Skip to content
This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

When using FIM monitoring on /etc there's a slew of updates always to groups and passwd and shadow #161

Open
timwelch opened this issue Oct 27, 2020 · 0 comments

Comments

@timwelch
Copy link

timwelch commented Oct 27, 2020

Metadata:

  • amazon linux2 and ubuntu 18/20
  • git clone from master
  • AWS CLI Version: 2

When using a FIM (file integrity monitoring) tool like TrendMicro, which scans OS paths like /etc for file changes for security, every time import_users.sh runs, it will always update the groups the users are in. Regardless of if they are in the group already. This causes tons of FIM alerts to be generated and /etc/groups, /etc/passwd and /etc/shadow are modified every time it runs.

I have a patch that I apply to my servers when I build them now. Here is the patch. It just rolls through the comma delimited list of groups and if it finds any group in the list that username doesn't exist, it then modifies the user include the list of groups.

--- import_users.sh.ORIG	2020-10-27 19:33:59.517983177  0000
    import_users.sh	2020-10-27 20:00:53.462444213  0000
@@ -192,7  192,13 @@
         /bin/chown -R "${username}:${username}" "$(eval echo ~$username)"
         log "Created new user ${username}"
     fi
-    /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
 
     # TAW - 20201027 - only modify groups if we need to. Otherwise, FIM products will alert that
     # we are constantly modifying /etc/groups.XXXXX and /etc/passwd.XXXXX files... 
     for g in $(echo ${localusergroups}|sed 's/,/ /g')
     do
        /bin/groups ${username} | grep $g >/dev/null 2>&1 || /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
     done
 
     # Should we add this user to sudo ?
     if [[ ! -z "${SUDOERS_GROUPS}" ]]

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

2 participants