longshot_tw2

/etc/shadow and smmsp account on Solaris

I have a Solaris server. It has file integrity checking. I received an alert the other day that /etc/shadow had been modified. I looked at /etc/shadow and I see that there is a smmsp account that was just created. The server is currently running sendmail. Not sure how the account was created, who created it, or whether it is a system issue.

This is a duplicate user name. I have two smmsp accounts now, with different UIDs but the same username.

Is there a known bug with sendmail, or a way to see who modified the file?
arnold

It all depends on who created the original smmsp account.

Is one <1000 with one >1000?
It sounds as though it was manually added versus using vipw or useradd.

Anyone that has root access or root access by way of sudo.

Check /var/adm/messages if you have sudo configured to syslog.
If you do not have auditing enabled, you can look at the date when the change occurred and consult the last data to see who was logged in at the time.
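
An added example, not part of the original thread or any poster's code: a sh/awk audit for the condition discussed here, one login name on more than one line of /etc/passwd or /etc/shadow. The function names and the sample files (including UIDs 2001 and 2002) are constructed for illustration; on a real host, point the functions at copies of the two files.

```shell
#!/bin/sh
# Added example; the account data below is constructed, not from the asker's host.

# dup_names FILE: for each login name on more than one line of a passwd- or
# shadow-format file, print the name, its line numbers and the third field
# (UID in passwd; lastchg, days since 1970 of the last password change, in shadow).
dup_names() {
    awk -F: '
        NF < 2 || /^#/ { next }
        { sep = (seen[$1]++ ? "," : "")
          lines[$1] = lines[$1] sep NR
          f3[$1] = f3[$1] sep ($3 == "" ? "-" : $3) }
        END { for (n in seen) if (seen[n] > 1)
                  printf "%s lines=%s field3=%s\n", n, lines[n], f3[n] }
    ' "$1" | sort
}

# count_mismatch PASSWD SHADOW: names whose number of entries differs between
# the two files, a sign that one file was edited on its own.
count_mismatch() {
    awk -F: '
        NF < 2 || /^#/ { next }
        { all[$1] = 1; if (FILENAME == ARGV[1]) p[$1]++; else s[$1]++ }
        END { for (n in all) if (p[n] + 0 != s[n] + 0)
                  printf "%s passwd=%d shadow=%d\n", n, p[n], s[n] }
    ' "$1" "$2" | sort
}

# make_sample DIR: write constructed passwd and shadow files with two smmsp lines.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
smmsp:x:2001:2001:constructed entry A:/:
daemon:x:1:1::/:
smmsp:x:2002:2002:constructed entry B:/:
EOF
    cat > "$1/shadow" <<'EOF'
root:*LK*:6445::::::
smmsp:NP:6445::::::
daemon:NP:6445::::::
smmsp:NP:::::::
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
dup_names "$demo_dir/passwd"      # smmsp lines=2,4 field3=2001,2002
dup_names "$demo_dir/shadow"      # smmsp lines=2,4 field3=6445,-
count_mismatch "$demo_dir/passwd" "$demo_dir/shadow"   # no output: counts agree
rm -rf "$demo_dir"
```

On Solaris releases where /usr/bin/awk is the old awk, substitute nawk or /usr/xpg4/bin/awk. An empty lastchg (shown as "-") on only one of the duplicate shadow lines is worth noting when judging whether that line was added by hand.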
longshot_tw2

ASKER

Sorry for the delay getting back. Both are greater than 1000. The one that was created recently seems to have a number that I see on many blogs and Google searches.

We do log sudo commands, but none were run during that time period.

How do you see who was logged in at the time?
last, but it often has to be done within 7 days since it relies on a file that is wiped by a cron schedule.

Run last | more and you should see the date when an account logged in or an event occurred, as well as the duration of the session if the user logged off, or how long the session has been active (account is still logged in).
Thought it might be something else. I used last and it just shows the last 24 hours. I guess we are wiping every day.