« on: March 07, 2018, 07:13:39 am »
Can't you just turn that warning/whine off.. Since you know it's going to change anytime you reboot?

Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).

Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?

« on: March 07, 2018, 04:44:28 am »
Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.

On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1

One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.

« on: March 07, 2018, 02:46:50 am »
"I noticed that the checksum of /etc/passwd had changed"

How did you happen to notice that exactly?

A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.

Are you running a "pre-installed" version of pfSense? 

If so, best to get rid of it.  Read this.

Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).

I see the same entries in mine.

Perhaps this wasn't addressed to me, but "same entries" compared to what? 🤔

General Questions / Why was /etc/passwd updated automatically?
« on: March 06, 2018, 02:55:26 pm »
I have one pfSense hardware router that has run for a few weeks and was then shut down for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:

2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)

The timestamps here are the same as the last modified date of /etc/passwd so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually, I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?

Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.
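
Added example (not from the thread and not pfSense code): a bare checksum cannot tell a boot-time rewrite of /etc/passwd from any other change, so this parses the /var/log/userlog format quoted above and reports only records that differ from the boot-time set in the post. The baseline choice, the function names and the extra "backup" line are assumptions constructed for illustration.

```python
import re

# Constructed sample: the seven boot-time records quoted in the post, plus one
# invented record (the "backup" account) to show what a deviation looks like.
BOOT_LINES = """\
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
"""
SAMPLE = BOOT_LINES + "2018-03-07 02:10:55 [unknown:useradd] backup(0):wheel(0):Backup:/root:/bin/sh\n"

# timestamp, [actor:tool], free-form detail
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[([^:\]]*):(\w+)\] (.+)$")
ACCOUNT = re.compile(r"^([^(\s]+)\((\d+)\)")

def parse(text):
    """Return (records, malformed): parsed tuples and lines that did not match."""
    records, malformed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if m:
            records.append(m.groups())
        else:
            malformed.append(line)
    return records, malformed

# Assumption: the (tool, detail) pairs seen at boot in the post are the baseline.
BASELINE = {(tool, detail) for _, _, tool, detail in parse(BOOT_LINES)[0]}

def unexpected(text, baseline=BASELINE):
    """List records outside the baseline; mark user records that carry UID 0."""
    findings = []
    records, malformed = parse(text)
    for ts, _actor, tool, detail in records:
        if (tool, detail) in baseline:
            continue
        acct = ACCOUNT.match(detail)
        uid0 = bool(acct) and tool.startswith("user") and acct.group(2) == "0"
        findings.append({"time": ts, "tool": tool, "detail": detail, "uid0": uid0})
    # Unparseable lines are reported too, so a mangled entry cannot hide a change.
    findings += [{"time": None, "tool": None, "detail": l, "uid0": False} for l in malformed]
    return findings

if __name__ == "__main__":
    for finding in unexpected(SAMPLE):
        print(finding)
```
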

