I agree with you that he needs to have more in place to control this, but
having an alert when changes are made is a nice event notification to kick
off any necessary audit/control procedures. I can definitely see the
advantages of having such an event notification in place.
• Harold Ballinger
IT Coordinator
Heritage Healthcare, Inc.
(XXX) XXX-XXXX | helpdesk
(XXX) XXX-XXXX | office
(XXX) XXX-XXXX | fax
Visit our website: www.heritage-healthcare.com
-----Original Message-----
From: Buchan Milne [mailto:user-9b139aff4dec@xymon.invalid]
Sent: Saturday, July 18, 2009 4:54 PM
To: user-ae9b8668bcde@xymon.invalid
Cc: Gavin Leonard
Subject: Re: [hobbit] monitoring etc passwd
On Tuesday 07 July 2009 23:19:58 Gavin Leonard wrote:
Hi All,
I am having a problem where users and groups are being
created without the knowledge of the admin team and its making it
difficult
to know who had access to what systems if they leave the company... is
there a way for hobbit to tell me when the /etc/passwd or /etc/group
files
change? Thanks in Advance..
IMHO, this is not a problem to solve by monitoring, it is a problem to be
solved by:
-authorization for actions/commands (e.g. sudo access to specific
commands,
instead of root shell access)
-accounting/auditing (e.g., in case root shell access is required, the
commands/screen output should be recorded against the user who started
the
root shell session)
-security auditing
Centralised authentication (which implies that the only local accounts
required are for "system" use, not for users) can also help reduce the
amount
of work in picking up and fixing incorrect user/group changes.
If monitoring when changes were made to local files forms one part of
your
process, fine, you can use the 'FILE' monitoring feature with the mtime
check.
However, I would really hope this is not the only thing you are putting
in
place to solve this problem.
Regards,
Buchan