Operating System - HP-UX

Auditing removed accounts

 
Susan Pellerito
Advisor

Is there anyplace where a removed or modified user is logged? The auditor is asking for proof of a terminated employee's removal from the system within 45 hours. Any ideas?
James R. Ferguson
Acclaimed Contributor
Solution

Re: Auditing removed accounts

Hi Susan:

If you use SAM to remove an account, SAM will log the event in '/var/sam/log/samlog'. Use the SAM viewer to examine the file either within SAM or with 'samlog_viewer(1)'.

Regards!

...JRF...

Steven E. Protter
Exalted Contributor

Re: Auditing removed accounts

Shalom,

Proof that something does not exist, huh? Only an auditor or an Israeli (I'm just such a nut) could demand such.

Ideas:
1) id username

Idea 1 will show that the user name does not exist. If the command prompt includes the date and time you are good.

2) Log the output of the user removal and split the output with the | tee command. This will create an audit trail.

3) Use trusted system and run a post removal audit report. Note that this has been deprecated in HP-UX 11.31 as an option.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tim Nelson
Honored Contributor

Re: Auditing removed accounts

If SAM was not used as mentioned, then use last to show the last login time, then logins or grep to show the username is no longer there.

A future option would be to write a wrapper script that time stamps when userids were removed.

Something as simple as the below may work, but is certainly fallible.

echo "removing username XYZ" >> logfile
userdel -r XYZ
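
A fuller version of the wrapper idea in the reply above, as an added example that is not code from any poster in this thread: it timestamps each removal, records who ran it and the account's passwd fields (without the password field), and only logs success after confirming the account is gone. The log path, the AUDIT_LOG and USERDEL_CMD variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audited account removal for an HP-UX style system.
# AUDIT_LOG path and all names below are assumptions, not from the thread.
AUDIT_LOG=${AUDIT_LOG:-/var/adm/userdel_audit.log}
USERDEL_CMD=${USERDEL_CMD:-"userdel -r"}   # removal command shown in the post above

stamp()       { date -u '+%Y-%m-%dT%H:%M:%SZ'; }
user_exists() { id "$1" >/dev/null 2>&1; }
audit()       { echo "$(stamp) operator=$AU_OPERATOR user=$AU_USER $*" >> "$AUDIT_LOG"; }

# Returns 0 = removed and verified, 1 = removal failed, 2 = bad name or no such account.
audited_userdel() {
    AU_USER=$1
    AU_OPERATOR=$(logname 2>/dev/null) || AU_OPERATOR=$(id -un)
    # Reject empty or odd names so nothing unexpected reaches the log or userdel.
    case $AU_USER in
        ''|*[!A-Za-z0-9._-]*) echo "usage: audited_userdel username" >&2; return 2 ;;
    esac
    if ! user_exists "$AU_USER"; then
        audit "result=NOT_FOUND"
        return 2
    fi
    # Keep a record of the account (uid, gid, gecos, home, shell) before it disappears.
    AU_ENTRY=$(grep "^$AU_USER:" /etc/passwd 2>/dev/null | cut -d: -f1,3-7)
    [ -n "$AU_ENTRY" ] || AU_ENTRY=none
    audit "action=START entry=\"$AU_ENTRY\""
    # Word splitting of USERDEL_CMD is intentional so it can carry options.
    if AU_OUT=$($USERDEL_CMD "$AU_USER" 2>&1); then AU_RC=0; else AU_RC=$?; fi
    # Trust the lookup, not just the exit code: the account must be gone afterwards.
    if [ "$AU_RC" -eq 0 ] && ! user_exists "$AU_USER"; then
        audit "result=REMOVED rc=0"
        return 0
    fi
    audit "result=FAILED rc=$AU_RC output=\"$AU_OUT\""
    return 1
}

# Run as: audited_userdel.sh username
if [ "$#" -gt 0 ]; then audited_userdel "$1"; fi
```

The log is only useful as audit evidence if ordinary users cannot write to it, so keep it root-owned and not world-writable.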
Susan Pellerito
Advisor

Re: Auditing removed accounts

Thank you all for your advice! I have worked out a method to use the samlog_viewer to collect the necessary information.