Why was /etc/passwd updated automatically?



  • I have one pfSense hardware router that has run for a few weeks and was then shutdown for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:

    2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
    2018-03-06 13:44:13 [unknown:groupmod] all(1998)
    2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
    2018-03-06 13:44:13 [unknown:groupmod] all(1998)
    2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
    

    The timestamps here are the same of the last modified date of /etc/passwd so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually, I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?

    Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.


  • Rebel Alliance

    "I noticed that the checksum of /etc/passwd had changed"

    How did you happen to notice that exactly?



  • Are you running a "pre-installed" version of pfSense?

    If so, best to get rid of it.  Read this.


  • Netgate

    That looks completely normal to me. /etc/passwd is one of the many files manipulated by the system based on the contents of config.xml.


  • Rebel Alliance

    I see the same entries in mine.

    I am more curious how he noticed its checksum changed ;)



  • @johnpoz:

    "I noticed that the checksum of /etc/passwd had changed"

    How did you happen to notice that exactly?

    A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.

    @biggsy:

    Are you running a "pre-installed" version of pfSense?

    If so, best to get rid of it.  Read this.

    Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).

    @johnpoz:

    I see the same entries in mine.

    Perhaps this wasn't addressed to me, but "same entries" compared to what? 🤔


  • Rebel Alliance

    here…

    2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
    2018-01-11 14:45:36 [unknown:groupmod] all(1998)
    2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
    2018-01-11 14:45:36 [unknown:groupmod] all(1998)
    2018-01-11 14:45:36 [unknown:groupmod] admins(1999)

    2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
    2017-12-13 07:55:53 [unknown:groupmod] all(1998)
    2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
    2017-12-13 07:55:53 [unknown:groupmod] all(1998)
    2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
    2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
    2017-12-15 03:56:15 [unknown:groupmod] all(1998)
    2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
    2017-12-15 03:56:15 [unknown:groupmod] all(1998)
    2017-12-15 03:56:15 [unknown:groupmod] admins(1999)

All would have been reboot times..

    What monitoring platform are you using on pfsense that tells you checksums have changed?  I am not aware of any such package.



  • Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.

    On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1

    One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.



  • @johnpoz:

    here…

    2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
    2018-01-11 14:45:36 [unknown:groupmod] all(1998)
    2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
    2018-01-11 14:45:36 [unknown:groupmod] all(1998)
    2018-01-11 14:45:36 [unknown:groupmod] admins(1999)

    2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
    2017-12-13 07:55:53 [unknown:groupmod] all(1998)
    2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
    2017-12-13 07:55:53 [unknown:groupmod] all(1998)
    2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
    2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
    2017-12-15 03:56:15 [unknown:groupmod] all(1998)
    2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
    2017-12-15 03:56:15 [unknown:groupmod] all(1998)
    2017-12-15 03:56:15 [unknown:groupmod] admins(1999)

All would have been reboot times..

    What monitoring platform are you using on pfsense that tells you checksums have changed?  I am not aware of any such package.

Ummmm well I'm using zabbix. And it whines about any MD5 change of the mentioned file. :)


  • Rebel Alliance

Can't you just turn that warning/whine off.. Since you know it's going to change anytime you reboot?



  • @johnpoz:

Can't you just turn that warning/whine off.. Since you know it's going to change anytime you reboot?

    Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).

    Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?
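The point raised above, that a checksum alert on /etc/passwd is still worth keeping for changes that are not the boot-time rebuild, can be handled by correlating the /var/log/userlog burst with boot times. The following is an added example written for this thread; it is not pfSense code, and the Zabbix check itself is not involved. It assumes the userlog line format shown in the posts above and that a reboot produces the seven-line burst seen in the thread (userdel admin, groupmod all, usermod root, useradd admin, useradd home, groupmod all, groupmod admins) within the same second. The sample log lines and boot times are constructed for the example.

```python
"""Classify /var/log/userlog bursts as boot-time account regeneration or as an
unexpected account change, so a monitoring alert can be suppressed only for
the former.  Added example, not part of pfSense or of this thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One userlog line: "YYYY-MM-DD HH:MM:SS [actor:tool] detail"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<actor>[^:\]]+):(?P<tool>[^\]]+)\] (?P<detail>.*)$"
)

# The burst written when the admin account is rebuilt at boot, in the order the
# thread shows it.  Each entry is (tool, prefix the detail field must start with).
BOOT_REGEN_SEQUENCE = (
    ("userdel", "admin(0) account removed"),
    ("groupmod", "all(1998)"),
    ("usermod", "root(0)"),
    ("useradd", "admin(0):"),
    ("useradd", "admin(0) home"),
    ("groupmod", "all(1998)"),
    ("groupmod", "admins(1999)"),
)

# Constructed sample: the burst from the original post, then two constructed
# lines that a defender would want to see flagged.
SAMPLE_USERLOG = """
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
2018-03-06 13:44:20 [unknown:useradd] svc(1002):wheel(0):Constructed Extra:/home/svc:/bin/sh
2018-03-07 02:10:01 [unknown:useradd] backup(1001):wheel(0):Constructed:/home/backup:/bin/sh
""".splitlines()

# Constructed boot time shortly before the regeneration burst (e.g. from
# `last reboot` or the first line of /var/log/system.log after boot).
SAMPLE_BOOT_TIMES = [datetime(2018, 3, 6, 13, 43, 50)]


def parse_userlog(lines):
    """Return [(timestamp, tool, detail)] for every line matching LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines in another format are ignored rather than guessed at
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["tool"], m["detail"]))
    return events


def group_bursts(events):
    """Group events that share one timestamp, preserving their log order."""
    bursts = defaultdict(list)
    for ts, tool, detail in events:
        bursts[ts].append((tool, detail))
    return dict(bursts)


def is_boot_regen(burst):
    """True only if the burst is exactly the known regeneration sequence, in order."""
    if len(burst) != len(BOOT_REGEN_SEQUENCE):
        return False
    return all(
        tool == want_tool and detail.startswith(want_prefix)
        for (tool, detail), (want_tool, want_prefix) in zip(burst, BOOT_REGEN_SEQUENCE)
    )


def classify(lines, boot_times, window=timedelta(minutes=5)):
    """Map each burst timestamp to "boot-regeneration" or "unexpected".

    A burst is only excused when it both follows a boot within `window` and
    matches the regeneration sequence; proximity to a boot alone is not enough."""
    result = {}
    for ts, burst in sorted(group_bursts(parse_userlog(lines)).items()):
        near_boot = any(abs(ts - b) <= window for b in boot_times)
        ok = near_boot and is_boot_regen(burst)
        result[ts] = "boot-regeneration" if ok else "unexpected"
    return result


if __name__ == "__main__":
    for ts, label in classify(SAMPLE_USERLOG, SAMPLE_BOOT_TIMES).items():
        print(ts, label)
```

Run against the sample, the 13:44:13 burst is reported as boot-regeneration while the constructed 13:44:20 and 02:10:01 entries are reported as unexpected, which is the split the checksum alert alone cannot make.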


  • Rebel Alliance

    While I am not an expert on the whole boot process of pfsense.. From a general point of view… The configuration of pfsense is stored in XML... So on boot I would assume pfsense makes sure that "all" settings that are in the config XML are placed into the appropriate files.

