum", "RMD160=rmd160sum" trigger a warning
> #               if the file checksum using the MD5, SHA1 or RMD160 message digest
> #               algorithms do not match the one configured here. Note: The "file"
> #               entry in the client-local.cfg file must specify which algorithm to use.
>
> Surely this would generate an appropriate alert if the file is modified...
> and continue to alert until the xymon config was updated with the new
> checksum.
>
> Regards,
> Adam
>
> --
> Adam Goryachev
> Website Managers www.websitemanagers.com.au
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
>


-- 
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton

