
FIM Cool Trick: Identify new, removed, or modified OS-level user accounts or groups

Problem: You need to know when local user accounts or groups are added to, removed from, or changed on any of your systems.

FIM (File Integrity Monitoring) for Halo can identify if a file has been changed.


Create a FIM policy that monitors “/etc/passwd” and “/etc/group” for changes. On a system that uses local accounts, every add, remove, or modification of a user or group is written to one of these two files, so a change to either file is a reliable indication that an account or group changed. Keep in mind that the files also change for edits short of adding or removing an account: “/etc/passwd” is rewritten when a user’s shell, home directory, or GECOS field changes (for example via chsh or chfn), and “/etc/group” changes whenever group membership changes. Password changes do not touch these files; if you also want to alert on those, add “/etc/shadow” and “/etc/gshadow” to the same policy.

Note: this only covers accounts held in the local files. On a system that authenticates against a central directory such as LDAP or Active Directory (via SSSD, for example), directory-managed users and groups never appear in “/etc/passwd” or “/etc/group”, so changes to them will not be detected; only the remaining local accounts will be.

Step 1
Under “Policies” select “File Integrity Policies”. Select “Add a New File Integrity Policy” to create the policy.


Step 2
Add the files we wish to monitor: “/etc/passwd” and “/etc/group”. Make sure you mark “Enable Scan” and check the box to be alerted. Once you save the new policy you will need to generate a baseline: select the server to baseline against and wait for the baseline to complete. The baseline is the known-good copy every later scan is compared against, so generate it from a system whose account list you have verified.


Step 3
Make sure alerting is configured so that Halo sends you an email once it detects that one or more of the files has changed: Policies -> Alert Profiles -> (add your email address here).


Now we’re done. Any time a user or group is added, changed, or deleted on the system, an alert will be generated and sent to you notifying you of the change. Because the alert only tells you that the file changed, the first response step is to compare the current file against the baselined copy to see which entries were added, removed, or altered. After a planned change (a new administrator account, for example) regenerate the baseline so that the approved state becomes the new reference point.
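The steps above produce an alert that says only “the file changed”. The following added example (written for this page, not code from Halo or CloudPassage) shows the two layers behind that alert: a whole-file fingerprint that decides whether anything changed at all, and a field-level diff of the parsed passwd and group entries that tells the responder which users or groups were added, removed, or modified. The passwd and group snapshots are constructed sample data, not real system files; the function names are this example’s own.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample snapshots standing in for /etc/passwd and /etc/group
# at baseline time and at scan time (illustrative data, not a real system).
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

PASSWD_CURRENT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
mallory:x:1002:1002:Mallory:/home/mallory:/bin/bash
"""

GROUP_BASELINE = """root:x:0:
sudo:x:27:alice
users:x:100:alice,bob
"""

GROUP_CURRENT = """root:x:0:
sudo:x:27:alice,mallory
users:x:100:alice,bob
"""

# Field names after the leading entry name, per passwd(5) and group(5).
PASSWD_FIELDS = ("password", "uid", "gid", "gecos", "home", "shell")
GROUP_FIELDS = ("password", "gid", "members")


def fingerprint(content: str) -> str:
    """SHA-256 of the file content: the whole-file comparison a FIM baseline performs."""
    return hashlib.sha256(content.encode()).hexdigest()


def parse_colon_file(content: str, fields: Tuple[str, ...]) -> Dict[str, Dict[str, str]]:
    """Parse 'name:field:field...' lines into {name: {field: value}}.
    Blank and comment lines are skipped; a line with the wrong field count raises,
    so a malformed (possibly tampered) line is never silently ignored."""
    entries: Dict[str, Dict[str, str]] = {}
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields) + 1:
            raise ValueError(f"line {lineno}: expected {len(fields) + 1} fields, got {len(parts)}")
        entries[parts[0]] = dict(zip(fields, parts[1:]))
    return entries


def diff_entries(baseline: Dict[str, Dict[str, str]], current: Dict[str, Dict[str, str]]) -> dict:
    """Compare two parsed snapshots: names added, names removed, and for names present
    in both, every field whose value differs as (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changes = {f: (baseline[name][f], current[name][f])
                   for f in baseline[name] if baseline[name][f] != current[name][f]}
        if changes:
            modified[name] = changes
    return {"added": added, "removed": removed, "modified": modified}


def check_account_files(passwd_base: str, passwd_now: str, group_base: str, group_now: str) -> dict:
    """Whole-file hash first (what raises the FIM alert); only if it differs, run the
    field-level diff so the responder sees what actually changed. None means unchanged."""
    report = {}
    for name, base, now, fields in (
        ("passwd", passwd_base, passwd_now, PASSWD_FIELDS),
        ("group", group_base, group_now, GROUP_FIELDS),
    ):
        if fingerprint(base) == fingerprint(now):
            report[name] = None
            continue
        report[name] = diff_entries(parse_colon_file(base, fields), parse_colon_file(now, fields))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(check_account_files(PASSWD_BASELINE, PASSWD_CURRENT,
                                         GROUP_BASELINE, GROUP_CURRENT), indent=2))
```

On the sample data the report shows “mallory” added and “bob” removed from passwd, “alice” modified (shell changed), and the “sudo” group modified (membership gained “mallory”). That last finding is the one the whole-file alert would never tell you on its own, and it is the kind of change that deserves the fastest follow-up.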
