topic Re: root user profile corrupted in Operating System - HP-UX

root user profile corrupted

Ajin_1 — Thu, 03 Jan 2013 13:45:18 GMT

Experts

$ grep root /etc/passwd

root:XXXXXXXX:0:3::u:/sbin/sh

root:XXXXXXXX:0:3::/:/sbin/sh

Home Directory was / ,instead of / It modified as u .

My doubt is any command will overrude this or somebody edit the passwd file ?

Re: root user profile corrupted

Ken Grabowski — Thu, 03 Jan 2013 14:21:58 GMT

smh can be used to call the sam user tool, or usermod can be used to modify a user account. However, both of these should refuse to work on the root account. I would guess that somebody edited the passwd file. Make sure the file is owned root:sys and is set to 444 permissions. Check the shell history for root. Make sure only trained authorized administrators have access to the root password. Better yet, force the use of RBAC or sudo to perform administrative tasks.

Re: root user profile corrupted

Ajin_1 — Thu, 03 Jan 2013 15:14:34 GMT

Hi ken

Thanks for mail

How can I Check the shell history for root.

Re: root user profile corrupted

Ken Grabowski — Thu, 03 Jan 2013 15:42:44 GMT

Normally it would be in the root home directory /.sh_history, if it was configured. If it wasn't configured, then you may not have one.

Re: root user profile corrupted

Patrick Wallek — Thu, 03 Jan 2013 15:43:34 GMT

Check in roots home directory, / in this case, for a file like .sh_history or .history. The file can be viewed via 'cat' or 'more'.

Re: root user profile corrupted

Ajin_1 — Fri, 04 Jan 2013 13:00:15 GMT

I checked the history file .I thing it was not configured .

I understood someone edit the password file .But root only do this .I didnt find any oneone do su at that time Period .Is any other way to find this whom do vi like vi logs or the logs captured other than syslog wtmp and su log

Re: root user profile corrupted

Ken Grabowski — Fri, 04 Jan 2013 13:21:32 GMT

Did you verify that /etc/passwd was owned root:sys and set to 444 mode? If permissions are not restricted, then others might be able to edit. There should be tight control of the root account. In some shops I've worked, only the security team had the password and even HP-UX Engineers had to use RBAC or sudo to do administrative tasks. At a minimum only one or two experienced administrators should have it and you should configure the shell history. The vi editor does not have a history or log function. I doubt that you can determine the offender at this time. Even with shell history and system auditing enabled, you might have a hard time determining who did it. If you force administrators to use RBAC and sudo to gain root privilege and add the base UID to the root .sh_history.$UID file, you might be able to see who had vi'ed the passwd file in the future.