
/etc/group modified

 
Rafael Mendonça Braga
Regular Advisor

/etc/group modified

Hello experts!!!

I'm running HP-UX 11i.

I would like to know if there is a way to be alerted every time a file is modified...
For example:

When /etc/group is modified, an e-mail is sent to me telling me this.

Do you know how I can do it?

Thanks a lot!!!

Rafael M. Braga
7 REPLIES
Bill Hassell
Honored Contributor

Re: /etc/group modified

Not possible without some script watching the timestamp and generating an email whenever the modification time changes. For /etc/group, it's easy to know who did it: only root can modify the /etc/group file, so change the root password and don't give it to anybody. Install sudo (so other root users will no longer use su) and now every command issued by a non-root user will be logged.


Bill Hassell, sysadmin
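A worked version of the polling approach Bill describes, added here as an example and not part of any reply in this thread. It is written for cron rather than as a never-ending background loop, so it has to remember what it saw last time: it stores the cksum(1) checksum and size of the file between runs, keeps a copy of the last known-good file so the alert can carry the diff, and mails plus syslogs on change. Everything used (POSIX sh, cksum, diff, logger, mailx) exists on HP-UX 11i; the script path /usr/local/bin/grpmon.sh, the state directory /var/adm/grpmon and the recipient address are assumptions.

```shell
#!/bin/sh
# Added example (not from any reply in this thread): a cron-driven change
# detector for /etc/group that keeps its state between runs instead of
# looping forever in the background.
#
# Assumptions, all hypothetical: the script lives at /usr/local/bin/grpmon.sh,
# state is kept under /var/adm/grpmon (root-only), and the recipient address
# is passed on the command line. Only POSIX sh, cksum(1), diff(1), logger(1)
# and mailx(1) are used, all present on HP-UX 11i; no stat(1) or inotify.

# fingerprint FILE: print "crc size" from cksum(1). Content, not mtime, is
# compared, so touch(1) or a cp that preserves times can neither fake nor
# hide a change, and minute-granular ls -l timestamps are not an issue.
fingerprint() {
    cksum "$1" | awk '{ print $1, $2 }'
}

# check_file FILE STATEFILE: compare the current fingerprint with the one
# recorded by the previous run, record the new one, and print exactly one of
# "initialized", "unchanged", "changed" or "unreadable". Always exits 0 so a
# caller running under set -e is not aborted by a "changed" result.
check_file() {
    file=$1
    state=$2
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 0
    fi
    now=$(fingerprint "$file")
    if [ ! -f "$state" ]; then
        printf '%s\n' "$now" > "$state"
        echo "initialized"
        return 0
    fi
    prev=$(cat "$state")
    if [ "$now" = "$prev" ]; then
        echo "unchanged"
    else
        printf '%s\n' "$now" > "$state"
        echo "changed"
    fi
}

# notify RECIPIENT SUBJECT BODY: record the event in syslog when logger(1)
# is available, and mail it as well when mailx(1) is available.
notify() {
    if command -v logger >/dev/null 2>&1; then
        logger -t grpmon -p auth.warning "$2"
    fi
    if command -v mailx >/dev/null 2>&1; then
        printf '%s\n' "$3" | mailx -s "$2" "$1"
    fi
}

# run_check FILE RECIPIENT [STATEDIR]: one run, meant to be started from cron.
# Besides the fingerprint it keeps a copy of the last known-good file so the
# alert carries the actual diff, not just "something changed".
run_check() {
    file=$1
    rcpt=$2
    statedir=${3:-/var/adm/grpmon}          # assumed location, root-only
    mkdir -p "$statedir" && chmod 700 "$statedir"
    name=$(basename "$file")
    state="$statedir/$name.cksum"
    copy="$statedir/$name.copy"
    result=$(check_file "$file" "$state")
    case $result in
        initialized)
            cp "$file" "$copy" ;;
        changed)
            body="$file changed on $(hostname) at $(date)
$(diff "$copy" "$file" 2>&1)"
            notify "$rcpt" "ALERT: $file modified on $(hostname)" "$body"
            cp "$file" "$copy" ;;
    esac
    echo "$result"
}

# Run only when invoked with arguments, e.g. from root's crontab once a minute:
#   * * * * * /usr/local/bin/grpmon.sh /etc/group rafael@your_domain.com
if [ $# -ge 2 ]; then
    run_check "$@"
fi
```

The first run only records the baseline and sends nothing; every later run that finds a different checksum mails one alert with the diff and then re-baselines, so a change produces exactly one message however often cron runs the script. Because the comparison is on content, a plain touch of /etc/group does not raise an alert, and an edit that keeps the size but changes the contents still does.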
Robert-Jan Goossens
Honored Contributor

Re: /etc/group modified

Hi,

tripwire could do this for you. I don't know if the default auditing tool inside HPUX will go that far.

# man -k audit

http://www.utexas.edu/its/sds/products/tripwire.html

Hope this helps,
Robert-Jan
Zigor Buruaga
Esteemed Contributor

Re: /etc/group modified

Hi,

I use HIDS ( free Host Intrusion Detection System from HP ) for such things.
You can write your own simple script, put it in the response directory, to be executed any time the event is raised, so you can e.g. send a mail to your mailbox, etc. I'm using HIDS 2.2 (I think version 3.0 was already developed); I receive an email whenever somebody changes something under /etc/rc.config.d, the passwd or group file, etc., or whenever somebody enters a wrong passwd 3 times, unsuccessful su's, etc., etc., ok ... I love this tool ;-)

Only an idea ...
Regards,
Zigor
Zigor Buruaga
Esteemed Contributor

Re: /etc/group modified

Just visited software.hp.com, looks like version 3.1 already exists (the IT world is too fast for me).
One of the threats that it can detect, as mentioned before:

files

Modification of critical system files and directories
Creation of world writable files
Creation and modification of privileged "setuid" files
File additions and deletions

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

Regards,
Zigor
Raj D.
Honored Contributor

Re: /etc/group modified

Hi Rafael ,

Here is a sample script that will monitor the /etc/group file for any modification, and if it is modified it will send an email to you. It can be run through cron.



#!/usr/bin/sh
#########################################
# Script for checking modification for group file: /etc/group
# File Name: grpck.sh Ver:1.0 # Raj.D
#########################################
# Compares the "Mon DD HH:MM" part of ls -l against the current minute:
# when they match, /etc/group was modified during the current minute.
# Relies on the default output formats of ls -l and date.

i=0
while true
do

ORG_TM_STMP="`ls -l /etc/group | awk '{print $6$7$8}'`"          # e.g. Jan1510:30
TODAYS_TM_STMP="`date | awk '{print $2$3 substr($4,1,5)}'`"      # e.g. Jan1510:30

if [ "$ORG_TM_STMP" = "$TODAYS_TM_STMP" ]
then
    # modified this minute; count how many polls have seen it
    i="`expr $i + 1`"
else
    : # no modification in the current minute
fi

# i is 1 only on the first poll that sees the change, so one alert is sent
if [ "$i" = "1" ]
then
    # uncomment and fill in the address to mail the alert
    #echo " File /etc/group modified at `date` " | mailx -s "Alert! /etc/group" rafael@your_domain.com

    echo " Group file /etc/group modified at `date` " > /dev/console
    echo " Email sent to: Rafael Mendonça Braga . "
fi

# reset once the timestamp no longer matches the current minute
if [ "$ORG_TM_STMP" != "$TODAYS_TM_STMP" ]
then
    i=0
fi

# poll once a minute; without this the loop spins at 100% CPU.
# A 60-second sleep plus command time can drift past a minute boundary,
# so shorten the sleep if a missed minute matters.
sleep 60

done
#########################################


It will check every minute for any modification, and if one happens it sends one email for each modification.



Enjoy,
Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Q4you
Regular Advisor

Re: /etc/group modified

If you have HP ITO OpenView (most likely you do), have your monitoring staff modify the OpenView client template with your email need and push it to the server. That will do it.

-Q
VEL_1
Valued Contributor

Re: /etc/group modified

Hi,

Use the following script in crontab, or create a startup script with the following contents:

#!/sbin/sh
# Poll /etc/group once a minute and alert when both the mtime and the
# checksum/size have changed (a bare touch(1) changes only the mtime
# and is therefore ignored).

current_time_modification=`ls -l /etc/group | awk '{ print $6 $7 $8 }'`
cksum_size=`cksum /etc/group | awk '{ print $1 " " $2 }'`

i=1


while [ $i -eq 1 ]
do
    new_time_modification=`ls -l /etc/group | awk '{ print $6 $7 $8 }'`
    new_cksum_size=`cksum /etc/group | awk '{ print $1 " " $2 }'`

    # Each side of != must be its own quoted word; a single quoted string
    # "$a != $b" is non-empty and the test would always be true.
    if [ "$current_time_modification" != "$new_time_modification" ] && [ "$cksum_size" != "$new_cksum_size" ]
    then
        echo "/etc/group file has been modified"

        # send message to /var/adm/syslog/syslog.log (facility.level, tagged)
        /usr/bin/logger -t grpmon -p user.warning "Alert: /etc/group file modified"

        # If mail works, uncomment the following & replace test@test.com
        #echo "/etc/group file has been modified" | mailx -s "Alert: /etc/group file modified" test@test.com

        current_time_modification=$new_time_modification
        cksum_size=$new_cksum_size
    fi

    # without this the loop spins at 100% CPU re-running ls and cksum
    sleep 60
done