LinuxQuestions.org
12-12-2007, 08:53 AM   #1
m2azer
Member
 
Registered: Sep 2004
Location: USA
Distribution: red hat, fedora & centos
Posts: 202

Rep: Reputation: 30
Checksum for /etc/passwd changed


Hello,

While checking my logs I found:

SECURITY ALERT: Checksum for /etc/passwd changed!

How would I know what changed in the passwd file?

Thanks
 
12-12-2007, 09:19 AM   #2
bhaslinux
Member
 
Registered: Oct 2003
Location: UnitedKingdom
Distribution: Debian Bullseye
Posts: 357

Rep: Reputation: 49
What is the version and name of Unix you are using?
The change to the /etc/passwd file is not possible unless done by root.
But there is a very good chance that the checksum changes if

1. Any user is added to the system
(this need not be one known to the sys-admin. Some applications like imap, ssh, mail,
etc., create their own login for privilege separation)
2. Any user's primary group changes
3. Anyone's GECOS field has changed
4. Anyone's shell has changed
 
12-12-2007, 09:27 AM   #3
m2azer
Member
 
Registered: Sep 2004
Location: USA
Distribution: red hat, fedora & centos
Posts: 202

Original Poster
Rep: Reputation: 30
Thanks for the reply - I understand that something has changed. My question - is there any way to find out what changed? What new user has been added or what user group has been modified? etc.

OS is RHEL4
 
12-12-2007, 10:58 AM   #4
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
ANY user can change the passwd file with chsh (and probably a list of other tools). Also, if you install some software it will generate password entries (MySQL and Apache come to mind, but there are MANY more). There isn't a way to know what changed by just looking at the password file (unless you have backup copies from before the change to compare), but if you see something weird (a non-root user at the top of the list, a non-root user with UID 0, users you don't know, etc.) then there is a problem. The log entry is your IDS telling you that something changed. If you changed something, double check the password file and create a new checksum for that file. If you didn't change anything, it doesn't mean someone broke in, it just means you need to check the file for anomalies. Think of it like your car alarm going off. Just because it goes off doesn't mean someone is trying to steal it, but it does mean you should check things out and reset the alarm when you are satisfied everything is OK.

HTH

Forrest
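
Added example (not part of any post in this thread): a field-level comparison of a saved passwd copy against the current file, reporting the kinds of change listed in post #2 and the anomalies named in post #4. The function names, the sample entries and the backup path mentioned in the comment are assumptions made for illustration.

```python
"""Compare two /etc/passwd snapshots field by field (added example)."""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Return {username: {field: value}}, keeping file order."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # comment, blank or malformed line: skipped in this sketch
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries

def diff_passwd(old_text, new_text):
    """List added users, removed users and changed fields."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    changes = [f"added user {n} (uid {new[n]['uid']})" for n in sorted(set(new) - set(old))]
    changes += [f"removed user {n}" for n in sorted(set(old) - set(new))]
    for name in sorted(set(old) & set(new)):
        for field in FIELDS[1:]:
            if old[name][field] != new[name][field]:
                changes.append(f"{name}: {field} changed from "
                               f"{old[name][field]!r} to {new[name][field]!r}")
    return changes

def anomalies(text):
    """Flag a non-root first entry and any non-root account with UID 0."""
    entries = list(parse_passwd(text).values())
    found = [f"{e['name']} has UID 0" for e in entries
             if e["uid"] == "0" and e["name"] != "root"]
    if entries and entries[0]["name"] != "root":
        found.insert(0, f"first entry is {entries[0]['name']}, not root")
    return found

# Constructed sample data, not taken from any real system.
OLD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
NEW = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/tcsh
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    # In practice, read a saved copy (hypothetical path /root/passwd.bak)
    # and the live /etc/passwd instead of the constants above.
    for line in diff_passwd(OLD, NEW) + anomalies(NEW):
        print(line)
```

This only works if a copy of the file from before the change exists; without one, only the `anomalies` check applies.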
 
  

