topic Re: Login script in Operating System - HP-UX

Login script

Charles Keyser — Tue, 09 Dec 2008 19:02:08 GMT

How would I set this to show active users. I am not a script guru

#!/usr/bin/sh
# Show deactivated users in a trusted system
set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
modprpw 1> /dev/null 2>&1
if [ $? -eq 2 ]
then
NOTTRUSTED=/sbin/false
fi
fi

if $NOTTRUSTED
then
print "\n This system is not a Trusted System"
exit 1
fi

REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

for USER in $(listusers | awk '{print $1}')
do
LOCKOUT=$(getprpw -r -m lockout $USER)
ERR=$?
if [ $ERR != 0 ]
then
print "getprpw failed, error = $ERR"
exit $ERR
fi

# Since multiple reasons may exist in LOCKOUT, process
# each bit position separately

if [ $LOCKOUT != "0000000" ]
then
print "\nUser $USER deactivated for:"
for BIT in 1 2 3 4 5 6 7
do
REASONBIT=$(echo $LOCKOUT | cut -c $BIT)
if [ $REASONBIT != 0 ]
then
if [ $REASONBIT = 1 ]
then
print " ${REASON[$BIT]}"
else
print " Bad character in lockout: $REASONBIT"
fi
fi
done
fi
done

Re: Login script

Autocross.US — Tue, 09 Dec 2008 19:53:32 GMT

This will print both active and inactive users:

#!/usr/bin/sh
# Show deactivated users in a trusted system
set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
modprpw 1> /dev/null 2>&1
if [ $? -eq 2 ]
then
NOTTRUSTED=/sbin/false
fi
fi

if $NOTTRUSTED
then
print "\n This system is not a Trusted System"
exit 1
fi

REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

for USER in $(listusers | awk '{print $1}')
do
LOCKOUT=$(getprpw -r -m lockout $USER)
ERR=$?
if [ $ERR != 0 ]
then
print "getprpw failed, error = $ERR"
exit $ERR
fi

# Since multiple reasons may exist in LOCKOUT, process
# each bit position separately

if [ $LOCKOUT != "0000000" ]
then
print "\nUser $USER deactivated for:"
for BIT in 1 2 3 4 5 6 7
do
REASONBIT=$(echo $LOCKOUT | cut -c $BIT)
if [ $REASONBIT != 0 ]
then
if [ $REASONBIT = 1 ]
then
print " ${REASON[$BIT]}"
else
print " Bad character in lockout: $REASONBIT"
fi
fi
done
else
print "\n\n$USER is active"
fi
done

Re: Login script

Charles Keyser — Tue, 09 Dec 2008 20:34:16 GMT

Thanks so much. I am going to attempt to add a line to see when the last time logged in and last time password were change here is another script we use. It shows deactivated, we would like to show activated also, the last time user changed password, if they have a null password. We have auditors who found a couple of users whose accounts for password aging set to disabled which violated our policy. I am new here and would like to see the script give all this information. Here it is (Help) to modify

#!/usr/bin/sh
# Show deactivated users in a trusted system

set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin
typeset -R26 MINTM
typeset -R26 EXPTM
typeset -R26 LFTM
typeset -R26 SPWCHG
typeset -R26 UPWCHG
typeset -R26 ACCTEXP
typeset -R26 LLOG
typeset -R26 ULOGINT
typeset -R26 SLOGINY
typeset -R26 UMAXLNTR
typeset -R26 NOTSET="-1"

REASON[1]="exceeded password lifetime"
REASON[2]="exceeded last login time"
REASON[3]="exceeded absolute account lifetime"
REASON[4]="exceeded unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="administrator lock"
REASON[7]="password is a *"

NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
modprpw 1> /dev/null 2>&1
if [ $? -eq 2 ]
then
NOTTRUSTED=/sbin/false
fi
fi

if $NOTTRUSTED
then
print "\n This system is not a Trusted System"
exit 1
fi

for USER in $(listusers | awk '{print $1}')
do
LOCKOUT=$(getprpw -r -m lockout $USER)
ERR=$?
if [ $ERR != 0 ]
then
print "getprpw failed, error = $ERR"
exit $ERR
fi

