widdix / aws-ec2-ssh

Manage AWS EC2 SSH access with IAM
https://cloudonaut.io/manage-aws-ec2-ssh-access-with-iam/
MIT License
828 stars 289 forks source link

When using FIM monitoring on /etc there's a slew of updates always to groups and passwd and shadow #161

Open timwelch opened 4 years ago

timwelch commented 4 years ago

Metadata:

When using a FIM (file integrity monitoring) tool like TrendMicro, which scans OS paths like /etc for file changes for security, every time import_users.sh runs, it will always update the groups the users are in. Regardless of if they are in the group already. This causes tons of FIM alerts to be generated and /etc/groups, /etc/passwd and /etc/shadow are modified every time it runs.

I have a patch that I apply to my servers when I build them now. Here is the patch. It just rolls through the comma delimited list of groups and if it finds any group in the list that username doesn't exist, it then modifies the user include the list of groups.

--- import_users.sh.ORIG    2020-10-27 19:33:59.517983177 +0000
+++ import_users.sh 2020-10-27 20:00:53.462444213 +0000
@@ -192,7 +192,13 @@
         /bin/chown -R "${username}:${username}" "$(eval echo ~$username)"
         log "Created new user ${username}"
     fi
-    /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
+
+    # TAW - 20201027 - only modify groups if we need to. Otherwise, FIM products will alert that
+    # we are constantly modifying /etc/groups.XXXXX and /etc/passwd.XXXXX files... 
+    for g in $(echo ${localusergroups}|sed 's/,/ /g')
+    do
+       /bin/groups ${username} | grep $g >/dev/null 2>&1 || /usr/sbin/usermod -a -G "${localusergroups}" "${username}"
+    done

     # Should we add this user to sudo ?
     if [[ ! -z "${SUDOERS_GROUPS}" ]]