When using a FIM (file integrity monitoring) tool like TrendMicro, which scans OS paths like /etc for file changes for security, every time import_users.sh runs, it will always update the groups the users are in. Regardless of if they are in the group already. This causes tons of FIM alerts to be generated and /etc/groups, /etc/passwd and /etc/shadow are modified every time it runs.
I have a patch that I apply to my servers when I build them now. Here is the patch. It just rolls through the comma delimited list of groups and if it finds any group in the list that username doesn't exist, it then modifies the user include the list of groups.
--- import_users.sh.ORIG 2020-10-27 19:33:59.517983177 +0000
+++ import_users.sh 2020-10-27 20:00:53.462444213 +0000
@@ -192,7 +192,13 @@
/bin/chown -R "${username}:${username}" "$(eval echo ~$username)"
log "Created new user ${username}"
fi
- /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
+
+ # TAW - 20201027 - only modify groups if we need to. Otherwise, FIM products will alert that
+ # we are constantly modifying /etc/groups.XXXXX and /etc/passwd.XXXXX files...
+ for g in $(echo ${localusergroups}|sed 's/,/ /g')
+ do
+ /bin/groups ${username} | grep $g >/dev/null 2>&1 || /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
+ done
# Should we add this user to sudo ?
if [[ ! -z "${SUDOERS_GROUPS}" ]]
Metadata:
When using a FIM (file integrity monitoring) tool like TrendMicro, which scans OS paths like /etc for file changes for security, every time import_users.sh runs, it will always update the groups the users are in. Regardless of if they are in the group already. This causes tons of FIM alerts to be generated and /etc/groups, /etc/passwd and /etc/shadow are modified every time it runs.
I have a patch that I apply to my servers when I build them now. Here is the patch. It just rolls through the comma delimited list of groups and if it finds any group in the list that username doesn't exist, it then modifies the user include the list of groups.