Hi guys

There are a number of issue with what you propose. Firstly, /etc/shadow is readable by root only. Unless you are running Xymonas root, (which is very bad) or doing some interesting things with sudo or wrapper scripts, there is no way Xymon can checksum /etc/shadow.

But lets assume you have overcome the read issue in some way, and are now doing a check-sum of /etc/shadow..... Besides picking up new users, it will also alert whenever somebody changes their password or whenever an account is locked and/or reactivated

I company I worked for (very briefly) used tripwire to monitor /etc/shadow, "for security" and we had to log in and reset the tripwire every time some sod changed their password. Complete waste of time.

If you want to keep tabs on your list of users, you are better off just checking /etc/passwd, and leave /etc/shadow alone. It's probably the most protected file in the Unix file system, and probably the least likely to me modified by a hacker, unless they have access to a userID.

Consider the paradox of /etc/passwd and /etc/shadow. The most protected file is /etc/shadow, but any user can modify it. The /etc/passwd file is a very "open" file, readable by all, but writable by only a very select few.

Trust me, if you have more than a handful of users, doing a checksum on /etc/shadow will only bring you pain and suffering.

If you don't want to use checksums, have a known list of users and/or userIDs, then you can always write a quick script to check your list against the usernames ( cut -d: -f1 /etc/passwd) or the userIDs ( cut -d: -f3 /etc/passwd) or both (cut -d: -f1,3 /etc/passwd) I would suggest you sort both lists first though.

Cheers Vernon

On 22 April 2013 19:45, Adam Goryachev <mailinglists at websitemanagers.com.au>wrote:

On 22/04/13 20:53, Ralph Mitchell wrote:

You might want to talk to your security people before copying the passed file to another system, and you *definitely* should not copy the shadow file. There are good reasons that file is readable only by root.

Ralph Mitchell If you want to monitor changes to the passwd/shadow file, one way would be to write an ext script. One can get around the OS recording changes to users by just editing the files directly, so this would be a bit more foolproof. You'd need be to keep a copy of the passwd file somewhere else (say the xymon server itself) and then do a diff against it. Something like:

I've been watching this thread, but maybe I missed it...

Doesn't xymon allow to calculate the MD5 of a file and alert if it is modified..... I'm pretty sure this is a standard feature. Here it is:

- "MD5=md5sum", "SHA1=sha1sum", "RMD160=rmd160sum" trigger a

warning

if the file checksum using the MD5, SHA1 or RMD160 message

digest

algorithms do not match the one configured here. Note: The

"file"

entry in the client-local.cfg file must specify which

algorithm to use.

Surely this would generate an appropriate alert if the file is modified... and continue to alert until the xymon config was updated with the new checksum.

Regards, Adam

-- Adam Goryachev Website Managerswww.websitemanagers.com.au

---

Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon

-- "Accept the challenges so that you can feel the exhilaration of victory"

• General George Patton