8

On AIX 6100-05-02-1034, something is frequently changing the permissions of the /etc/passwd file to 640. That's bad...

How could I trace what is chmoding the file? There is nothing in history 1000 | fgrep -i chmod, so I think a process is chmoding the file, but which one? Can dtrace do this? It's not on AIX.

LanceBaynes
  • 40,135

2 Answers

7

Dtrace would be nice but it's not ported to AIX.

You should be able to trace what is chmoding the file with auditing: http://www.ibm.com/developerworks/aix/library/au-audit/

jlliagre
  • 61,204

0

First, I'd open a problem record with IBM, as that sounds like broken code and should be fixed. I personally only had similar issues with /etc/resolv.conf also not being readable by others, and when it belongs to root:system that might be a problem.

The pointer to the audit subsystem is correct, although the famous developerworks URL-randomizer struck, and the above link is not working anymore. Check e.g. http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.security/monitor_file_access_realtime.htm or the archived page: https://web.archive.org/web/20080328022606/http://www.ibm.com/developerworks/aix/library/au-audit/

For the event selection, you should try with FILE_Write and maybe in addition FILE_Mode, FILE_Privilege and/or FILE_Acl.

doktor5000
  • 2,699
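
Once auditing is recording the events suggested in the answers above, the remaining step is picking out the records that touch /etc/passwd and reading off the command name. The filter below is an added example, not code from either answer. It assumes the record layout of `auditpr -v` text (a record line followed by indented tail lines); the sample trail is constructed, `nightly_sync` is a hypothetical command name, and FILE_Owner is added to the watch list as an assumption.

```shell
#!/bin/sh
# Added example: filter `auditpr -v` text for mode/owner/ACL changes to one file.
# Assumed layout: a record line "event login status time(5 fields) command",
# followed by indented tail lines that include the file name.

# Constructed sample trail (not real audit output from any system).
sample_trail() {
cat <<'EOF'
event           login    status      time                     command
--------------- -------- ----------- ------------------------ ------------
FILE_Write      root     OK          Mon Sep 06 10:14:58 2010 vi
        file descriptor 4 filename /etc/passwd
FILE_Mode       root     OK          Mon Sep 06 10:15:02 2010 chmod
        mode: 644 filename /etc/passwd.bak
FILE_Mode       root     OK          Mon Sep 06 10:20:00 2010 nightly_sync
        mode: 640 filename /etc/passwd
FILE_Owner      root     OK          Mon Sep 06 10:20:01 2010 nightly_sync
        owner: 0 group: 7 filename /etc/security/passwd
EOF
}

# Print "command login event time" for each watched event whose tail names $1.
find_mode_changes() {
    awk -v target="$1" '
        # A line starting in column 1 opens a new record (or is the header).
        /^[^ \t]/ {
            watching = ($1 ~ /^FILE_(Mode|Owner|Acl|Privilege)$/)
            if (watching) {
                event = $1; login = $2; cmd = $NF
                when = $4 " " $5 " " $6 " " $7 " " $8
            }
            next
        }
        # Indented tail line: compare whole tokens so that /etc/passwd
        # does not also match /etc/passwd.bak or /etc/security/passwd.
        watching {
            for (i = 1; i <= NF; i++)
                if ($i == target) {
                    print cmd, login, event, when
                    watching = 0
                    break
                }
        }
    '
}

sample_trail | find_mode_changes /etc/passwd
```

On a real system the function would read the text that auditpr prints from the audit trail or stream instead of `sample_trail`; the tail formats for each event are defined in /etc/security/audit/events.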