/etc/passwd was truncated

linux redhat

Today I received a call from security officer telling me that the /etc/passwd file of one machine was truncated (0 byte). The same happened with /etc/group a couple of days before.

I tried to trace the cause but I had no success... can someone please give me a clue where should I look for?

I'm running Red Hat 5.7 x86_64.


Solution 1:

If you think you've been hacked, I strongly recommend How do I deal with a compromised server? .

Otherwise, check root's .bash_history, looking for things like output redirection onto /etc/passwd. If you use sudo to control root access, check the sudo logs around the time (the modification time on the file will tell you when it was zeroed out, most likely).

And, for goodness' sake, get off Red Hat 5.7. You're running an OS that's nearly a year's worth of patches out-of-date, and there's no sane reason to. Red Hat's patching policy is that no version of any package is ever bumped inside a major version of the OS; patches are backported instead. The whole point of this is that you should be able to keep your RHEL5 constantly in patch without endangering any functionality.

In many ways, there isn't even any such thing as "Red Hat 5.7"; RHEL 5.7 isn't really an OS release version, it's simply a line drawn through the current state of patch of RHEL5 on 12/3/2012. When you say "I'm running RHEL 5.7" what you're really saying is "I'm running RHEL 5 and I'm a year out of date".

Solution 2:

It will be a lot easier to find out the cause, if you have auditd daemon properly configured to watch on critical files. In addition to the suggestions forwarded by others, you can try to look for hints in the /var/log/audit/audit.log file and use the aureport and ausearch commands.

For instance, you can run ausearch -f passwd to list all audit information related to the passwd file.

In the future, you might need to follow the security guidelines set in the CIS Red Hat Enterprise Linux 5 Benchmark on how to configure audit daemon to watch (-w ) certain files. Here are some lines you need to add to /etc/audit/audit.rules -

Things that affect identity:

   -w /etc/group -p wa -k identity
   -w /etc/passwd -p wa -k identity
   -w /etc/gshadow -p wa -k identity
   -w /etc/shadow -p wa -k identity
   -w /etc/security/opasswd -p wa -k identity

Solution 3:

@MadHatter offers a good start. Beyond that, here's a trick I keep in my toolbelt for days like these:

find /filesystem1 /filesystem2 -xdev -printf '%T@ %t %p\n' | sort

%T@ Modification time, epoch seconds (for sorting)

%t Modification time, human readable

%p Full file path

Season to taste. Run on one mounted filesystem at a time or as many as you think is relevant.

What this does is give you a timestamp sorted audit of the most recent modifications to files. This can occasionally give you insight into other things that were happening at the time of the unknown event. It's certainly not bulletproof, and may not reveal anything at all, but I occasionally find this extremely useful in identifying what work was being performed at the time that the unknown event happened. (say, a someone performing a rm -Rf on /lib instead of Tomcat's lib...)

Related

Windows Server in UTC, need Task Scheduler to shift tasks with summer time
SQLServer Express Single or Multiple Instance Installation
Nginx subdomain configuration not working
How to block IP addresses from port 25 [closed]
Is there a keyboard shortcut to switch the cursor between panels of iPad split screen?
After updating to Big Sur the process "opendirectoryd" is using 70% cpu
Slow Transfer Between External Drives
Spotlight Recursive Search in Finder
Applescript for specific System Preferences pane
"Other" storage macOS [duplicate]
How to add access to the camera to one app which doesn't appears in the system preferences ->privacy menu?
How to increase keyboard light with Touch Bar not working