
IDS/9000 alerts on /etc/passwd

Herrick_2
New Member

IDS/9000 alerts on /etc/passwd

I am using IDS 9000 A.02.02 on a server running HP-UX 11.00.

I've found that after a user account is removed from the system, alerts like "Details: User 0 renamed/opened/changed a file to "/etc/passwd" executing ..." are reported whenever another account logs in to the system.

Is it normal?

Thanks.
Jan Sladky
Trusted Contributor

Re: IDS/9000 alerts on /etc/passwd

hi,
It shouldn't be normal; check /etc/passwd to see whether everything is OK (has the user really been deleted, is there a remnant of another entry, etc.).

Are you using NIS ?

br Jan
GSM, Intelligent Networks, UNIX
Herrick_2
New Member

Re: IDS/9000 alerts on /etc/passwd

Hi Jan,

I've checked /etc/passwd, /etc/group & /tcb/files/auth. The user has really been deleted and we are not using NIS.

Anything else I can check?

Thanks,
Herrick
Pierre Pasturel
Respected Contributor

Re: IDS/9000 alerts on /etc/passwd

Herrick -

Please post the commands you are running to produce these alerts along with the alerts themselves so I can see what is going on.

Thanks
Pierre
Steven E. Protter
Exalted Contributor

Re: IDS/9000 alerts on /etc/passwd

Sure looks like IDS/9000 may have cached some data from the system, probably /etc/passwd

What happens if you start and stop IDS/9000 or restart the system IDS/9000 is running on?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Herrick_2
New Member

Re: IDS/9000 alerts on /etc/passwd

The problem happened again after I performed the following commands last night:
/usr/sbin/useradd USERNAME
/usr/lbin/modprpw -k USERNAME
/usr/sbin/userdel -r USERNAME

The following was captured from /var/opt/ids/alert.log
==================================================
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%3%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 changed the permissions of "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 opened for modification/truncation "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 renamed the file "/etc/passwd" executing an unknown program as PID: 4247
==================================================

And the thing I've done that seems to trigger the message is just a login using ssh (as indicated by PID 4247):
==================================================
root 659 1 0 Aug 22 ? 0:00 /opt/ssh/sbin/sshd
root 4240 659 0 15:05:34 ? 0:00 sshd: user01 [priv]
user01 4247 4240 0 15:05:37 ? 0:00 sshd: user01@pts/1
user01 4251 4247 0 15:05:37 pts/1 0:00 -ksh
==================================================

Thanks
Herrick
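As an added example (not code from this thread or from HP's IDS/9000), a small Python triage script that splits the '%'-separated alert.log lines shown above, pulls the file path, program and PID out of the detail text, and matches the PID against a ps -ef style listing to flag writers of /etc/passwd that are not account-management tools. The field names, the "executing <program>" form of the detail text, and the extra userdel process are assumptions, constructed for the example.

```python
import re

# Constructed alert.log lines in the '%'-separated layout from the thread. Field names
# are assumptions; "executing /usr/sbin/userdel" is assumed from the real alerts' wording.
ALERT_LOG = """\
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%3%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 changed the permissions of "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 opened for modification/truncation "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:10 2004%027%01%2%20040916070510%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 opened for modification/truncation "/etc/passwd" executing /usr/sbin/userdel as PID: 4101
"""
# Constructed ps -ef style listing matching the thread's, plus one userdel process.
PS_OUTPUT = """\
root 659 1 0 Aug 22 ? 0:00 /opt/ssh/sbin/sshd
root 4240 659 0 15:05:34 ? 0:00 sshd: user01 [priv]
user01 4247 4240 0 15:05:37 ? 0:00 sshd: user01@pts/1
root 4101 4090 0 15:05:10 pts/0 0:00 /usr/sbin/userdel -r USERNAME
"""
FIELDS = ("host", "ip", "time", "code1", "code2", "severity", "stamp",
          "user", "template", "summary", "detail")
DETAIL_RE = re.compile(r'"(?P<path>[^"]+)" executing (?P<prog>.+?) as PID:\s*(?P<pid>\d+)')
TIME_RE = re.compile(r"\d+:\d{2}")  # ps TIME column (e.g. 0:00); STIME has two colons
# Tools expected to rewrite /etc/passwd on HP-UX; any other writer needs a look.
ACCOUNT_TOOLS = ("useradd", "userdel", "usermod", "passwd", "modprpw", "vipw")

def parse_alert(line):
    """Split one alert.log line on '%' and pull path, program and PID from the detail."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("%", len(FIELDS) - 1)))
    m = DETAIL_RE.search(rec.get("detail", ""))
    rec["path"], rec["prog"] = (m.group("path"), m.group("prog")) if m else (None, None)
    rec["pid"] = int(m.group("pid")) if m else None
    return rec

def parse_ps(text):
    """Map PID -> (owner, command); STIME may be 'Aug 22', so locate the TIME column."""
    procs = {}
    for parts in (l.split() for l in text.splitlines()):
        tidx = next((i for i in range(4, len(parts)) if TIME_RE.fullmatch(parts[i])), None)
        if len(parts) >= 8 and tidx is not None:
            procs[int(parts[1])] = (parts[0], " ".join(parts[tidx + 1:]))
    return procs

def unexpected_writers(alert_text, ps_text, path="/etc/passwd"):
    """{pid: 'owner command'} for writers of `path` that are not account tools (here: sshd)."""
    procs, hits = parse_ps(ps_text), {}
    for rec in map(parse_alert, alert_text.splitlines()):
        if rec["path"] != path or rec["pid"] is None:
            continue
        owner, cmd = procs.get(rec["pid"], ("?", "not in ps listing"))
        if not any(t in (rec["prog"] or "") + " " + cmd for t in ACCOUNT_TOOLS):
            hits[rec["pid"]] = f"{owner} {cmd}"
    return hits
```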
Sridhar Bhaskarla
Honored Contributor

Re: IDS/9000 alerts on /etc/passwd

Hi Herrick,

It is perfectly normal if you enabled the "Modification of files/directories" template in IDS. So, when the user account is modified, /etc/passwd gets changed, thereby resulting in a filesystem change.

You can modify the template to ignore files and directories such as /etc/passwd, /etc/group, /var, /tmp etc., so that you won't get these messages.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Herrick_2
New Member

Re: IDS/9000 alerts on /etc/passwd

I also expected that alerts about /etc/passwd would be triggered when I "useradd" & "userdel".

However, I don't understand why the ssh login a few hours after the "useradd" & "userdel" actions would also trigger this kind of alert.

Besides, the problem disappears if I restart IDS/9000.

Thanks
Herrick