8

On AIX 6100-05-02-1034, something is frequently changing the permissions of the /etc/passwd file to 640. That's bad...

How could I trace what is chmoding the file? There is no history 1000 | fgrep -i chmod, I think a process is chmoding the file, but which one? Can dtrace do this? It's not on AIX.

3
  • Shouldn't you be grepping for chmod, not chown? Commented Sep 25, 2011 at 20:29
  • unix.stackexchange.com/questions/6068/… Commented Sep 27, 2011 at 18:10
  • :D No. CHMOD is right. Commented Sep 27, 2011 at 18:10

2 Answers 2

7

Dtrace would be nice, but it's not ported to AIX.

You should be able to trace what is chmoding the file with auditing: http://www.ibm.com/developerworks/aix/library/au-audit/

2
  • I can see S_PASSWD_READ and S_PASSWD_WRITE, but what should I set to trace the chown-ing? So is there any "S_PERMISSION"? :D - ty! Commented Sep 25, 2011 at 14:09
  • I have no AIX system to check but I guess FILE_Mode should be a good clue. Commented Sep 25, 2011 at 18:15
0

First, I'd open a problem record with IBM, as that sounds like broken code and should be fixed. I personally only had similar issues with /etc/resolv.conf also not being readable by others, and when it belongs to root:system that might be a problem.

The pointer to the audit subsystem is correct, although the famous developerworks URL-randomizer struck, and the above link is not working anymore. Check e.g. http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.security/monitor_file_access_realtime.htm or the archived page: https://web.archive.org/web/20080328022606/http://www.ibm.com/developerworks/aix/library/au-audit/

For the event selection, you should try with FILE_Write and maybe in addition FILE_Mode, FILE_Privilege and/or FILE_Acl.
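
An added example, not part of either answer: once auditing is collecting FILE_Mode events as suggested above, a filter like this picks out which login and command changed the mode of one file. The function names who_chmod and sample_trail, the sample records and the auditpr -v text layout they follow (default columns, event tail on the next indented line) are assumptions made for this example.

```shell
# Added example, not from the answers. Assumed use on AIX once auditing runs
# with FILE_Mode in a class assigned to the users of interest:
#   auditpr -v < /audit/trail | who_chmod /etc/passwd
# Assumption: default auditpr columns (event login status time command), with
# the -v event tail on the following indented line.

who_chmod() {
    # $1 = absolute path to watch; audit text is read from stdin
    awk -v target="$1" '
        # Record header: remember who/what/when for a FILE_Mode event
        $1 == "FILE_Mode" {
            login = $2; status = $3; cmd = $NF
            when = $4 " " $5 " " $6 " " $7 " " $8
            pending = 1
            next
        }
        # Indented tail line that belongs to the remembered record
        pending && /^[ \t]/ {
            pending = 0; mode = ""; file = ""
            for (i = 1; i < NF; i++) {
                if ($i == "mode:")    mode = $(i + 1)
                if ($i == "filename") file = $(i + 1)
            }
            if (file == target)
                printf "%s login=%s command=%s mode=%s status=%s\n", when, login, cmd, mode, status
            next
        }
        # Any other line ends the pending record
        { pending = 0 }
    '
}

# Constructed sample in the assumed layout (not real system output);
# "fixperms" is a made-up command name.
sample_trail() {
cat <<'EOF'
event           login    status      time                     command
--------------- -------- ----------- ------------------------ ---------
FILE_Mode       root     OK          Sun Sep 25 14:02:11 2011 chmod
        mode: 644 filename /etc/motd
FILE_Open       root     OK          Sun Sep 25 14:03:40 2011 cat
        flags: 0 mode: 0 fd: 3 filename /etc/passwd
FILE_Mode       root     OK          Sun Sep 25 14:05:00 2011 fixperms
        mode: 640 filename /etc/passwd
EOF
}

sample_trail | who_chmod /etc/passwd
```

If the layout on a given system differs, compare the first few records by eye before relying on the filter.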
