This repository has been archived by the owner on Nov 8, 2021. It is now read-only.
When using a FIM (file integrity monitoring) tool like TrendMicro, which scans OS paths like /etc for file changes for security, every time import_users.sh runs, it will always update the groups the users are in, regardless of whether they are in the group already. This causes tons of FIM alerts to be generated, and /etc/groups, /etc/passwd and /etc/shadow are modified every time it runs.
I have a patch that I apply to my servers when I build them now. Here is the patch. It just rolls through the comma-delimited list of groups, and if it finds any group in the list in which the username doesn't exist, it then modifies the user to include the list of groups.
--- import_users.sh.ORIG 2020-10-27 19:33:59.517983177 0000
import_users.sh 2020-10-27 20:00:53.462444213 0000
@@ -192,7 192,13 @@
/bin/chown -R "${username}:${username}" "$(eval echo ~$username)"
log "Created new user ${username}"
fi
- /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
# TAW - 20201027 - only modify groups if we need to. Otherwise, FIM products will alert that
# we are constantly modifying /etc/groups.XXXXX and /etc/passwd.XXXXX files...
for g in $(echo ${localusergroups}|sed 's/,/ /g')
do
/bin/groups ${username} | grep $g >/dev/null 2>&1 || /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
done
# Should we add this user to sudo ?
if [[ ! -z "${SUDOERS_GROUPS}" ]]
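Review bot: the membership test on the `/bin/groups ${username} | grep $g` line is a substring match over the whole output of `groups`, so a wanted group `adm` counts as present when the user is only in `admin`, and on systems where `groups` prints the username before the list, any group name contained in the username matches too; in both cases the missing membership is silently skipped. Compare whole names instead, for example `id -nG "${username}" | tr ' ' '\n' | grep -qxF -- "$g"`, and quote `${username}` and `$g`. The loop also keeps going after the first miss, so `usermod -a -G "${localusergroups}"` can run once per missing group; add a `break` after the first call, or set a flag in the loop and call `usermod` once after it.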