HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Tracing hosts file entry modification

 
bharath_hanuma
Regular Advisor

Tracing hosts file entry modification

Hi All,

Two days back some of the entries in the host file got deleted. So I need to know how we can trace this so that we can find who has modified the file at that time.

Need your urgent help regarding the same.

Thanks and Regards
Bharath
11 REPLIES

Re: Tracing hosts file entry modification

The obvious answer is a sysadmin modified the file.
Without auditing, you really can't trace it.
I suppose you could look to see who login to root at that time or look at the shell history files or possibly anyone who did su or sudo.
bharath_hanuma
Regular Advisor

Re: Tracing hosts file entry modification

Hi Dennis,

Is there any command for checking the same. Also let me know how can I enable audut.log and also how frequently it grows.

Thanks and Regards
Bharath
R.O.
Esteemed Contributor

Re: Tracing hosts file entry modification

Yo can see the connection entries with "last" and see in syslog.log if any user did a "su - root". With these data you can guess who could do the change.
To enable auditing you have to convert to "trusted" your system. Yo can do it through SAM. If yo go to the audit zone in SAM it will ask you to convert the system.

Regards,
"When you look into an abyss, the abyss also looks into you"

Re: Tracing hosts file entry modification

>Is there any command for checking the same.

Not after the fact, if you don't have auditing or have sudo.
You can only make some guesses based on the logs.

But it would be far easier just to ask the few sysadmins.
bharath_hanuma
Regular Advisor

Re: Tracing hosts file entry modification

Hi RO/Dennis,

I have checked through SAM regarding adding it as the trusted system. I would like to know if I add as trusted system, is there any impact on network configuration or reachability to customer systems or there will configuration changes on systems side.

Kindly need your suggestions or help regarding the same.

Thanks and Regards
Bharath

Re: Tracing hosts file entry modification

>I have checked through SAM regarding adding it as the trusted system. I would like to know if I add as trusted system, is there any impact on network configuration or reachability to customer systems or there will configuration changes on systems side.

There shouldn't be.
You may have users that think they have passwords longer than 8 chars that won't work.

You still need to turn on auditing and that will require careful monitoring of the massive amount of space used.
R.O.
Esteemed Contributor

Re: Tracing hosts file entry modification

Hi,

Just in case, do not log off root after converting the system. If you have any problem loging into the system as root, you can fix it or even unconvert the system because you are still logged. So, after the conversion, try to log in the system with a new session.
Be sure that you have these lines right defined in your "/etc/nsswitch.conf":

passwd: files
group: files

instead of:

passwd: compat
group: compat

I have recently converted a system and I couldn't login as root because I had these to lines as "compat".

Regards,
"When you look into an abyss, the abyss also looks into you"
irshad ali
Frequent Advisor

Re: Tracing hosts file entry modification

hi bharat,

If /etc/nsswitch.conf file not persent, create it by copying from /etc/nsswitch.compat: then make changes
bharath_hanuma
Regular Advisor

Re: Tracing hosts file entry modification

Hi,

I have below contents under nsswitch.compat

# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#

passwd: compat
group: compat
hosts: nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
netgroup: nis [NOTFOUND=return] files
automount: files nis
aliases: files nis
services: nis [NOTFOUND=return] files

Kindly let me know what needs to be done in this file.

Regards
R.O.
Esteemed Contributor

Re: Tracing hosts file entry modification

Hi,

As said, create the file "nsswitch.conf" from "nsswitch.compat":

cd /etc
cp -p nsswitch.compat nsswitch.conf

Now, replace the lines for passwd and group for the correct ones (with files instead of compat) in file nsswitch.conf.

Regards,
"When you look into an abyss, the abyss also looks into you"
R.O.
Esteemed Contributor

Re: Tracing hosts file entry modification

Hi,

Also replace in your newly created nsswitch.conf:

hosts: nis [NOTFOUND=return] files

for something like:

hosts: files [NOTFOUND=continue] dns

If you only use "/etc/hosts" for name resolution, put:

hosts: files

You have to configure this entry depending on how are you doing name resolution.

Regards,


"When you look into an abyss, the abyss also looks into you"