Problem: You need to know when users or groups are added or taken away on any of your systems.
FIM (File Integrity Monitoring) for Halo can identify when a file has been changed.
Create a FIM policy that monitors for changes to “passwd” and “group” located in “/etc”. Any change to these files is an indication that a user or group has been added, removed or modified.
Note: this won’t work if the system uses a central authentication system such as LDAP, because those accounts and groups never appear in the local files.
Under “Policies” select “File Integrity Policies”, then select “Add a New File Integrity Policy” to create the policy.
Add the files we wish to monitor: “/etc/passwd” and “/etc/group”. Make sure you mark “Enable Scan” and check the box to be alerted. Once you save the new policy you will need to generate a new baseline: select the server to baseline against and wait for the baseline to complete.
Make sure alerting is configured so that Halo sends you an email once it detects that one or more of the files has changed: Policies -> Alert Profiles -> (add your email address here).
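A FIM alert tells you only that the file hash changed. The following added example (not Halo code; the passwd and group snapshots are constructed samples) shows how to take the baseline copy and the current copy of either file and work out which account or group was added, removed or modified, which is what you actually want in the alert triage.

```python
import hashlib
from typing import Optional

# Constructed sample snapshots of /etc/passwd: baseline vs. after a change.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
# Constructed /etc/group snapshots: alice gets added to the sudo group.
BASELINE_GROUP = "root:x:0:\nsudo:x:27:\nalice:x:1000:\n"
CURRENT_GROUP = "root:x:0:\nsudo:x:27:alice\nalice:x:1000:\n"

def fingerprint(content: str) -> str:
    """Hash the whole file, as a FIM baseline does, to detect any change."""
    return hashlib.sha256(content.encode()).hexdigest()

def parse_entries(content: str) -> dict:
    """Map account/group name -> the remaining colon-separated fields.
    Works for both passwd (7 fields) and group (4 fields) layouts."""
    entries = {}
    for line in content.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        entries[name] = rest
    return entries

def diff_entries(baseline: str, current: str) -> dict:
    """Explain a FIM hit: which names were added, removed or modified."""
    old, new = parse_entries(baseline), parse_entries(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }

def check(baseline: str, current: str) -> Optional[dict]:
    """Return None when the file is unchanged, else the entry-level diff."""
    if fingerprint(baseline) == fingerprint(current):
        return None
    return diff_entries(baseline, current)

if __name__ == "__main__":
    print("passwd:", check(BASELINE_PASSWD, CURRENT_PASSWD))
    print("group: ", check(BASELINE_GROUP, CURRENT_GROUP))
```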