This repository was archived by the owner on Nov 8, 2021. It is now read-only.
This repository was archived by the owner on Nov 8, 2021. It is now read-only.
When using FIM monitoring on /etc there's a slew of updates always to groups and passwd and shadow #161
Description
Metadata:
- amazon linux2 and ubuntu 18/20
- git clone from master
- AWS CLI Version: 2
When using a FIM (file integrity monitoring) tool like TrendMicro, which scans OS paths like /etc for file changes for security, every time import_users.sh runs, it will always update the groups the users are in. Regardless of if they are in the group already. This causes tons of FIM alerts to be generated and /etc/groups, /etc/passwd and /etc/shadow are modified every time it runs.
I have a patch that I apply to my servers when I build them now. Here is the patch. It just rolls through the comma delimited list of groups and if it finds any group in the list that username doesn't exist, it then modifies the user include the list of groups.
--- import_users.sh.ORIG 2020-10-27 19:33:59.517983177 +0000
+++ import_users.sh 2020-10-27 20:00:53.462444213 +0000
@@ -192,7 +192,13 @@
/bin/chown -R "${username}:${username}" "$(eval echo ~$username)"
log "Created new user ${username}"
fi
- /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
+
+ # TAW - 20201027 - only modify groups if we need to. Otherwise, FIM products will alert that
+ # we are constantly modifying /etc/groups.XXXXX and /etc/passwd.XXXXX files...
+ for g in $(echo ${localusergroups}|sed 's/,/ /g')
+ do
+ /bin/groups ${username} | grep $g >/dev/null 2>&1 || /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
+ done
# Should we add this user to sudo ?
if [[ ! -z "${SUDOERS_GROUPS}" ]]