# Since multiple reasons may exist in LOCKOUT, process
# each bit position separately

if [ $LOCKOUT != "0000000" ]
then
print "\nUser $USER deactivated, reason: \c"
for BIT in 1 2 3 4 5 6 7
do
REASONBIT=$(echo $LOCKOUT | cut -c $BIT)
if [ $REASONBIT != 0 ]
then
if [ $REASONBIT = 1 ]
then
print "${REASON[$BIT]}"
else
print "AUDIT error: Bad character in lockout: $REASONBIT"
fi
fi
done

MINTM=$(getprpw -r -m mintm $USER)
EXPTM=$(getprpw -r -m exptm $USER)
LFTM=$(getprpw -r -m lftm $USER)
SPWCHG=$(getprpw -r -m spwchg $USER)
UPWCHG=$(getprpw -r -m upwchg $USER)
ACCTEXP=$(getprpw -r -m acctexp $USER)
LLOG=$(getprpw -r -m llog $USER)
ULOGINT=$(getprpw -r -m ulogint $USER)
SLOGINY=$(getprpw -r -m sloginy $USER)
UMAXLNTR=$(getprpw -r -m umaxlntr $USER)

# Show values only if set (-1 is not set)

[[ "$MINTM" != "$NOTSET" ]] && \
print "$MINTM = Min time between PW changes"
[[ "$EXPTM" != "$NOTSET" ]] && \
print "$EXPTM = Password expiration time"
[[ "$LFTM" != "$NOTSET" ]] && \
print "$LFTM = Password lifetime"
[[ "$SPWCHG" != "$NOTSET" ]] && \
print "$SPWCHG = Password was changed"
[[ "$UPWCHG" != "$NOTSET" ]] && \
print "$UPWCHG = Password was unsuccessfully changed"
[[ "$ACCTEXP" != "$NOTSET" ]] && \
print "$ACCTEXP = account expires"
[[ "$LLOG" != "$NOTSET" ]] && \
print "$LLOG = Last successful login"
[[ "$SLOGINY" != "$NOTSET" ]] && \
print "$SLOGINY = Terminal used for last successful login"
[[ "$ULOGINT" != "$NOTSET" ]] && \
print "$ULOGINT = Last unsuccessful login"
[[ "$UMAXLNTR" != "$NOTSET" ]] && \
print "$UMAXLNTR = Max unsuccessful login tries"

fi
done

print
exit 0

Re: Login script

Autocross.US — Tue, 09 Dec 2008 21:21:19 GMT

I've attached a script that i use to do a similar task with managing expired accounts.

I've added the reason codes from the above script to it. See if this works for you.

One thing i've noticed is that it only prints the last reason code. So if the LOCKOUT is something like 1001001, only the last 1 is actually noted in the output. I can fix this if it's something you may use, but most users probably are locked for 1 reason, not many.

Re: Login script

Charles Keyser — Tue, 09 Dec 2008 21:40:18 GMT

I showed my boss and he said thanks, he would like to know if you could add a another column to say last time password was reset?

Thanks for all of your help

Re: Login script

Autocross.US — Tue, 09 Dec 2008 22:12:02 GMT

Added the SPWCHG value for each user to the last column. See attachment.

Re: Login script

Charles Keyser — Mon, 15 Dec 2008 14:29:51 GMT

Thanks for all of your help. That is exactly what I needed. I appreciate your time on this

-Charlie

Re: Login script

Steven E. Protter — Mon, 15 Dec 2008 14:45:14 GMT

Shalom,

last output with a grep can be used to get last login information, so long as the wtmp file in /var/adm/syslog is not erased or emptied.

SEP

Re: Login script

rmueller58 — Mon, 15 Dec 2008 15:58:59 GMT

I called Charles attached script "chkdisable" and execute with the following:

chkdisable |grep exceed |awk '{print $2}'

To determine any current lockouts.