RE: [hobbit] monitoring etc passwd
- To: "'hobbit (at) hswn.dk'" <hobbit (at) hswn.dk>
- Subject: RE: [hobbit] monitoring etc passwd
- From: "Langford, Kenneth" <kenneth.langford (at) siemens.com>
- Date: Mon, 20 Jul 2009 14:55:49 -0400
The bad news is that a simple user changing his password on the system would cause an event notification if you are not using NIS/NIS+ or LDAP for your users and the /etc/passwd file was for local accounts only.
Ken,
----
Kenneth W. Langford
Systems Engineer
-----Original Message-----
From: dOCtoR MADneSs [mailto:doctor (at) makelofine.org]
Sent: Monday, July 20, 2009 1:16 PM
To: hobbit (at) hswn.dk
Subject: Re: [hobbit] monitoring etc passwd
Harold J. Ballinger wrote:
> I agree with you that he needs to have more in place to control this, but having an alert when changes are made is a nice event notification to kick off any necessary audit/control procedures. I can definitely see the advantages of having such an event notification in place.
>
> -
>
> Harold Ballinger
> IT Coordinator
> Heritage Healthcare, Inc.
> (888) 335-2620 | helpdesk
> (864) 224-3626 | office
> (864) 224-3093 | fax
>
> Visit our website: www.heritage-healthcare.com
>
>
>
>
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne (at) staff.telkomsa.net]
> Sent: Saturday, July 18, 2009 4:54 PM
> To: hobbit (at) hswn.dk
> Cc: Gavin Leonard
> Subject: Re: [hobbit] monitoring etc passwd
>
> On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
>> Hi All,
>> I am having a problem where users and groups are being
>> created without the knowledge of the admin team and it's making it difficult
>> to know who had access to what systems if they leave the company... is
>> there a way for hobbit to tell me when the /etc/passwd or /etc/group files
>> change? Thanks in Advance..
>
> IMHO, this is not a problem to solve by monitoring, it is a problem to be
> solved by:
> -authorization for actions/commands (e.g. sudo access to specific commands,
> instead of root shell access)
> -accounting/auditing (e.g., in case root shell access is required, the
> commands/screen output should be recorded against the user who started the
> root shell session)
> -security auditing
>
> Centralised authentication (which implies that the only local accounts
> required are for "system" use, not for users) can also help reduce the amount
> of work in picking up and fixing incorrect user/group changes.
>
> If monitoring when changes were made to local files forms one part of your
> process, fine, you can use the 'FILE' monitoring feature with the mtime check.
>
> However, I would really hope this is not the only thing you are putting in
> place to solve this problem.
>
> Regards,
> Buchan
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe (at) hswn.dk
>
>
I think almost the same: using md5 verification is strong (imho), and does
not dispense with using other security audit tools.
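An added example, not written by any poster in this thread and not Hobbit code: it compares two snapshots of /etc/passwd or /etc/group field by field, so that a password change in a local-only passwd file (the case Ken raises for whole-file mtime or hash checks) produces no event while account and group changes do. The function names and sample snapshots are constructed for illustration, and sha256 stands in for the md5 mentioned above.

```python
import hashlib

def digest(text):
    # Whole-file hash (sha256 here; the thread mentions md5): changes on ANY edit.
    return hashlib.sha256(text.encode()).hexdigest()

def parse(text, kind):
    """Map entry name -> security-relevant fields, dropping the password field."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if kind == "passwd" and len(f) == 7:
            entries[f[0]] = {"uid": f[2], "gid": f[3], "home": f[5], "shell": f[6]}
        elif kind == "group" and len(f) == 4:
            members = ",".join(sorted(m for m in f[3].split(",") if m))
            entries[f[0]] = {"gid": f[2], "members": members}
        else:
            entries[f"<malformed:{line}>"] = {}  # surface odd lines, never hide them
    return entries

def account_changes(before, after, kind="passwd"):
    """Return events for added, removed or modified accounts/groups."""
    old, new = parse(before, kind), parse(after, kind)
    events = [f"added {n}" for n in sorted(new.keys() - old.keys())]
    events += [f"removed {n}" for n in sorted(old.keys() - new.keys())]
    for n in sorted(old.keys() & new.keys()):
        for k in old[n]:
            if old[n][k] != new[n][k]:
                events.append(f"changed {n}: {k} {old[n][k]} -> {new[n][k]}")
    return events

# Constructed snapshots (not real data); field 2 holds the hash, as on a
# system that keeps local password hashes in /etc/passwd itself.
PASSWD_T0 = ("root:$1$r00t:0:0:root:/root:/bin/sh\n"
             "alice:$1$old:1001:100:Alice:/home/alice:/bin/sh\n")
PASSWD_T1 = PASSWD_T0.replace("$1$old", "$1$new")             # alice changed her password
PASSWD_T2 = PASSWD_T1 + "bob:$1$x:1002:100:Bob:/home/bob:/bin/sh\n"  # new account
GROUP_T0 = "wheel:x:10:root\n"
GROUP_T1 = "wheel:x:10:root,bob\n"                            # new group member

if __name__ == "__main__":
    print("hash changed on password change:", digest(PASSWD_T0) != digest(PASSWD_T1))
    print("events on password change:", account_changes(PASSWD_T0, PASSWD_T1))
    print("events on new account:", account_changes(PASSWD_T1, PASSWD_T2))
    print("group events:", account_changes(GROUP_T0, GROUP_T1, "group"))
```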