topic Re: /etc/group modified in Operating System - HP-UX

/etc/group modified

Rafael Mendonça Braga — Thu, 22 Sep 2005 12:38:57 GMT

Hello experts!!!

I'm running HP-UX 11i.

I would like to know if is there a way to be alerted every time a file is modified...
For example:

When /etc/group is modified, an e-mail is sent to me telling me this.

Do you know how can I do it?

Thanks a lot!!!

Rafael M. Braga

Re: /etc/group modified

Bill Hassell — Thu, 22 Sep 2005 12:46:34 GMT

Not possible without some script watching the timestamp and generating an email whenever the modification time changes. For /etc/group, it's easy to know who did it: only root can modify the /etc/group file, so change the root password and don't give it to anybody. Install sudo (so other root users will no longer use su) and now every command issued by a non-root user will be logged.

Re: /etc/group modified

Robert-Jan Goossens — Thu, 22 Sep 2005 12:55:08 GMT

Hi,

tripwire could do this for you. I don't know if the default auditing tool inside HPUX will go that far.

# man -k audit

http://www.utexas.edu/its/sds/products/tripwire.html

Hope this helps,
Robert-Jan

Re: /etc/group modified

Zigor Buruaga — Thu, 22 Sep 2005 12:59:21 GMT

Hi,

I use HIDS ( free Host Intrusion Detection System from HP ) for such things.
You can write your own simple script, put it on the response directory, to be executed any time the event is rised, so you can i.e. send a mail to your mailbox, etc. I'm using HIDS 2.2 ( think that the version 3.0 was already developed ), I receive an email whenever somebody changes something under /etc/rc.config.d, the passwd or group file, etc or whenever somebody enter a wrong passwd 3 times,
unsuccesful su's, etc, etc, ok ... I love this tool ;-)

Only an idea ...
Regards,
Zigor

Re: /etc/group modified

Zigor Buruaga — Thu, 22 Sep 2005 13:17:07 GMT

Just visited software.hp.com, looks like the version 3.1 already exists ( IT world is too fast to me ).
One of the threats that can detect, as mentioned before:

files

Modification of critical system files and directories
Creation of world writable files
Creation and modification of privileged "setuid" files
File additions and deletions

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

Regards,
Zigor

Re: /etc/group modified

Raj D. — Thu, 22 Sep 2005 15:00:16 GMT

Hi Rafael ,

Here is a sample script , that will monitor the /etc/group file for any modification. And if modifies it will send an email to you: Can be run through cron.

#########################################
# Script for checking modification for group file: /etc/group
# File Name: grpck.sh Ver:1.0 # Raj.D
#########################################

i=0
while true
do

ORG_TM_STMP="`ls -l /etc/group | awk '{print $6$7$8}'`"
TODAYS_TM_STMP="`date | awk '{print $2$3 substr($4,1,5)}'`"

if [ "$ORG_TM_STMP" = "$TODAYS_TM_STMP" ]
then
echo " Alert!! /etc/group has modified today . !!! at `date` " > /dev/null

i="`expr $i + 1`"
else
echo " No problem.. no /etc/group modification ..." > /dev/null
fi

if [ "$i" = "1" ]
then
#echo " File /etc/group modified at `date` " | mailx -s "Alert! /etc/group" rafael@your_domain.com

echo " Group file /etc/group modified " > /dev/console
echo " Email sent to: Rafael MendonÃ§a Braga . "
fi

if [ "$ORG_TM_STMP" != "$TODAYS_TM_STMP" ]
then
i=0
fi

done
#########################################

It will check every one minute for any modification , and if happens sends one email for each modification.

Enjoy,
Cheers,
Raj.

Re: /etc/group modified

Q4you — Thu, 22 Sep 2005 16:23:50 GMT

if you have HP ITO openview ( mostly you may have ), have your monitoring staff modify the OpenView client template with your email need and push it to the server. That will do it.

-Q

Re: /etc/group modified

VEL_1 — Thu, 22 Sep 2005 23:55:47 GMT

Hi,

Use the following script in crontab OR create startup script using the following contents:

#!/sbin/sh

current_time_modification=`ls -l /etc/group | awk '{ print $6 $7 $8 }'`
cksum_size=`cksum /etc/group | awk '{ print $1 " " $2 }'`

i=1

while [ $i -eq 1 ]
do
new_time_modification=`ls -l /etc/group | awk '{ print $6 $7 $8 }'`
new_cksum_size=`cksum /etc/group | awk '{ print $1 " " $2 }'`

if [ "$current_time_modification" != "$new_time_modification" ] && [ "$cksum_size != $new_cksum_size" ]
then
echo "/etc/group file has been modified"

# send messgae to /var/adm/syslog/syslog.log
/usr/bin/logger -p 5 "Alert: /etc/group file modified"

# If mail works, uncomment the follwing & replace the test@test.com
#echo "/etc/group file has been modified" | mailx -s "Alert: /etc/group file modified" test@test.com

current_time_modification=$new_time_modification
cksum_size=$new_cksum_size
fi
done