Why was /etc/passwd updated automatically?
-
"I noticed that the checksum of /etc/passwd had changed"
How did you happen to notice that exactly?
-
Are you running a "pre-installed" version of pfSense?
If so, best to get rid of it. Read this.
-
That looks completely normal to me. /etc/passwd is one of the many files manipulated by the system based on the contents of config.xml.
-
I see the same entries in mine.
I am more curious how he noticed its checksum changed ;)
-
"I noticed that the checksum of /etc/passwd had changed"
How did you happen to notice that exactly?
A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.
Are you running a "pre-installed" version of pfSense?
If so, best to get rid of it. Read this.
Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).
I see the same entries in mine.
Perhaps this wasn't addressed to me, but "same entries" compared to what?
-
here…
2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:groupmod] admins(1999)
2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:groupmod] admins(1999)
All would have been reboot times..
What monitoring platform are you using on pfSense that tells you checksums have changed? I am not aware of any such package.
-
Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.
On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1
One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.
-
here…
2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:groupmod] admins(1999)
2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:groupmod] admins(1999)
All would have been reboot times..
What monitoring platform are you using on pfSense that tells you checksums have changed? I am not aware of any such package.
Ummmm well I'm using Zabbix. And it whines about any MD5 change of the mentioned file. :)
-
Can't you just turn that warning/whine off.. Since you know it's going to change anytime you reboot?
-
Can't you just turn that warning/whine off.. Since you know it's going to change anytime you reboot?
Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).
Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?
-
While I am not an expert on the whole boot process of pfSense.. From a general point of view… The configuration of pfSense is stored in XML... So on boot I would assume pfSense makes sure that "all" settings that are in the config XML are placed into the appropriate files.
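
An added example, not part of the thread or of pfSense: one way to keep the /etc/passwd alert useful across reboots is to compare each burst of account-change records against the seven entries the posted logs show for every reboot, and report only bursts that deviate. The function names, the 5-second grouping window and the extra `example(2001)` record are assumptions made for this sketch.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[[^:\]]+:(\w+)\] (.+)$")

# The seven entries each reboot produced in the logs posted in the thread.
REBOOT_BASELINE = [
    ("userdel", "admin(0) account removed"),
    ("groupmod", "all(1998)"),
    ("usermod", "root(0):wheel(0):Charlie &:/root:/bin/sh"),
    ("useradd", "admin(0):wheel(0):System Administrator:/root:/etc/rc.initial"),
    ("useradd", "admin(0) home /root made"),
    ("groupmod", "all(1998)"),
    ("groupmod", "admins(1999)"),
]

def batches(lines, gap=timedelta(seconds=5)):
    """Group records into bursts; a jump larger than `gap` starts a new one."""
    out, last = {}, None
    # Lines that are not account-change records are skipped.
    matches = filter(None, (LINE_RE.match(raw.strip()) for raw in lines))
    for m in matches:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if last is None or abs(ts - last) > gap:  # abs(): pasted logs may be unordered
            key = m.group(1)
        out.setdefault(key, []).append((m.group(2), m.group(3)))
        last = ts
    return out

def unexpected(lines, baseline=REBOOT_BASELINE):
    """Return {burst start: {"extra": [...], "missing": [...]}} for deviating bursts."""
    findings = {}
    for start, events in batches(lines).items():
        have, want = Counter(events), Counter(baseline)
        extra, missing = list((have - want).elements()), list((want - have).elements())
        if extra or missing:
            findings[start] = {"extra": extra, "missing": missing}
    return findings

def render(ts, events):
    return [f"{ts} [unknown:{action}] {detail}" for action, detail in events]

# Constructed sample: one burst as posted in the thread, one with an added record.
SAMPLE = render("2018-01-11 14:45:36", REBOOT_BASELINE) + render(
    "2018-01-20 09:00:00", REBOOT_BASELINE + [
        ("useradd", "example(2001):nobody(65534):constructed:/nonexistent:/usr/sbin/nologin")])

if __name__ == "__main__":
    print(unexpected(SAMPLE))
```

A burst that matches the baseline exactly is silent, so the checksum alert can be acknowledged automatically for it while any added or missing record still surfaces.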