Why was /etc/passwd updated automatically?
-
I have one pfSense hardware router that has run for a few weeks and was then shutdown for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
The timestamps here are the same of the last modified date of /etc/passwd so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually, I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?
Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.
-
"I noticed that the checksum of /etc/passwd had changed"
How did you happen to notice that exactly?
-
Are you running a "pre-installed" version of pfSense?
If so, best to get rid of it. Read this.
-
That looks completely normal to me. /etc/passwd is one of the many files manipulated by the system based on the contents of config.xml.
-
I see the same entries in mine.
I am more curious how he noticed its checksum changed ;)
-
"I noticed that the checksum of /etc/passwd had changed"
How did you happen to notice that exactly?
A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.
Are you running a "pre-installed" version of pfSense?
If so, best to get rid of it. Read this.
Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).
I see the same entries in mine.
Perhaps this wasn't addressed to me, but "same entries" compared to what?
-
here…
2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:groupmod] admins(1999)
2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:groupmod] admins(1999)
All would have been reboot times.
What monitoring platform are you using on pfSense that tells you checksums have changed? I am not aware of any such package.
-
Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.
On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1
One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.
-
here…
2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
2018-01-11 14:45:36 [unknown:groupmod] all(1998)
2018-01-11 14:45:36 [unknown:groupmod] admins(1999)
2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
2017-12-13 07:55:53 [unknown:groupmod] all(1998)
2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
2017-12-15 03:56:15 [unknown:groupmod] all(1998)
2017-12-15 03:56:15 [unknown:groupmod] admins(1999)
All would have been reboot times.
What monitoring platform are you using on pfSense that tells you checksums have changed? I am not aware of any such package.
Ummmm well I'm using Zabbix. And it whines about any MD5 change of the mentioned file. :)
-
Can't you just turn that warning/whine off, since you know it's going to change any time you reboot?
-
Can't you just turn that warning/whine off, since you know it's going to change any time you reboot?
Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).
Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?
-
While I am not an expert on the whole boot process of pfSense, from a general point of view the configuration of pfSense is stored in XML, so on boot I would assume pfSense makes sure that "all" settings that are in the config XML are placed into the appropriate files.
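The thread leaves the monitoring question open: a plain checksum alert on /etc/passwd fires on every reboot, but the poster still wants to hear about account changes that are not the boot-time rewrite. The script below is an added example (not from the thread, pfSense or Zabbix) that applies the quoted /var/log/userlog entries as a whitelist: a burst of entries matching the seven-step regeneration sequence seen in the logs above is treated as the expected boot rewrite, and anything else is reported. The sample log text is constructed; it assumes all entries of one rewrite share a timestamp, as in every sample quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/userlog format quoted in the thread:
# one boot-time rewrite plus one entry that is not part of it.
SAMPLE_USERLOG = """\
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
2018-03-07 02:10:44 [unknown:useradd] backup(2001):wheel(0):backup:/home/backup:/bin/sh
"""

# (tool, account) pairs, in order, that pfSense writes when it rebuilds
# /etc/passwd from config.xml on boot, taken from the entries quoted above.
BOOT_SEQUENCE = [
    ("userdel", "admin"), ("groupmod", "all"), ("usermod", "root"),
    ("useradd", "admin"), ("useradd", "admin"), ("groupmod", "all"),
    ("groupmod", "admins"),
]

# "<date> <time> [<who>:<tool>] <name>(<id>) ..."
LINE_RE = re.compile(r"^(\S+ \S+) \[[^:\]]*:(\w+)\] (\w+)\((\d+)\)")


def parse_userlog(text):
    """Return a list of (timestamp, tool, name, id) for each parseable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return entries


def classify(entries):
    """Group entries by timestamp. A group equal to BOOT_SEQUENCE is the
    expected boot rewrite; every other group is returned for review."""
    groups = defaultdict(list)
    for ts, tool, name, _uid in entries:
        groups[ts].append((tool, name))
    boots, unexpected = [], []
    for ts, ops in groups.items():
        (boots if ops == BOOT_SEQUENCE else unexpected).append(ts if ops == BOOT_SEQUENCE else (ts, ops))
    return boots, unexpected


if __name__ == "__main__":
    boots, unexpected = classify(parse_userlog(SAMPLE_USERLOG))
    print("boot rewrites:", boots)
    for ts, ops in unexpected:
        print("review:", ts, ops)
```

Run against the real file on the Zabbix server (or wherever the log is shipped), the `unexpected` list is what a checksum alert should be narrowed to.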