topic Re: user audit scripts in Operating System - Linux

user audit scripts

Kanan — Sun, 25 Mar 2007 02:39:47 GMT

Hi,
I am new to scripting. Could someone have user audit shell scripts for following purpose.

1. List of All Groups and Members of Groups.
Report should looklike
GID --- USERID----Last login date
2. List of Users with no Activity in past six months.

My OS is hp-ux 11.00.

Thanking you in advance,
Kannan

Re: user audit scripts

Steven E. Protter — Sun, 25 Mar 2007 02:52:17 GMT

Shalom,

Your request is not specific enough to provide a complete script. I will give over a few concepts.

/etc/group

This lists all groups and can be used with awk to select other information based on group.

cat /etc/group | awk '{print $1}' > file

while read -r groupname
do
grep $groupname /etc/passwd # awk can be used for refinement

done < file

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=51050

The link above connects to a treasure trove of syadmin scripts. One of them might do exactly what you want.

SEP

Re: user audit scripts

Rasheed Tamton — Sun, 25 Mar 2007 07:15:33 GMT

Hi Kanan,

This is the quickest one you can try at:

--
for i in `awk -F: '{print $1}' /etc/passwd`
do
grep $1 /etc/passwd|cut
last -1 -R $i|grep -v wtmp|grep -v '^ *$'
done
---
and do a man last

If you finetune it with SEP's one you can almost get whatever you want.

There is an system auditing feature availabe on hp-ux also but needs good understanding.

Regards,
Rasheed Tamton.

Re: user audit scripts

Rasheed Tamton — Sun, 25 Mar 2007 07:19:54 GMT

Sorry, I pasted an incomplete script which I was just testing.

The working one is below:

for i in `awk -F: '{print $1}' /etc/passwd`
do
last -1 -R $i|grep -v wtmp|grep -v '^ *$'
done

Rgds,
Rasheed Tamton.

Re: user audit scripts

James R. Ferguson — Sun, 25 Mar 2007 12:02:57 GMT

Hi Kannan:

> I am new to scripting.

Then the best way to begin is to try to _write_ something.

Look at the manpages for 'last(1)', 'listusers(1)' and 'logins(1M)'. These would be very useful in providing the data you want to satisfy your request.

You can use 'cut' or 'awk' to snip fields from either the raw group and password files or from the output of the above commands.

If you need an overview or a re-fresher for the shell, this is brief and free:

http://www.docs.hp.com/en/B2355-90046/B2355-90046.pdf

I would urge you to use the Posix shell as this is the HP-UX standard. It aligns closely with the Korn shell or even the Linux Bash shell to a large extent.

Regards!

...JRF...

Re: user audit scripts

Kanan — Mon, 26 Mar 2007 05:47:21 GMT

Thanks all for immediate response.

How do we check the Users with no activity in last 6 months.?

Also # passwd -s is not working for NIS users. Is there any known issues for password aging feature with NIS.

Thanks,
Anil

Re: user audit scripts

Rasheed Tamton — Mon, 26 Mar 2007 07:03:04 GMT

Hi,

for i in `awk -F: '{print $1}' /etc/passwd`
do
last -1 $i|awk '{print $1, $4, $5}'|grep -v wtmp|grep -v '^ *$'
done

This might give you the last one login from all the users who had logged in the system.

There is an old script from Paula (below link) may be it will be useful for you.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=39611

Reg. NIS, did you check the /etc/nsswitch.conf

May be you need to use passwd -r nis

Regards,
Rasheed Tamton.

Re: user audit scripts

Rasheed Tamton — Mon, 26 Mar 2007 07:14:54 GMT

Hi Anil,

Below is a DIRTY and tricky script with minor changes to the above one.
If you are really looking for a SIMPLE one it will help you for the time being.

for i in `awk -F: '{print $1}' /etc/passwd`
do
last -1 $i|awk '{print $1, $4, $5}'|grep -E 'Mar|Feb|Jan|Dec|Nov|Oct' |grep -v w
tmp|grep -v '^ *$'
done

(I just put the last six months from March backwards!!!)

Regards,
Rasheed Tamton.

Re: user audit scripts

James R. Ferguson — Mon, 26 Mar 2007 08:24:49 GMT

Hi (again):

While '/var/adm/wtmp' and 'last' is the standard vehicle for reading the binary file, the output does not include the _year_ of the entry, only the month.

A more useful mode in which to interpret 'wtmp' data is to transform the binary file into an Ascii text file:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

...or push the data into a pipe:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp | ...

One advantage of this is that the full date (+year) is available let alone the epoch seconds timestamp.

Regards!

...JRF...

Re: user audit scripts

Kanan — Mon, 26 Mar 2007 09:00:23 GMT

I dont have a old version of wtmp. Somebody has cleared it for hoouse keeping purpose. Is there any other way to see the last login info. I have around 1000 users and I need to find out users those are inactive for last 6 months.

thanks,

Re: user audit scripts

Oviwan — Mon, 26 Mar 2007 09:18:43 GMT

Hey

Have you already searched in this forum?

check this thread: http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1006456

Hope this helps a bit.

Regards

Re: user audit scripts

Kanan — Sun, 01 Apr 2007 08:35:51 GMT

does anyone has a shell script to get a report of users with no activity in last 6 months in handy. Its a non-trusted 11.0 environment.

Thanking you in advance,

Re: user audit scripts

Douglas James Cameron — Tue, 03 Apr 2007 15:41:11 GMT

I would follow the advice on the scripts by the others, but play with awk and finger.
For instance,
while (done==0)
finger * | awk '{ print $3,$9,$10,$11,$22,$23,$24 }' >> /finger_info
I'm not sure it would pull it in correctly, and it depende that you have finger installed. What you could do with awk is redirect all the output of finger to a file, and then use the awk getline function to read line by line, then test for the date being within 6 months and print it out to a report file.
Just thoughts, but always far different than reality.

Re: user audit scripts

Kanan — Tue, 10 Apr 2007 00:45:01 GMT

Could some one tell me how do I search for last 6 months from now. I tried some r&d's but didnt got a result.

Thanks.

Re: user audit scripts

Rasheed Tamton — Wed, 11 Apr 2007 02:23:52 GMT

Hi Kannan,
If you have backups of old wtmp files somewhere for the last six months - you can do like this as a workaround:

-Make a backup of the current wtmp file
- restore the old wtmp files,
rename those to different names,
and concatenate those files with the current wtmp and do the above scripts using last or finger on that.

If you want some editing on wtmp you can use :

/usr/lib/acct/fwtmp < wtmp > wtmp.txt
vi wtmp.txt
Convert back the modified wtmp.txt file back to original wtmp
(before this step make sure that you have the original backup of wtmp)

/usr/lib/acct/fwtmp -ic < wtmp.txt > wtmp

Regards,
Rasheed Tamton.