HPE Community
Operating System - HP-UX
1753481 Members
4062 Online
108794 Solutions
New Discussion юеВ

Tracing hosts file entry modification

 
bharath_hanuma
Regular Advisor

тАО04-26-2010 02:39 AM

тАО04-26-2010 02:39 AM

Tracing hosts file entry modification

Hi All,

Two days back some of the entries in the host file got deleted. So I need to know how we can trace this so that we can find who has modified the file at that time.

Need your urgent help regarding the same.

Thanks and Regards
Bharath
0 Kudos
Reply
11 REPLIES 11
Dennis Handly
Acclaimed Contributor

тАО04-26-2010 02:44 AM

тАО04-26-2010 02:44 AM

Re: Tracing hosts file entry modification

The obvious answer is a sysadmin modified the file.
Without auditing, you really can't trace it.
I suppose you could look to see who login to root at that time or look at the shell history files or possibly anyone who did su or sudo.
0 Kudos
Reply
bharath_hanuma
Regular Advisor

тАО04-26-2010 02:49 AM

тАО04-26-2010 02:49 AM

Re: Tracing hosts file entry modification

Hi Dennis,

Is there any command for checking the same. Also let me know how can I enable audut.log and also how frequently it grows.

Thanks and Regards
Bharath
0 Kudos
Reply
R.O.
Esteemed Contributor

тАО04-26-2010 02:59 AM

тАО04-26-2010 02:59 AM

Re: Tracing hosts file entry modification

Yo can see the connection entries with "last" and see in syslog.log if any user did a "su - root". With these data you can guess who could do the change.
To enable auditing you have to convert to "trusted" your system. Yo can do it through SAM. If yo go to the audit zone in SAM it will ask you to convert the system.

Regards,
"When you look into an abyss, the abyss also looks into you"
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО04-26-2010 03:10 AM

тАО04-26-2010 03:10 AM

Re: Tracing hosts file entry modification

>Is there any command for checking the same.

Not after the fact, if you don't have auditing or have sudo.
You can only make some guesses based on the logs.

But it would be far easier just to ask the few sysadmins.
0 Kudos
Reply
bharath_hanuma
Regular Advisor

тАО04-27-2010 10:32 PM

тАО04-27-2010 10:32 PM

Re: Tracing hosts file entry modification

Hi RO/Dennis,

I have checked through SAM regarding adding it as the trusted system. I would like to know if I add as trusted system, is there any impact on network configuration or reachability to customer systems or there will configuration changes on systems side.

Kindly need your suggestions or help regarding the same.

Thanks and Regards
Bharath
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО04-28-2010 12:06 AM

тАО04-28-2010 12:06 AM

Re: Tracing hosts file entry modification

>I have checked through SAM regarding adding it as the trusted system. I would like to know if I add as trusted system, is there any impact on network configuration or reachability to customer systems or there will configuration changes on systems side.

There shouldn't be.
You may have users that think they have passwords longer than 8 chars that won't work.

You still need to turn on auditing and that will require careful monitoring of the massive amount of space used.
0 Kudos
Reply
R.O.
Esteemed Contributor

тАО04-28-2010 12:17 AM

тАО04-28-2010 12:17 AM

Re: Tracing hosts file entry modification

Hi,

Just in case, do not log off root after converting the system. If you have any problem loging into the system as root, you can fix it or even unconvert the system because you are still logged. So, after the conversion, try to log in the system with a new session.
Be sure that you have these lines right defined in your "/etc/nsswitch.conf":

passwd: files
group: files

instead of:

passwd: compat
group: compat

I have recently converted a system and I couldn't login as root because I had these to lines as "compat".

Regards,
"When you look into an abyss, the abyss also looks into you"
0 Kudos
Reply
irshad ali
Frequent Advisor

тАО04-28-2010 02:31 AM

тАО04-28-2010 02:31 AM

Re: Tracing hosts file entry modification

hi bharat,

If /etc/nsswitch.conf file not persent, create it by copying from /etc/nsswitch.compat: then make changes
0 Kudos
Reply
bharath_hanuma
Regular Advisor

тАО04-28-2010 02:42 AM

тАО04-28-2010 02:42 AM

Re: Tracing hosts file entry modification

Hi,

I have below contents under nsswitch.compat

# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#

passwd: compat
group: compat
hosts: nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
netgroup: nis [NOTFOUND=return] files
automount: files nis
aliases: files nis
services: nis [NOTFOUND=return] files

Kindly let me know what needs to be done in this file.

Regards
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.