Operating System - HP-UX

Strange message from whoami - Intruder Alert

 
SOLVED
Al Miller
Occasional Contributor

Strange message from whoami - Intruder Alert

Can someone explain to me under what conditions the whoami command will return Intruder Alert? I am seeing this returned to my logs in some batch processes I am running.
7 REPLIES
Patrick Wallek
Honored Contributor

Re: Strange message from whoami - Intruder Alert

If I remember correctly, this happens when the /etc/passwd file is not world readable.

/etc/passwd should be, at a minimum, 444 permissions.
Kelli Ward
Trusted Contributor

Re: Strange message from whoami - Intruder Alert

Hi,
I believe you will see this message if a user attempts to log in but either is not listed in /etc/passwd or /etc/passwd is not world readable.
Hope this helps,
Kel
The more I learn, the more I realize how much more I have to learn. Isn't it GREAT!
Patrick Wallek
Honored Contributor
Solution

Re: Strange message from whoami - Intruder Alert

If you need more information, check out TKB document W3449877.

To summarize, /etc/passwd should be at 444 permissions with root:sys as owner and group, and the /etc directory should be at 666 permissions with bin:bin as owner and group.
S.K. Chan
Honored Contributor

Re: Strange message from whoami - Intruder Alert

I can think of 3 conditions ..
1- password file is corrupted
2- password file permission is set to 400
3- wrong NIS domainname
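
Added example, not part of any reply in this thread: a POSIX sh check for the /etc/passwd conditions named in the replies above (file not world readable, UID with no entry, malformed lines). The function name check_passwd and its output labels are made up for this sketch, and it does not cover the NIS domain case.

```shell
#!/bin/sh
# Added example (not from the thread): check_passwd FILE UID prints one line
# per finding and returns the number of findings (0 = nothing found).
check_passwd() {
    file=$1
    uid=$2
    findings=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file is not a regular file"
        return 1
    fi

    # First field of ls -ld is the mode string, e.g. -r--r--r--.
    # Character 8 is the read bit for "other" (world readable).
    perms=$(ls -ld "$file" | awk '{print $1}')
    if [ "$(printf '%s' "$perms" | cut -c8)" != "r" ]; then
        echo "PERMS: $file is $perms, not world readable"
        findings=$((findings + 1))
    fi

    # A well-formed entry has 7 colon-separated fields. Blank lines and
    # NIS "+"/"-" entries are skipped rather than counted as corruption.
    bad=$(awk -F: '/^[+-]/ || /^$/ {next} NF != 7 {n++} END {print n + 0}' "$file")
    if [ "${bad:-0}" -gt 0 ]; then
        echo "FORMAT: $bad malformed line(s) in $file"
        findings=$((findings + 1))
    fi

    # whoami has to map the numeric UID back to a name (field 3 -> field 1).
    if ! awk -F: -v u="$uid" '$3 == u {found = 1} END {exit !found}' "$file"; then
        echo "NOUSER: UID $uid has no entry in $file"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Check the local file for the invoking user.
check_passwd /etc/passwd "$(id -u)" || echo "findings: $?"
```

Running it from the same batch account that logs the message shows which of the conditions, if any, applies to that account.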
Martin Johnson
Honored Contributor

Re: Strange message from whoami - Intruder Alert

This happened to me last week. The /var file system filled up. This resulted in the ServiceGuard software terminating and all sorts of weird things happening, including the "Intruder Alert" from whoami. I cleared out some core files from /var.

I was logged in to my pseudo-root account. I tried to run shutdown. It said I wasn't authorized. I "su-ed" to root. shutdown wouldn't run because it couldn't determine my username. I used "reboot" instead. Everything came up fine after the reboot. whoami worked fine after the reboot.

Weird!
Marty
Bill Hassell
Honored Contributor

Re: Strange message from whoami - Intruder Alert

As you have seen, /var is a critical filesystem and must have lots of empty space available. You can start by eliminating core files completely with the statement:

ulimit -Sc 0

in /etc/profile. This assumes that all your user logins are using /usr/bin/sh as their shell (and root must use /sbin/sh).

Then find out where the big stuff is located--not big files, but big directories! Use du as in:

du -kx /var | sort -rn > /tmp/du.var

Look at the top of the du.var file for hints. In a ServiceGuard environment, you don't want much of anything in /var/mail or /var/spool. /var/adm will be large for 2 reasons: /var/adm logfiles, and /var/adm/sw for installs and patches. /var/adm/sw is a good candidate for its own lvol.

And also /var/adm/crash, which should be empty if you keep up on patches; otherwise, create an lvol for the crash directory. Use symlinks to avoid having to change config files.


Bill Hassell, sysadmin
Martin Johnson
Honored Contributor

Re: Strange message from whoami - Intruder Alert

Thanks Bill!

I usually put /var/adm/sw and /var/adm/crash in their own lvols. On this particular system, it wasn't done as this system was set up by consultants. I'll have to add it to my "todo" list.

Marty