Operating System - HP-UX

Logging users' invocations of /usr/bin/passwd

 
Ralph Grothe
Honored Contributor

Hi SysWizs,

simple issue,
I need to keep a log of every invocation of the passwd command by users.

At first I thought this should be easy to accomplish through the syslogd.

But perusing the related manpages (e.g. about specially configuring syslog.conf etc.) wasn't much of a revelation.

Does this mean I will have to write a small wrapper script (around passwd with an added logger(1) command or so) myself?

Albeit, I presumed that HP-UX already has a more conventional solution to this.

Rgds.

Ralph
Madness, thy name is system administration
Armin Feller
Honored Contributor

Re: Logging users' invocations of /usr/bin/passwd

restrict the permissions of:

/sbin/passwd
/usr/bin/passwd
/usr/old/bin/passwd

to root only or to a special user group configured in /etc/groups.
Ralph Grothe
Honored Contributor

Re: Logging users' invocations of /usr/bin/passwd

Armin,

probably I haven't understood your suggested measure.

The users shall still be able to change their passwords.

It's only that these incidents shall be logged.
Madness, thy name is system administration
Dietmar Konermann
Honored Contributor

Re: Logging users' invocations of /usr/bin/passwd

Ralph,

I'm afraid, you need to write your wrapper script. No logging feature I'm aware of... at least for the simple /etc/passwd based passwd db.

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
Stefan Farrelly
Honored Contributor

Re: Logging users' invocations of /usr/bin/passwd

Yes, you need to switch auditing on. See /etc/rc.config.d/auditing and /sbin/init.d/auditing

Once set on, if someone runs the passwd binary and either succeeds in changing their password or fails, you get these entries in the audit log (which you can display with audisp):

SELF-AUDITING TEXT: User= ops_sf Passwd successfully changed

I'm from Palmerston North, New Zealand, but somehow ended up in London...
Zeev Schultz
Honored Contributor

Re: Logging users' invocations of /usr/bin/passwd

Basically you can enable auditing (with trusted system) and monitor specific or all of your users' activity. Pros - good idea to see what's going on. Cons - complicated to use + needs trusted system.

Zeev
So computers don't think yet. At least not chess computers. - Seymour Cray
Ralph Grothe
Honored Contributor

Re: Logging users' invocations of /usr/bin/passwd

Many thanks for the suggestions.

I have to read about the auditing facility, and what its implications are.

Meanwhile I have come up myself with this quick'n'dirty hack.

In syslog.conf I inserted the following:

$ grep local /etc/syslog.conf
local0.info /var/adm/syslog/passwd.log

Then I sent syslogd a SIGHUP

kill -1 $(cat /var/run/syslogd.pid)

and in the /etc/profile (so far the users have Bourne shells at login) I defined this silly function:

passwd() {
    # record who invoked passwd; -i adds the PID, local0.info matches the syslog.conf rule above
    /usr/bin/logger -p local0.info -i "$LOGNAME invoked passwd"
    # hand every argument through unchanged (the original branch only forwarded $1,
    # silently dropping any further arguments)
    /usr/bin/passwd "$@"
}

Provided the user sticks with his login shell this seems to work reasonably, and I get entries like this:

$ tail -1 /var/adm/syslog/passwd.log
Feb 19 14:08:12 somehost someone[29627]: someone invoked passwd


But I guess this solution has too many deficiencies.
Madness, thy name is system administration
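A more complete version of the wrapper idea from the post above, added here as an example and not code from the thread: it logs who invoked passwd, from which tty, for which account, and the real exit status, so a failed change is distinguishable from a successful one in passwd.log. PASSWD_BIN and LOGGER are assumed (hypothetical) variables so the real binaries can be swapped out when testing.

```shell
#!/bin/sh
# Added example, not from the original thread. Logs to local0.info so the
# syslog.conf rule above (local0.info -> /var/adm/syslog/passwd.log) picks it up.
# Assumed, overridable paths: PASSWD_BIN is the real passwd, LOGGER is logger(1).
PASSWD_BIN="${PASSWD_BIN:-/usr/bin/passwd}"
LOGGER="${LOGGER:-/usr/bin/logger}"

# passwd_log_msg WHO TTY TARGET STATUS
# Builds the one-line message; STATUS is "start" or the exit code of passwd.
passwd_log_msg() {
    printf 'user=%s tty=%s target=%s status=%s' "$1" "$2" "$3" "$4"
}

# passwd_wrapper [passwd args...]
# Logs the attempt, runs the real passwd with all arguments, logs the result
# and returns passwd's own exit status so callers see the same behaviour.
passwd_wrapper() {
    who="${LOGNAME:-$(id -un)}"
    if tty -s 2>/dev/null; then tty_name=$(tty); else tty_name=none; fi
    # passwd with no operand changes the caller's own password
    target="${1:-$who}"
    $LOGGER -p local0.info -t passwd-wrapper \
        "$(passwd_log_msg "$who" "$tty_name" "$target" start)"
    "$PASSWD_BIN" "$@"
    rc=$?
    $LOGGER -p local0.info -t passwd-wrapper \
        "$(passwd_log_msg "$who" "$tty_name" "$target" "$rc")"
    return $rc
}
```

Defining `passwd() { passwd_wrapper "$@"; }` in /etc/profile reproduces the thread's approach; a user who runs /usr/bin/passwd by full path or from a non-login shell still bypasses it, which is why the auditing subsystem mentioned earlier remains the authoritative record.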
monasingh_1
Trusted Contributor

Re: Logging users' invocations of /usr/bin/passwd

Just another one is to check the passwd file and see if it changed in the last few minutes. At any interval in cron, copy the passwd file to passwd.xyz and if at the next occurrence you see it changed, then diff to see who all changed passwd. Well, it may not give the real number of changes if a user changed passwd many times before you ran the program next.

Meanwhile I am thinking myself if your passwd program should be changed to /usr/bin/passwd so that no user can directly run /usr/bin/passwd and avoid getting logged...
John Meissner
Esteemed Contributor

Re: Logging users' invocations of /usr/bin/passwd

just a suggestion:

alias the passwd command to a script you create that logs all the info and runs the passwd command.

script:

#!/bin/sh
# append the caller's login name and the time to the log
# (the original put the redirection inside the quotes, so nothing was written to the file)
echo "`logname` `date`" >> passwd.log
# run the real passwd with whatever arguments were given
/usr/bin/passwd "$@"

#end

you could try something simple like this and it would only have pertinent info for you... no searching through syslog to find what you want.
All paths lead to destiny