[hobbit] monitoring etc passwd
dOCtoR MADneSs
doctor at makelofine.org
Mon Jul 20 19:16:21 CEST 2009
Harold J. Ballinger a écrit :
> I agree with you that he needs to have more in place to control this, but having an alert when changes are made is a nice event notification to kick off any necessary audit/control procedures. I can definitely see the advantages of having such an event notification in place.
>
> -
>
> Harold Ballinger
> IT Coordinator
> Heritage Healthcare, Inc.
> (888) 335-2620 | helpdesk
> (864) 224-3626 | office
> (864) 224-3093 | fax
>
> Visit our website: www.heritage-healthcare.com
>
>
>
>
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at staff.telkomsa.net]
> Sent: Saturday, July 18, 2009 4:54 PM
> To: hobbit at hswn.dk
> Cc: Gavin Leonard
> Subject: Re: [hobbit] monitoring etc passwd
>
> On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
>> Hi All,
>> I am having a problem where users and groups are being
>> created without the knowledge of the admin team and its making it difficult
>> to know who had access to what systems if they leave the company... is
>> there a way for hobbit to tell me when the /etc/passwd or /etc/group files
>> change? Thanks in Advance..
>
> IMHO, this is not a problem to solve by monitoring, it is a problem to be
> solved by:
> -authorization for actions/commands (e.g. sudo access to specific commands,
> instead of root shell access)
> -accounting/auditing (e.g., in case root shell access is required, the
> commands/screen output should be recorded against the user who started the
> root shell session)
> -security auditing
>
> Centralised authentication (which implies that the only local accounts
> required are for "system" use, not for users) can also help reduce the amount
> of work in picking up and fixing incorrect user/group changes.
>
> If monitoring when changes were made to local files forms one part of your
> process, fine, you can use the 'FILE' monitoring feature with the mtime check.
>
> However, I would really hope this is not the only thing you are putting in
> place to solve this problem.
>
> Regards,
> Buchan
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
I think almost same, using md5 verification is strong (imho), and does
not dispense of using other security audit tools.
More information about the Xymon
mailing list