[hobbit] monitoring etc passwd
Buchan Milne
bgmilne at staff.telkomsa.net
Sat Jul 18 22:53:45 CEST 2009
On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
> Hi All,
> I am having a problem where users and groups are being
> created without the knowledge of the admin team and its making it difficult
> to know who had access to what systems if they leave the company... is
> there a way for hobbit to tell me when the /etc/passwd or /etc/group files
> change? Thanks in Advance..
IMHO, this is not a problem to solve by monitoring, it is a problem to be
solved by:
-authorization for actions/commands (e.g. sudo access to specific commands,
instead of root shell access)
-accounting/auditing (e.g., in case root shell access is required, the
commands/screen output should be recorded against the user who started the
root shell session)
-security auditing
Centralised authentication (which implies that the only local accounts
required are for "system" use, not for users) can also help reduce the amount
of work in picking up and fixing incorrect user/group changes.
If monitoring when changes were made to local files forms one part of your
process, fine, you can use the 'FILE' monitoring feature with the mtime check.
However, I would really hope this is not the only thing you are putting in
place to solve this problem.
Regards,
Buchan
More information about the Xymon
mailing list