07-14-2004 08:59 PM
IDS/9000 alerts on /etc/passwd
I've found that after a user account is removed from the system, alerts like "Details: User 0 renamed/opened/changed a file to "/etc/passwd" executing ..." would be reported whenever there is another account login to the system.
Is it normal?
Thanks.
07-14-2004 11:23 PM
Re: IDS/9000 alerts on /etc/passwd
It shouldn't be normal. Check /etc/passwd to see whether everything is OK (has the user really been deleted, is there some remnant of another entry, etc.).
Are you using NIS?
br Jan
07-16-2004 03:41 PM
Re: IDS/9000 alerts on /etc/passwd
I've checked /etc/passwd, /etc/group & /tcb/files/auth. The user has really been deleted and we are not using NIS.
Anything else I can check?
Thanks,
Herrick
07-30-2004 08:38 AM
Re: IDS/9000 alerts on /etc/passwd
Please post the commands you are running to produce these alerts along with the alerts themselves so I can see what is going on.
Thanks
Pierre
07-30-2004 08:48 AM
Re: IDS/9000 alerts on /etc/passwd
What happens if you start and stop IDS/9000 or restart the system IDS/9000 is running on?
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
09-15-2004 07:23 PM
Re: IDS/9000 alerts on /etc/passwd
/usr/sbin/useradd USERNAME
/usr/lbin/modprpw -k USERNAME
/usr/sbin/userdel -r USERNAME
The following was captured from /var/opt/ids/alert.log
==================================================
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%3%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 changed the permissions of "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 opened for modification/truncation "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 renamed the file "/etc/passwd" executing an unknown program as PID: 4247
==================================================
And the thing that I've done, which seems to trigger the message, is just a login using ssh (as indicated by the PID:4247)
==================================================
root 659 1 0 Aug 22 ? 0:00 /opt/ssh/sbin/sshd
root 4240 659 0 15:05:34 ? 0:00 sshd: user01 [priv]
user01 4247 4240 0 15:05:37 ? 0:00 sshd: user01@pts/1
user01 4251 4247 0 15:05:37 pts/1 0:00 -ksh
==================================================
Thanks
Herrick
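Added example (not part of the original posts and not IDS/9000 tooling): a small Python triage helper that groups the alert.log lines quoted above by PID and looks each PID up in the quoted ps listing, so the process behind a burst of /etc/passwd alerts and its parent chain can be read off directly. The field layout is inferred only from the three sample lines in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input copied from the alert.log and ps excerpts quoted in the post above.
ALERT_LOG = """\
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%3%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 changed the permissions of "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 opened for modification/truncation "/etc/passwd" executing an unknown program as PID: 4247
SERVER%192.168.1.11%Thu Sep 16 15:05:37 2004%027%01%2%20040916070537%User ID:0 %02:FILESYSTEM %Filesystem change detected %User 0 renamed the file "/etc/passwd" executing an unknown program as PID: 4247
"""
PS_OUTPUT = """\
root 659 1 0 Aug 22 ? 0:00 /opt/ssh/sbin/sshd
root 4240 659 0 15:05:34 ? 0:00 sshd: user01 [priv]
user01 4247 4240 0 15:05:37 ? 0:00 sshd: user01@pts/1
user01 4251 4247 0 15:05:37 pts/1 0:00 -ksh
"""

# Assumed detail format: User <uid> <action> "<path>" executing ... as PID: <pid>
DETAIL_RE = re.compile(r'User (\d+) (.+?) "([^"]+)" executing .* as PID: (\d+)')
PS_RE = re.compile(r'^\s*(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+'
                   r'(?:[A-Z][a-z]{2}\s+\d+|\d+:\d+:\d+)\s+\S+\s+\d+:\d+\s+(.*)$')

def parse_alerts(text):
    """Return (uid, action, path, pid) from the last %-separated field of each line."""
    hits = (DETAIL_RE.search(l.split('%', 10)[-1]) for l in text.splitlines())
    return [(int(m[1]), m[2], m[3], int(m[4])) for m in hits if m]

def parse_ps(text):
    """Map PID -> (owner, PPID, command); STIME may be 'Mon DD' or HH:MM:SS."""
    rows = (PS_RE.match(l) for l in text.splitlines())
    return {int(m[2]): (m[1], int(m[3]), m[4]) for m in rows if m}

def triage(alert_text, ps_text):
    """Group alerts by PID and attach the owning process and its ancestry."""
    procs, groups = parse_ps(ps_text), defaultdict(list)
    for uid, action, path, pid in parse_alerts(alert_text):
        groups[pid].append((uid, action, path))
    report = {}
    for pid, events in groups.items():
        chain, cur = [], pid
        while cur in procs and cur not in chain:  # stop at unknown parent or loop
            chain.append(cur)
            cur = procs[cur][1]
        owner, _, cmd = procs.get(pid, ("?", 0, "not in ps listing"))
        report[pid] = {"alert_uids": sorted({e[0] for e in events}),
                       "paths": sorted({e[2] for e in events}), "ancestry": chain,
                       "actions": [e[1] for e in events], "ps_owner": owner, "command": cmd}
    return report
```

Calling `triage(ALERT_LOG, PS_OUTPUT)` on the quoted data returns a single entry for PID 4247, with the UID the alerts report alongside the owner and command that ps lists for that PID.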
09-15-2004 07:29 PM
Re: IDS/9000 alerts on /etc/passwd
It is perfectly normal if you enabled the "Modification of files/directories" template in IDS. So, when the user account is modified, /etc/passwd will get changed, thereby resulting in a filesystem change.
You can modify the template to ignore files and directories such as /etc/passwd, /etc/group, /var, /tmp etc., so that you won't get these messages.
-Sri
09-15-2004 07:45 PM
Re: IDS/9000 alerts on /etc/passwd
However, I don't understand why the ssh login a few hours after the "useradd" & "userdel" actions would also trigger this kind of alert.
Besides, the problem disappears if I restart the IDS/9000.
Thanks
Herrick