Why was /etc/passwd updated automatically?

A Former User · Mar 6, 2018, 8:55 PM

I have one pfSense hardware router that has run for a few weeks and was then shutdown for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:

2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)

The timestamps here are the same of the last modified date of /etc/passwd so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually, I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?

Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.

johnpoz · Mar 6, 2018, 9:13 PM

"I noticed that the checksum of /etc/passwd had changed"

How did you happen to notice that exactly?

biggsy · Mar 6, 2018, 11:07 PM

Are you running a "pre-installed" version of pfSense?

If so, best to get rid of it. Read this.

Derelict · Mar 7, 2018, 3:33 AM

That looks completely normal to me. /etc/passwd is one of the many files manipulated by the system based on the contents of config.xml.

johnpoz · Mar 7, 2018, 8:32 AM

I see the same entries in mine.

I am more curious how he noticed its checksum changed ;)

A Former User · Mar 7, 2018, 8:46 AM

@johnpoz:

"I noticed that the checksum of /etc/passwd had changed"

How did you happen to notice that exactly?

A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.

@biggsy:

Are you running a "pre-installed" version of pfSense?

If so, best to get rid of it. Read this.

Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).

@johnpoz:

I see the same entries in mine.

Perhaps this wasn't addressed to me, but "same entries" compared to what?

johnpoz · Mar 7, 2018, 9:34 AM

here…

2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:groupmod] admins(1999)

2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:groupmod] admins(1999)

All would of been reboot times..

What monitoring platform are you using on pfsense that tells you checksums have changed? I am not aware of any such package.

A Former User · Mar 7, 2018, 10:44 AM

Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.

On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1

One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.

maverick_slo · Mar 7, 2018, 11:09 AM

@johnpoz:

here…

2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:groupmod] admins(1999)

2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:groupmod] admins(1999)

All would of been reboot times..

What monitoring platform are you using on pfsense that tells you checksums have changed? I am not aware of any such package.

Ummmm well I`m using zabbix. And it whines about any MD5 change of mentioned file. :)

johnpoz · Mar 7, 2018, 12:47 PM

Can't you just turn that warning/whine off.. Since you know its going to change anytime you reboot?

A Former User · Mar 7, 2018, 1:13 PM

@johnpoz:

Can't you just turn that warning/whine off.. Since you know its going to change anytime you reboot?

Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).

Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?

johnpoz · Mar 7, 2018, 1:16 PM

While I am not an expert on the whole boot process of pfsense.. From a general point of view… The configuration of pfsense is stored in XML... So on boot I would assume pfsense makes sure that "all" settings that are in the config XML are placed into the appropriate files.