topic Re: Strange message from whoami - Intruder Alert in Operating System - HP-UX

Strange message from whoami - Intruder Alert

Al Miller — Tue, 30 Jul 2002 17:13:02 GMT

Can someone explain to me under what conditions the whoami command will return Intruder Alert. I am seeing this returned to my logs in some batch processes I am running.

Re: Strange message from whoami - Intruder Alert

Patrick Wallek — Tue, 30 Jul 2002 17:15:08 GMT

If I remember correctly, this happens when /etc/passwd file is not world readable.

/etc/passwd should be, at a minimum, 444 permissions.

Re: Strange message from whoami - Intruder Alert

Kelli Ward — Tue, 30 Jul 2002 17:16:49 GMT

Hi,
I believe you will see this message if a user attempts to log in but either, is not listed in /etc/passwd or if /etc/passwd is not world readable.
Hope this helps,
Kel

Re: Strange message from whoami - Intruder Alert

Patrick Wallek — Tue, 30 Jul 2002 17:18:41 GMT

If you need more information, check out TKB document W3449877.

To summarize, /etc/passwd should be at 444 permissions with root:sys as owner and group, and the /etc directory should be at 666 permissions with bin:bin as owner and group.

Re: Strange message from whoami - Intruder Alert

S.K. Chan — Tue, 30 Jul 2002 17:19:21 GMT

I can think of 3 conditions ..
1- password file is corrupted
2- password file permission is set to 400
3- wrong NIS domainname

Re: Strange message from whoami - Intruder Alert

Martin Johnson — Tue, 30 Jul 2002 17:28:45 GMT

This happened to me last week. The /var file system filled up. This resulted in the ServiceGuard software to terminate and all sorts of weird things happening, including the "Intruder Alert" from whoami. I cleared out some core files from /var.

I was logged in my pseudo root account. I tried to run shutdown. It said I wasn't authorized. I "su-ed" to root. shutdown wouldn't run because it couldn't determine my username. I use "reboot" instead. Everything came up fine after the reboot. whoami worked fine after the reboot.

Weird!
Marty

Re: Strange message from whoami - Intruder Alert

Bill Hassell — Tue, 30 Jul 2002 17:48:20 GMT

As you have seen, /var is a critical filesystem and must have lots of empty space available. You can start by eliminating core files completely with the statement:

ulimit -Sc 0

in /etc/profile. This assumes that all your user logins are using /usr/bin/sh as their shell (and root must use /sbin/sh).

Then find out where the big stuff is located--not big files, but big directories! Use du as in:

du -kx /var | sort -rn | /tmp/du.var

Look at the top of the du.var file for hints. In a ServiceGuard environment, you don't want much of anything in /var/mail or /var/spool. /var/adm will be large for 2 reasons: /var/adm logfiles, and /var/adm/sw for installs and patches. /var/adm/sw is a good candidate for it's own lvol.

And also /var/ad,/crash which should empty if you keep up on patches, otherwise, create an lvol for the crash directory. Use symlinks to avoid having to change config files.

Re: Strange message from whoami - Intruder Alert

Martin Johnson — Tue, 30 Jul 2002 17:57:19 GMT

Thanks Bill!

I usually put /var/adm/sw and /var/adm/crash in their own lvols. On this particular system, it wasn't done as this system was setup by consultants. I'll have to add it to my "todo" list.

Marty