Thursday, January 27, 2011

Linux: Checking the date a group was created

Is there a way I can check the date that a linux group was created and/or modified? It would be even better if I could pull the last user to modify the group.

  • Assuming we're talking local files here (not LDAP) and no additional auditing software, you're pretty much limited to the metadata of /etc/group; you can see when the file was last modified, but not by whom or which group(s) were affected.

    Urgoll : James, Prix, you are assuming that the groupadd / groupdel commands are used. The /etc/group format is trivial, and this file is often simply edited by hand. Also, process accounting is a heavyweight solution, as it will have a system-wide performance impact. If complete group auditing is required, it might be better to implement LDAP and use the auditing facilities of the LDAP server. Then use an automated process such as tripwire to ensure /etc/group isn't modified.
    From Urgoll
  • You can see the last commands using lastcomm; for that you must have acct enabled, by adding the following to your init script:

    # Turn process accounting on.
    if [ -x /sbin/accton ]
    then
        /sbin/accton /var/log/pacct
        echo "Process accounting turned on."
    fi


    To create the accounting record file:

    touch /var/log/pacct
    chown root /var/log/pacct
    chmod 0644 /var/log/pacct
    

    One thing I can recommend is to alter both your groupadd and groupdel: move them somewhere else and create 2 bash scripts that will store the user that summoned them, the time and the command, and after that call the actual scripts to create the groups or delete them.

    A small sample:

    mv /usr/sbin/groupadd /usr/sbin/new_groupadd


    Now create a new /usr/sbin/groupadd with the following content (don't forget to chmod it after you're done):

    #!/bin/bash
    # Wrapper for the real groupadd (moved to /usr/sbin/new_groupadd above).
    # Record when it ran, who ran it and the full argument list, then hand
    # over to the real command. Note: $USER is the user running this wrapper,
    # which is root after su; under sudo, $SUDO_USER holds the invoking user.
    echo "$(date) - $USER - /usr/sbin/new_groupadd $*" >> /var/log/groupadd_log
    # Quote "$@" so arguments containing spaces survive; exec keeps the exit status.
    exec /usr/sbin/new_groupadd "$@"


    Create the record file:

    touch /var/log/groupadd_log
    chown root /var/log/groupadd_log
    chmod 0644 /var/log/groupadd_log
    

    As James Lawrie well pointed out, look in /var/log/secure and all its rotated files (if the entry is too old already) to find out when it was last changed, but it will not list it if you give users other than root access to add groups.

    From Prix
  • Just look in /var/log/secure, I created and modified a group as an example. Please note that the command may not relate to the last session opened, so it could be difficult to tell who actually did it:

    Aug 30 20:38:09 aladdin su: pam_unix(su-l:session): session opened for user root by james(uid=0)
    Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/group: name=test, GID=501
    Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/gshadow: name=test
    Aug 30 20:38:15 aladdin groupadd[2442]: new group: name=test, GID=501
    Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/group (group test/501, new gid: 502)
    Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/passwd (group test/501, new gid: 502)

    And yes, my machine is called aladdin - what of it?

    Dennis Williamson : And your password is "opensesame"! ;)
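A small added example (not from any of the answers above) that puts the /var/log/secure approach into a repeatable check: it walks the log, collapses the several lines each groupadd/groupmod/groupdel process writes into one event per PID, and tags each event with the user who most recently opened a root session via su or sudo, which is the "who actually did it" hint the answer warns is only approximate. The sample log lines are constructed from the ones posted above; the function name group_changes is my own.

```shell
#!/bin/sh
# Constructed sample, modelled on the /var/log/secure excerpt in the answer.
SAMPLE_LOG='Aug 30 20:38:09 aladdin su: pam_unix(su-l:session): session opened for user root by james(uid=0)
Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/group: name=test, GID=501
Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/gshadow: name=test
Aug 30 20:38:15 aladdin groupadd[2442]: new group: name=test, GID=501
Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/group (group test/501, new gid: 502)
Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/passwd (group test/501, new gid: 502)'

# group_changes: read syslog-style lines on stdin and print one line per
# group change event (one per PID), annotated with the user who most
# recently opened a root session before it. Usage:
#   group_changes < /var/log/secure
#   printf '%s\n' "$SAMPLE_LOG" | group_changes
group_changes() {
    awk '
        # Remember who last became root (pam_unix logs this for su and sudo).
        /session opened for user root by/ {
            n = split($0, parts, " by ")
            who = parts[n]
            sub(/\(.*$/, "", who)          # strip "(uid=0)"
        }
        # Field 5 is the program tag, e.g. "groupadd[2442]:".
        $5 ~ /^group(add|mod|del)\[[0-9]+\]:$/ {
            pid = $5
            sub(/:$/, "", pid)
            if (pid in seen) next           # one event per process
            seen[pid] = 1
            printf "%s %s %s %s likely_by=%s\n", $1, $2, $3, pid,
                   (who == "" ? "unknown" : who)
        }
    '
}
```

The "likely_by" value is only the last root session seen before the event, so on a busy host with several concurrent root sessions it should be treated as a lead, not proof.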
