some LDAP users was automaticaly removed

Started by bran.ko, Today at 11:43:18 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
Today at 11:43:18 AM
HI, last night I have strage behavior. Some users was removed - by script I think
only in configuration backup is logged
Code Select
  <revision>
    <username>(root)</username>
    <description>The users "user1,...,user6(changed real name)" where successfully removed.</description>
    <time>1775862000.71</time>
  </revision>
This 6 users was LDAP users not local on firewall. But there are another 32 users without any problems.
I try to find some differencies but unsucessfully.

Which script is stared at 01:00 ? My cron is empty (thru web UI). User root is disabled for web logon.
Today at 02:42:42 PM #1
Have you checked /var/log/system.log or the audit logs around 01:00? Even if the GUI cron is empty, system-level cron or package tasks might still trigger something
Today at 05:08:16 PM #2
/var/log/system/latest.log is clear only systemctl log is here with some activity, and acme logs
Code Select
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="26"] event @ 1775859304.15 msg: Apr 11 00:15:04 firewall config[56811]: config-event: new_config /conf/backup/config-1775859304.1084.xml
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="28"] event @ 1775859304.15 exec: system event config_changed response: OK
/var/log/audit/latest - is clear also

crontab -e 
yes there is some scheduled scripts - byt nothing suspisious

firewall has installed all patches/updates
Print
Go Up Pages1
User actions