Operating System - HP-UX

deactivate new users if NOT accessed the system - NON trusted

Manuel Contreras
Regular Advisor

The following script will deactivate any users who have not accessed the system in X number of days....

I would like to limit this to NEW users only, any suggestions?


You have to copy the /etc/passwd file to a control location, which is re-created after the script is run.

I was thinking this could be initiated via crontab once every 24 hrs...

All input is appreciated,
manuel contreras


#!/bin/sh
# This script checks for new users and deactivates accounts
# if the users have NOT accessed the system in X number of days.
# The usermod.sam command is only echoed for testing; remove the echo
# to actually lock the account.

# Lines present in /etc/passwd but absent from the control copy are the
# accounts added since the last run (diff marks them with "<"); root is skipped.
diff /etc/passwd /usr/local/unix/Security/passwd.copy | grep "<" | egrep -v 'root:' > \
/usr/local/unix/Security/passwd.diff

# Each diff line reads "< user:x:uid:gid:gecos:/home/user:/bin/sh"; the first
# awk produces "< user /home/user", the second keeps just user and home.
awk -F: '{print $1, $6}' /usr/local/unix/Security/passwd.diff | awk '{print $2, $3}' > \
/usr/local/unix/Security/newUSERS.lst

currentD=`date`

for x in `awk '{print $1}' /usr/local/unix/Security/newUSERS.lst`
do
    # NB: plain grep is a substring match, so "user1" also matches "user11".
    usrHOME=`grep $x /usr/local/unix/Security/newUSERS.lst | awk '{print $2}'`
    echo "$usrHOME will be checked"
    # A .sh_history untouched for more than 3 days is taken to mean the
    # account has existed for more than 3 days.
    usrHIST=`find "$usrHOME"/.sh_history -mtime +3 -print`
    echo "$usrHIST"
    if [ -n "$usrHIST" ]
    then
        echo "today is - $currentD "
        echo "the user was created more than 3 days ago - today is $currentD "
        echo ""
        echo "now checking if user has logged on the system"
        # A "wtmp begins ..." line in the output of last is treated by this
        # script as "no login record for the user".
        userSTAT=`last -1 $x | grep begins`
        if [ -n "$userSTAT" ]
        then
            echo "user will be deactivated"
            # '*' is single-quoted so the shell does not expand it as a glob.
            echo "/usr/sam/lbin/usermod.sam -p '*' $x"
            echo ""
        fi
    else
        echo "user has accessed the system recently"
    fi
done

# Refresh the control copy for the next run.
cp /etc/passwd /usr/local/unix/Security/passwd.copy

exit
Manuel Contreras
Regular Advisor

Re: deactivate new users if NOT accessed the system - NON trusted

echo was for testing....

manuel contreras

echo "/usr/sam/lbin/usermod.sam -p "*" $x "
Sridhar Bhaskarla
Honored Contributor
Solution

Re: deactivate new users if NOT accessed the system - NON trusted

Hi,

If I understand your script correctly,

You are taking a difference of passwd.copy and the current passwd file and arriving at the new users. Say a user 'user1' got created just before you ran this script. That user would automatically become 'old' with the command 'cp /etc/passwd /usr/local/unix/Security/passwd.copy'. So, you would need to incorporate further logic to retain the new users until 3 days. I would maintain four files - as newusers.now, newusers.1dayold, newusers.2dayold, newusers.3dayold. Every time the script is run, it checks for each user in all these files and takes the users out of the files if the activity was found. The users left in newusers.3dayold file will be appended to newusers.disabled file and newusers.2dayold will be moved as newusers.3dayold etc.


Also," grep $x /usr/local/unix/Security/newUSERS.lst | awk '{print $2}'" may not work always. For ex., users user1 and user11. So, add a delimiter like ":" or "," while you are making this user list.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Manuel Contreras
Regular Advisor

Re: deactivate new users if NOT accessed the system - NON trusted

you are correct on the logic...It needs further attention.

Maybe I can have another job simply copy /etc/passwd to the control copy once a week, and take this out of the deactiveCHECKER?

thanks,
manuel contreras
Abdul Rahiman
Esteemed Contributor

Re: deactivate new users if NOT accessed the system - NON trusted

One general comment about working with /etc/passwd using HP-UX's grep command. I normally work on Tru64/AIX systems and was recently porting a useradd script to HP-UX. I was using the -w option with the grep command on other flavours and I noted that HP-UX's grep doesn't have the -w option. Finally we ended up downloading the GNU grep (ggrep) utility to replace the HP-UX grep.

The danger with simple grep is that it will give output for partial matching on a word, and in the case of users, it could be costly. For example,
# grep smith newUSERS.lst
smith
smithj
smithjo

where as
# grep -w smith newUSERS.lst, would only give,
smith

This is from experience, and you may want to consider either doing more checks, or using ggrep to do exact word matching in the case of usernames.

HTH,
Abdul.
No unix, no fun
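Putting Sridhar's day-by-day aging files and Abdul's exact-match warning together, here is an added example (not code from this thread, and not tested on HP-UX): new users are recorded in a numbered file per day of age, users who log in are dropped from the watch list, and users still idle at day 3 land in newusers.disabled, where the usermod.sam line would run. Usernames are always compared as whole ':'-delimited fields, so 'smith' never matches 'smithj'. The script runs in a scratch directory with constructed passwd copies and a constructed 'logins' file standing in for the output of last; every path, file name and the sample data are assumptions. In a real cron job, age_new_users would run before find_new_users each day.

```sh
#!/bin/sh
# Added example: age the "new user" list over several days and match
# usernames exactly. Runs in a scratch directory; all paths are assumptions.

WORK=${WORK:-$(mktemp -d)}
PASSWD_NOW="$WORK/passwd"          # stands in for /etc/passwd
PASSWD_COPY="$WORK/passwd.copy"    # control copy, as in the original script
LOGINS="$WORK/logins"              # constructed stand-in for 'last' output
MAX_AGE=3                          # days a new user may stay idle

# Constructed sample data: carol was added since the last run,
# smith has logged in, smithj has not.
cat > "$PASSWD_COPY" <<'EOF'
root:x:0:3::/:/sbin/sh
smith:x:101:20::/home/smith:/usr/bin/sh
smithj:x:102:20::/home/smithj:/usr/bin/sh
EOF
cat > "$PASSWD_NOW" <<'EOF'
root:x:0:3::/:/sbin/sh
smith:x:101:20::/home/smith:/usr/bin/sh
smithj:x:102:20::/home/smithj:/usr/bin/sh
carol:x:103:20::/home/carol:/usr/bin/sh
EOF
cat > "$LOGINS" <<'EOF'
smith  pts/0  Mon Jan  1 09:00
EOF

# Exact match on field 1 of a ':'-delimited file (returns 0 if present).
# Unlike 'grep smith', 'smith' cannot match 'smithj' here.
user_in_file() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Has NAME a login record? Whole-field comparison on the constructed list.
user_has_logged_in() {
    awk -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$LOGINS"
}

# Users in PASSWD_NOW but not in PASSWD_COPY (root excluded) -> newusers.0,
# written as "user:home". Only then is the control copy refreshed, so a user
# created just before the run is not lost, which was Sridhar's point.
find_new_users() {
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen) && $1 != "root" { print $1 ":" $6 }' \
        "$PASSWD_COPY" "$PASSWD_NOW" > "$WORK/newusers.0"
    cp "$PASSWD_NOW" "$PASSWD_COPY"
}

# One daily tick: users who logged in are dropped, everyone else moves one
# day older; users already MAX_AGE days old go to newusers.disabled.
# Oldest file first, so newusers.N is empty by the time newusers.N-1 feeds it.
age_new_users() {
    d=$MAX_AGE
    while [ "$d" -ge 0 ]; do
        f="$WORK/newusers.$d"
        [ -f "$f" ] || { d=$((d - 1)); continue; }
        while IFS=: read -r name home; do
            if user_has_logged_in "$name"; then
                echo "$name has logged in; dropped from the watch list"
            elif [ "$d" -eq "$MAX_AGE" ]; then
                echo "$name:$home" >> "$WORK/newusers.disabled"
                echo "$name idle for $MAX_AGE days; would run: /usr/sam/lbin/usermod.sam -p '*' $name"
            else
                echo "$name:$home" >> "$WORK/newusers.$((d + 1)).tmp"
            fi
        done < "$f"
        rm -f "$f"
        d=$((d - 1))
    done
    for t in "$WORK"/newusers.*.tmp; do
        [ -f "$t" ] && mv "$t" "${t%.tmp}"
    done
    return 0
}

# Demo: one detection run followed by four daily ticks.
find_new_users
i=0
while [ "$i" -lt 4 ]; do
    age_new_users
    i=$((i + 1))
done
echo "disabled: $(cut -d: -f1 "$WORK/newusers.disabled")"
```

With the sample data, carol is carried through newusers.0, .1, .2 and .3 and is written to newusers.disabled on the fourth tick; smith and smithj are never on the list because they already existed in the control copy. Swap the awk field test for 'grep "^$name:"' if you prefer grep, but keep the ':' anchor, since HP-UX grep has no -w.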