Re: Login script

 
SOLVED
Charles Keyser
Frequent Advisor

Login script

How would I set this to show active users? I am not a script guru.

#!/usr/bin/sh
# Show deactivated users in a trusted system
set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

# Probe with modprpw (no arguments) to find out whether this system
# has been converted to trusted mode
NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

# One entry per position of the 7-character lockout string from getprpw
REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout $USER)
    ERR=$?
    if [ $ERR != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi

    # Since multiple reasons may exist in LOCKOUT, process
    # each bit position separately

    if [ $LOCKOUT != "0000000" ]
    then
        print "\nUser $USER deactivated for:"
        for BIT in 1 2 3 4 5 6 7
        do
            REASONBIT=$(echo $LOCKOUT | cut -c $BIT)
            if [ $REASONBIT != 0 ]
            then
                if [ $REASONBIT = 1 ]
                then
                    print " ${REASON[$BIT]}"
                else
                    print " Bad character in lockout: $REASONBIT"
                fi
            fi
        done
    fi
done
Autocross.US
Trusted Contributor
Solution

Re: Login script

This will print both active and inactive users:

#!/usr/bin/sh
# Show deactivated users in a trusted system
set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

# Probe with modprpw (no arguments) to find out whether this system
# has been converted to trusted mode
NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

# One entry per position of the 7-character lockout string from getprpw
REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout $USER)
    ERR=$?
    if [ $ERR != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi

    # Since multiple reasons may exist in LOCKOUT, process
    # each bit position separately

    if [ $LOCKOUT != "0000000" ]
    then
        print "\nUser $USER deactivated for:"
        for BIT in 1 2 3 4 5 6 7
        do
            REASONBIT=$(echo $LOCKOUT | cut -c $BIT)
            if [ $REASONBIT != 0 ]
            then
                if [ $REASONBIT = 1 ]
                then
                    print " ${REASON[$BIT]}"
                else
                    print " Bad character in lockout: $REASONBIT"
                fi
            fi
        done
    else
        # All seven positions are 0: no lockout reason applies
        print "\n\n$USER is active"
    fi
done
I drive way too fast to worry about calories.
Charles Keyser
Frequent Advisor

Re: Login script

Thanks so much. I am going to attempt to add a line to see when the user last logged in and when the password was last changed. Here is another script we use. It shows deactivated users; we would like to show activated ones also, the last time the user changed their password, and whether they have a null password. We have auditors who found a couple of users whose accounts had password aging set to disabled, which violated our policy. I am new here and would like to see the script give all this information. Here it is (help!) to modify:

#!/usr/bin/sh
# Show deactivated users in a trusted system

set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

# Right-justify each value in a 26-column field; NOTSET is padded the
# same way so the "not set" comparisons below match
typeset -R26 MINTM
typeset -R26 EXPTM
typeset -R26 LFTM
typeset -R26 SPWCHG
typeset -R26 UPWCHG
typeset -R26 ACCTEXP
typeset -R26 LLOG
typeset -R26 ULOGINT
typeset -R26 SLOGINY
typeset -R26 UMAXLNTR
typeset -R26 NOTSET="-1"

# One entry per position of the 7-character lockout string from getprpw
REASON[1]="exceeded password lifetime"
REASON[2]="exceeded last login time"
REASON[3]="exceeded absolute account lifetime"
REASON[4]="exceeded unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="administrator lock"
REASON[7]="password is a *"

# Probe with modprpw (no arguments) to find out whether this system
# has been converted to trusted mode
NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout $USER)
    ERR=$?
    if [ $ERR != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi

    # Since multiple reasons may exist in LOCKOUT, process
    # each bit position separately

    if [ $LOCKOUT != "0000000" ]
    then
        print "\nUser $USER deactivated, reason: \c"
        for BIT in 1 2 3 4 5 6 7
        do
            REASONBIT=$(echo $LOCKOUT | cut -c $BIT)
            if [ $REASONBIT != 0 ]
            then
                if [ $REASONBIT = 1 ]
                then
                    print "${REASON[$BIT]}"
                else
                    print "AUDIT error: Bad character in lockout: $REASONBIT"
                fi
            fi
        done

        # Remaining protected password database fields for this user
        MINTM=$(getprpw -r -m mintm $USER)
        EXPTM=$(getprpw -r -m exptm $USER)
        LFTM=$(getprpw -r -m lftm $USER)
        SPWCHG=$(getprpw -r -m spwchg $USER)
        UPWCHG=$(getprpw -r -m upwchg $USER)
        ACCTEXP=$(getprpw -r -m acctexp $USER)
        LLOG=$(getprpw -r -m llog $USER)
        ULOGINT=$(getprpw -r -m ulogint $USER)
        SLOGINY=$(getprpw -r -m sloginy $USER)
        UMAXLNTR=$(getprpw -r -m umaxlntr $USER)

        # Show values only if set (-1 is not set)

        [[ "$MINTM" != "$NOTSET" ]] && \
            print "$MINTM = Min time between PW changes"
        [[ "$EXPTM" != "$NOTSET" ]] && \
            print "$EXPTM = Password expiration time"
        [[ "$LFTM" != "$NOTSET" ]] && \
            print "$LFTM = Password lifetime"
        [[ "$SPWCHG" != "$NOTSET" ]] && \
            print "$SPWCHG = Password was changed"
        [[ "$UPWCHG" != "$NOTSET" ]] && \
            print "$UPWCHG = Password was unsuccessfully changed"
        [[ "$ACCTEXP" != "$NOTSET" ]] && \
            print "$ACCTEXP = account expires"
        [[ "$LLOG" != "$NOTSET" ]] && \
            print "$LLOG = Last successful login"
        [[ "$SLOGINY" != "$NOTSET" ]] && \
            print "$SLOGINY = Terminal used for last successful login"
        [[ "$ULOGINT" != "$NOTSET" ]] && \
            print "$ULOGINT = Last unsuccessful login"
        [[ "$UMAXLNTR" != "$NOTSET" ]] && \
            print "$UMAXLNTR = Max unsuccessful login tries"

    fi
done

print
exit 0
Autocross.US
Trusted Contributor

Re: Login script

I've attached a script that I use to do a similar task with managing expired accounts.

I've added the reason codes from the above script to it. See if this works for you.

One thing I've noticed is that it only prints the last reason code. So if the LOCKOUT is something like 1001001, only the last 1 is actually noted in the output. I can fix this if it's something you may use, but most users are probably locked for one reason, not many.
I drive way too fast to worry about calories.
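The lockout string decoded position by position, so that a value like 1001001 lists every reason rather than only the last one. This is an added example, not one of the scripts from the thread; it is written in portable POSIX sh (printf instead of the ksh print builtin) and uses a constructed user/lockout sample in place of the listusers and getprpw output the scripts above read on a real trusted system.

```shell
#!/bin/sh
# Decode the 7-character lockout string that "getprpw -r -m lockout USER"
# returns on an HP-UX trusted system. Position N is '1' when reason N
# applies, and several positions may be set at once (e.g. 1001001).

# Map a position (1..7) to the reason text used by the thread's scripts.
reason_text() {
    case "$1" in
        1) echo "past password lifetime" ;;
        2) echo "past last login time" ;;
        3) echo "past absolute account lifetime" ;;
        4) echo "exceeding unsuccessful login attempts" ;;
        5) echo "password required and a null password" ;;
        6) echo "admin lock" ;;
        7) echo "password is a *" ;;
    esac
}

# Print every reason set in a lockout string, one per line.
# Prints "active" for 0000000; returns 1 on a malformed string.
decode_lockout() {
    lock=$1
    if [ "${#lock}" -ne 7 ]; then
        echo "AUDIT error: lockout '$lock' is not 7 characters"
        return 1
    fi
    if [ "$lock" = "0000000" ]; then
        echo "active"
        return 0
    fi
    bit=1
    while [ "$bit" -le 7 ]; do
        c=$(printf '%s' "$lock" | cut -c "$bit")
        case "$c" in
            0) ;;
            1) reason_text "$bit" ;;
            *) echo "AUDIT error: bad character '$c' at position $bit"; return 1 ;;
        esac
        bit=$((bit + 1))
    done
}

# Constructed sample in "user lockout" form (not real system output).
SAMPLE='alice 0000000
bob 1001001
carol 0000010
dave 00x0000'

# One line per user, reasons joined with commas.
report() {
    printf '%s\n' "$SAMPLE" | while read -r user lock; do
        printf '%s: ' "$user"
        decode_lockout "$lock" | paste -s -d ',' -
    done
}
```

Replacing SAMPLE with the output of `listusers` piped through `getprpw -r -m lockout` gives the same per-user report on a trusted system.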
Charles Keyser
Frequent Advisor

Re: Login script

I showed my boss and he said thanks. He would like to know if you could add another column to show the last time the password was reset?

Thanks for all of your help
Autocross.US
Trusted Contributor

Re: Login script

Added the SPWCHG value for each user to the last column. See attachment.

I drive way too fast to worry about calories.
Charles Keyser
Frequent Advisor

Re: Login script

Thanks for all of your help. That is exactly what I needed. I appreciate your time on this.

-Charlie
Steven E. Protter
Exalted Contributor

Re: Login script

Shalom,

The output of last with a grep can be used to get last login information, so long as the wtmp file in /var/adm/syslog is not erased or emptied.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
rmueller58
Valued Contributor

Re: Login script

I called Charles's attached script "chkdisable" and execute it with the following:

chkdisable |grep exceed |awk '{print $2}'

To determine any current lockouts.