
Messages - sandapa

General Questions / Re: Why was /etc/passwd updated automatically?
« on: March 07, 2018, 07:13:39 am »
Can't you just turn that warning/whine off.. Since you know it's going to change anytime you reboot?

Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).

Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?

General Questions / Re: Why was /etc/passwd updated automatically?
« on: March 07, 2018, 04:44:28 am »
Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.

On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1

One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.

General Questions / Re: Why was /etc/passwd updated automatically?
« on: March 07, 2018, 02:46:50 am »
"I noticed that the checksum of /etc/passwd had changed"

How did you happen to notice that exactly?

A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.

Are you running a "pre-installed" version of pfSense? 

If so, best to get rid of it.  Read this.

Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).

I see the same entries in mine.

Perhaps this wasn't addressed to me, but "same entries" compared to what? 🤔

General Questions / Why was /etc/passwd updated automatically?
« on: March 06, 2018, 02:55:26 pm »
I have one pfSense hardware router that has run for a few weeks and was then shut down for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:

Code:
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)

The timestamps here are the same as the last modified date of /etc/passwd so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually, I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?

Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.
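
One way to get the alert asked for in this thread, a notification when the account database changes for reasons other than a reboot (added example, not part of any post and not pfSense or Zabbix code): the script groups /var/log/userlog entries by timestamp and compares each group with the boot-time entries quoted in the opening post. Treating one timestamp as one burst and the `svc` account in the sample log are assumptions constructed for illustration.

```python
import re

# Line layout seen in the post: "<date> <time> [<who>:<action>] <detail>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[[^:\]]*:(\w+)\] (.*)$")

# Baseline: the seven entries quoted in the opening post (logged at boot).
BOOT_BASELINE = """\
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
"""

def parse_userlog(text):
    """Group entries into bursts keyed by timestamp (assumes one burst per second)."""
    bursts = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # lines in any other layout are ignored
            ts, action, detail = m.groups()
            bursts.setdefault(ts, []).append((action, detail))
    return bursts

def unexpected_changes(log_text, baseline_text=BOOT_BASELINE):
    """Return {timestamp: {"extra": [...], "missing": [...]}} for bursts that differ."""
    known = list(dict.fromkeys(e for b in parse_userlog(baseline_text).values() for e in b))
    report = {}
    for ts, entries in parse_userlog(log_text).items():
        extra = [e for e in entries if e not in known]
        # Only a burst that overlaps the baseline can be an incomplete boot sequence.
        partial = any(e in known for e in entries)
        missing = [e for e in known if e not in entries] if partial else []
        if extra or missing:
            report[ts] = {"extra": extra, "missing": missing}
    return report

# Constructed sample: one normal boot burst, then a lone uid-0 account creation.
SAMPLE_LOG = (BOOT_BASELINE.replace("2018-03-06 13:44:13", "2018-03-20 09:00:01")
              + "2018-03-21 02:17:40 [unknown:useradd] svc(0):wheel(0):Service:/root:/bin/sh\n")

if __name__ == "__main__":
    for ts, diff in unexpected_changes(SAMPLE_LOG).items():
        print(ts, diff)
```

The baseline should be replaced with a burst captured from a known-good boot of the firewall being monitored, since users and groups configured on that system will appear in its boot-time entries.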
