
FIM Cool Trick: Identify new, removed, or modified OS-level user accounts or groups

Problem: You need to know when users or groups are added or taken away on any of your systems.

FIM (File Integrity Monitoring) for Halo can identify if a file has been changed.


Create a FIM policy that monitors “passwd” and “group” in “/etc” for changes. Any change to these files indicates that a local user or group has been added, removed, or modified.

Note: this won’t work for accounts managed by a central authentication system such as LDAP, since those accounts are not written to these local files.

Step 1
Under “Policies” select “File Integrity Policies”. Select “Add a New File Integrity Policy” to create the policy.


Step 2
Add the files we wish to monitor: “/etc/passwd” and “/etc/group”. Make sure you mark “Enable Scan”, and check the box to be alerted. Once you save the new policy you will need to generate a new baseline. Select the server to baseline against and wait for the baseline to complete.


Step 3
Make sure alerting is configured so that Halo will send you an email once it detects that one or more of the files have changed. Policies->Alert Profiles->(add your email address here)


Now we’re done. Any time a user or group is added, changed, or deleted on the system, an alert will be generated and sent to you notifying you of the change.
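A FIM alert only tells you that the file hash changed; it is still up to you to work out which account changed. The script below is an added example (not part of this post or of Halo) that diffs a baseline copy of /etc/passwd against the current one and names the added, removed, and modified accounts, plus any account that newly has UID 0. The snapshots are constructed sample data; the same parser works for /etc/group, whose first field is also the name.

```python
"""Diff /etc/passwd or /etc/group snapshots to name the account behind a FIM alert."""
import hashlib
from typing import Dict, List, Tuple

def parse_colon_db(text: str) -> Dict[str, Tuple[str, ...]]:
    """Parse passwd/group-style text: name is field 0, the remaining fields are kept for comparison."""
    entries: Dict[str, Tuple[str, ...]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = tuple(line.split(":"))
        entries[fields[0]] = fields[1:]
    return entries

def diff_accounts(baseline: str, current: str) -> Dict[str, List[str]]:
    """Return which names were added, removed, or had any other field change."""
    old, new = parse_colon_db(baseline), parse_colon_db(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def newly_uid0(baseline: str, current: str) -> List[str]:
    """passwd only: accounts whose UID (third field) is now 0 but was not 0 in the baseline."""
    old, new = parse_colon_db(baseline), parse_colon_db(current)
    return sorted(n for n, f in new.items() if f[1] == "0" and old.get(n, ("", ""))[1] != "0")

def file_digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()  # the kind of hash a FIM scan compares to its baseline

# Constructed sample snapshots; not data from any real system.
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
PASSWD_CURRENT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
bob:x:0:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002::/var/backups:/bin/bash
"""

if __name__ == "__main__":
    if file_digest(PASSWD_BASELINE) != file_digest(PASSWD_CURRENT):  # the FIM "file changed" signal
        for kind, names in diff_accounts(PASSWD_BASELINE, PASSWD_CURRENT).items():
            print(f"{kind}: {', '.join(names) or '-'}")
        print("now UID 0:", newly_uid0(PASSWD_BASELINE, PASSWD_CURRENT))
```

In practice, keep the baseline copy somewhere the monitored host cannot rewrite it, and treat a non-root account gaining UID 0 as the highest-priority finding.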
