See who changed etc/passwd file

  • Dolyak
    Junior Member
    • Jan 2014
    • 8

    #1

    Hello, I am still pretty new to Zabbix but I have a question for you guys.

    I need to have my Zabbix server email alert contain the user that changed the etc/passwd file when it runs. Right now I have the stock:

    Code:
    /etc/passwd has been changed on {HOST.NAME}
    {Template OS Linux:vfs.file.cksum[/etc/passwd].diff(0)}>0

    and this works great!!! But I would like for it to have the ability to tell me in the email WHO made the change. I don't want to spend my time fixing a problem that was made by my approved coworker.

    Thank you in advance. I didn't see any threads talking about this; I am sorry if I missed the information.
  • jan.garaj
    Senior Member
    Zabbix Certified Specialist
    • Jan 2010
    • 506

    #2
    Question, which is not related to Zabbix:
    How can you identify the last editor of /etc/passwd?
    If you have a good answer for this question, then you can use the user parameter feature, which will check the last editor and send it to the Zabbix server.

    IMHO this question is not a piece of cake, because usually you need root write permission for editing /etc/passwd, so every edit will be made by root.
    Devops Monitoring Expert advice: Dockerize/automate/monitor all the things.
    My DevOps stack: Docker / Kubernetes / Mesos / ECS / Terraform / Elasticsearch / Zabbix / Grafana / Puppet / Ansible / Vagrant


    • steveboyson
      Senior Member
      • Jul 2013
      • 582

      #3
      So, get the timestamp from the fired trigger and grep your { /var/log/messages | /var/log/authlog | /var/log/syslog | $WHATEVER } from now back in time to that timestamp to check who changed the passwd file.

      You could even parse lastlog's output.

      Code:
      LASTLOG(8)                                   System Management Commands                                   LASTLOG(8)
      
      NAME
             lastlog - reports the most recent login of all users or of a given user


      • jan.garaj
        Senior Member
        Zabbix Certified Specialist
        • Jan 2010
        • 506

        #4
        Yes, I thought about the lastlog concept too, but there will be a problem if:
        - more than one user is logged in during the edit time
        - the edit was made by a non-logged-in user (e.g. someone hacked your web server, so the user apache/httpd with escalated permissions was used for editing)

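The approach from #2 and #3 (a user parameter script that looks back from the change time through the auth log), as an added example that is not code from this thread or from Zabbix. It takes the file's mtime as the change time, parses constructed syslog-style sshd/sudo lines (the sample log and host name `web1` are made up), and reports every candidate rather than a single "editor", because of the caveats from #4: several users may be logged in at once, and a change made by a daemon or an exploited service account leaves no login session at all.

```python
#!/usr/bin/env python3
"""Heuristic 'who touched this file' lookup, usable from a Zabbix UserParameter.

Added example for this thread, not Zabbix code. It assumes syslog-style
auth log lines as written by sshd and sudo (the format of the constructed
sample below) and takes the file's mtime as the change time.
"""
import os
import re
import sys
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real host); the change under
# investigation happens at 10:03:50 in the usage below.
SAMPLE_AUTH_LOG = """\
Jan 14 09:58:03 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 14 09:58:03 web1 sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 14 10:01:10 web1 sshd[2290]: Accepted password for bob from 10.0.0.9 port 40011 ssh2
Jan 14 10:01:10 web1 sshd[2290]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan 14 10:03:44 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd deploy
Jan 14 10:04:02 web1 sshd[2290]: pam_unix(sshd:session): session closed for user bob
Jan 14 10:30:00 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/vi /etc/passwd
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Interactive logins only (sshd/login); sudo's own pam session lines are not counted here.
OPEN_RE = re.compile(r"pam_unix\((?:sshd|login):session\): session opened for user (?P<user>\S+)")
CLOSE_RE = re.compile(r"pam_unix\((?:sshd|login):session\): session closed for user (?P<user>\S+)")


def parse_syslog_time(line, year):
    """Datetime of a classic syslog line ('Mon DD HH:MM:SS host ...'); syslog omits the year."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def change_time_of(path):
    """Use the file's mtime as the moment of the change the trigger fired on."""
    return datetime.fromtimestamp(os.stat(path).st_mtime)


def candidate_editors(log_text, change_time, window_seconds=600, year=None):
    """Return sudo commands run in the window before change_time and users
    whose login session was still open at change_time.

    Every user listed is a candidate, not a proven editor: several people may
    be logged in at once, and a change made by a daemon or an exploited
    service account leaves no login at all.
    """
    year = year or change_time.year
    start = change_time - timedelta(seconds=window_seconds)
    sudo_hits = []
    open_sessions = {}  # user -> time the session was opened
    for line in log_text.splitlines():
        try:
            ts = parse_syslog_time(line, year)
        except ValueError:
            continue  # not a syslog-timestamped line
        if ts > change_time:
            continue  # after the change: irrelevant to who made it
        m = SUDO_RE.search(line)
        if m:
            if ts >= start:
                sudo_hits.append((m["user"], m["target"], m["cmd"].strip()))
            continue
        m = OPEN_RE.search(line)
        if m:
            open_sessions[m["user"]] = ts
            continue
        m = CLOSE_RE.search(line)
        if m:
            open_sessions.pop(m["user"], None)
    return {"sudo": sudo_hits, "logged_in": sorted(open_sessions)}


def format_report(result):
    """One line suitable as the value of a Zabbix text item."""
    parts = []
    if result["sudo"]:
        parts.append("sudo: " + "; ".join(f"{u}->{t} {c}" for u, t, c in result["sudo"]))
    if result["logged_in"]:
        parts.append("logged_in: " + ",".join(result["logged_in"]))
    return " | ".join(parts) if parts else "no candidates in window"


if __name__ == "__main__":
    # Usage: passwd_editor.py /etc/passwd /var/log/auth.log [window_seconds]
    path, log_path = sys.argv[1], sys.argv[2]
    window = int(sys.argv[3]) if len(sys.argv) > 3 else 600
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        print(format_report(candidate_editors(fh.read(), change_time_of(path), window)))
```

Wired up as a user parameter (an assumed line, e.g. `UserParameter=passwd.editor,/usr/local/bin/passwd_editor.py /etc/passwd /var/log/auth.log`), the item's value can be put into the alert with the usual item-value macro. On the sample above a change at 10:03:50 reports alice's sudo `useradd` plus alice and bob as logged in, and the carol entry is ignored because it is later than the change. The agent user needs read access to the auth log, and because the output names only who could have made the change, not who did, an audit trail (auditd or similar) is the real answer for an environment where that distinction matters.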

        • steveboyson
          Senior Member
          • Jul 2013
          • 582

          #5
          For sure. Even writes to a world-writeable and NFS-exported /etc directory will not be detected ...


          • Dolyak
            Junior Member
            • Jan 2014
            • 8

            #6
            @ jan.garaj -- Your solution sounds like a great way to do this. I will have to have this run a few commands to see who made the changes, but I think this can be done.

            @ steveboyson -- I don't have lastlog on my OS flavor but I'll get it added and will play with that. I didn't know this command existed!!!

            Will post again when I get stuck or have a working solution

            Thank you


            • mahsa
              Junior Member
              • Feb 2016
              • 4

              #7
              etc/passwd has been changed on zabbix server

              This statement has been shown for me recently. It has nothing to do with a change in the Zabbix server's passwd file. It was shown for me because I had changed my firewall zone in the internet connection settings from default to trusted. I would recommend you check your internet connection settings carefully.
