
Monitoring user accounts

 
Rob McCarthy
New Member

Monitoring user accounts

I have a request from the security group at the company that I work for. They would like to get a daily report of users who have not accessed their accounts for the last 90 days. We are an HP-UX 11i shop running our system in trusted mode. Is there an auditing tool within the OS that will do this? Are there any freeware scripts out there that would produce this information?
Mark Grant
Honored Contributor

Re: Monitoring user accounts

Not sure on a trusted system but check out the "last" command
Never precede any demonstration with anything more predictive than "watch this"
Steven E. Protter
Exalted Contributor
Solution

Re: Monitoring user accounts

You should be able to process the output of passwd -sa and produce a report yourself.

Alternatively, you can add a line of code to /etc/profile and log accounts as they get used.

echo "$LOGNAME $(date)" >> /var/adm/userlog

Then you can process this file against a user list from /etc/passwd and produce a list of users that have not logged in.

Or, A. Clay Stephenson will post in a little perl script.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Brian Bergstrand
Honored Contributor

Re: Monitoring user accounts

I have a script to do this, but I can't post it because of company restrictions.

I can tell you what you need to do though:

1. Get the GMT time in seconds. I wrote a hello world style C program that prints the result of the time() system call to stdout.

2. Loop through each user in the password file (I skip system accounts) and find the corresponding tcb entry. This can be done by grabbing the first char of the login name and then accessing the file in /tcb/files/auth//

The tcb file contains a field called u_suclog that lists the last successful login in GMT seconds since UNIX epoch.

You then compare these two numbers.

This is a very simplified overview, but it should get you started.

I would say to use /usr/lbin/getprpw, but it outputs the date as a human readable string in the local timezone. That makes for harder numeric operations.

HTH.
A. Clay Stephenson
Acclaimed Contributor

Re: Monitoring user accounts

Brian's approach is basically sound. Rather than using C to get epoch seconds, a far simpler method is simply:
NOW=$(perl -e 'print time')
If it ain't broke, I can fix that.
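
The steps Brian outlines, combined with Clay's way of getting epoch seconds, as an added example that is not a script from any poster in this thread. It assumes each tcb entry sits at AUTH_DIR/first-letter/login with colon-separated fields and numeric fields written as name#value, and that UIDs below 100 are system accounts; the function names and sample users are made up for illustration.

```shell
#!/bin/sh
# Added example: list accounts with no successful login in the last N days,
# based on u_suclog in the trusted-mode tcb entries.
# Assumed layout: AUTH_DIR/<first char of login>/<login>, e.g. u_suclog#1690000000

# last_success AUTH_DIR LOGIN -> epoch seconds of last successful login, or empty
last_success() {
    first=$(printf '%s' "$2" | cut -c1)
    f="$1/$first/$2"
    [ -r "$f" ] || return 0
    # The leading ':' keeps u_unsuclog (last failed login) from matching.
    sed -n 's/.*:u_suclog#\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1
}

# stale_accounts AUTH_DIR PASSWD_FILE NOW DAYS MIN_UID
# Prints "login<TAB>idle-days" or "login<TAB>never" for each account over the limit.
stale_accounts() {
    auth=$1 passwd=$2 now=$3 days=$4 min_uid=$5
    limit=$((days * 86400))
    while IFS=: read -r login _pw uid _rest; do
        case $uid in ''|*[!0-9]*) continue ;; esac    # skip NIS '+' lines etc.
        [ "$uid" -ge "$min_uid" ] || continue         # skip system accounts
        last=$(last_success "$auth" "$login")
        if [ -z "$last" ]; then
            printf '%s\tnever\n' "$login"             # no recorded login at all
        elif [ $((now - last)) -gt "$limit" ]; then
            printf '%s\t%s\n' "$login" $(( (now - last) / 86400 ))
        fi
    done < "$passwd"
}

# Constructed sample data (not from a real system) so the script runs anywhere.
build_sample() {
    mkdir -p "$1/auth/a" "$1/auth/b" "$1/auth/c"
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'alice:*:101:20::/home/alice:/usr/bin/sh' \
        'bob:*:102:20::/home/bob:/usr/bin/sh' \
        'carol:*:103:20::/home/carol:/usr/bin/sh' > "$1/passwd"
    printf 'alice:u_name=alice:u_id#101:\\\n\t:u_suclog#1699000000:chkent:\n' > "$1/auth/a/alice"
    printf 'bob:u_name=bob:u_id#102:\\\n\t:u_suclog#1690000000:u_unsuclog#1699999000:chkent:\n' > "$1/auth/b/bob"
    printf 'carol:u_name=carol:u_id#103:chkent:\n' > "$1/auth/c/carol"
}

tmp=${TMPDIR:-/tmp}/tcbdemo.$$
build_sample "$tmp"
stale_accounts "$tmp/auth" "$tmp/passwd" 1700000000 90 100   # fixed NOW for the demo
rm -rf "$tmp"
# On the real system, run as root from cron:
#   stale_accounts /tcb/files/auth /etc/passwd "$(perl -e 'print time')" 90 100
```

Accounts reported as "never" have no recorded successful login, which usually deserves the same review as an idle account.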
James R. Ferguson
Acclaimed Contributor

Re: Monitoring user accounts

Hi Rob:

Have a look at 'last'. See the man pages.

Regards!

...JRF...