
user expiration

 
Pal_6
Occasional Advisor

user expiration

My task:
I need a script that uses the last log (/var/adm/wtmp) and deletes the dormant user after 90 days.

I've read ALL the posts in here about the subject (even the one about the caljd.sh script).

finger is not allowed, and Trusted System is not an option (company policy).

I am going to set passwd -x 30 so logins -ox will give an output.

The problem is that the boss wants it to be done automatically via cron (that I can fix myself).

It's just the date in last that annoys me...

Anyone?

Regards, Pal
James R. Ferguson
Acclaimed Contributor
Solution

Re: user expiration

Hi Pal:

Probably the easiest way to fetch and filter the data you want is to use '/usr/sbin/acct/fwtmp' to convert the binary data to ASCII. The field immediately before the data is the Epoch number of seconds. This is then easily manipulated to find your dormant users.

Regards!

...JRF...
Court Campbell
Honored Contributor

Re: user expiration

Why not just use INACTIVITY_MAXDAYS in the /etc/default/security file?
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Pal_6
Occasional Advisor

Re: user expiration

Found a script (that I tweaked a bit).
It was originally made for TCB.

I don't remember who wrote it, but thanks to the author.

I don't have a Unix box to try it on, but do you think it will work?

# Check to see if this is a trusted box
#if [ -d /tcb ]
#then
# Section to figure out login date information based on the epoch date records
# in the /tcb/auth/files directory only works on trusted systems
#
# Round about way to get the current epoch number
LOGDIR=/var/adm
TMPLOG=/tmp/wtmp.tmplog
WORKLOG=/tmp/wtmp.worklog

cat $LOGDIR/wtmp > $TMPLOG
# Converting logs from bin to ascii. . . "
cat $TMPLOG |/usr/sbin/acct/fwtmp > $WORKLOG
#inserted reverse sort for non trusted systems
sort -r -k 8 $WORKLOG > $WORKLOG
cat $WORKLOG | awk '{print $8}' > /tmp/dates.out
CURRENT=`/usr/contrib/bin/perl -e "print time"`

# Remaining local variables
NINETY='7776000'
SIXTY='5184000'
THIRTY='2592000'
#FORMULA=echo "0d$NUMBER=Y" | adb
NDAYS=`/usr/bin/expr $CURRENT - $NINETY`
SDAYS=`/usr/bin/expr $CURRENT - $SIXTY`
TDAYS=`/usr/bin/expr $CURRENT - $THIRTY`
NDAYSOUT=/tmp/n.out
SDAYSOUT=/tmp/s.out
TDAYSOUT=/tmp/t.out
GOODDAYS=/tmp/good.out
NORECORD=/tmp/norec.out
USERLIST=/tmp/userlist

# Create file headers
echo "" >> $NDAYSOUT
echo "C. <---- Users who have no login activity over 90 days ---->" >> $NDAYSOUT
echo "" >> $SDAYSOUT
echo "D. <---- Users who have no login activity over 60 days ---->" >> $SDAYSOUT
echo "" >> $TDAYSOUT
echo "E. <---- Users who have no login activity over 30 days ---->" >> $TDAYSOUT
echo "" >> $GOODDAYS
echo "F. <---- Users who have login activity under 30 days ---->" >> $GOODDAYS

# Start processing user accounts
cat /etc/passwd | awk -F: '{print $1}' > /tmp/userlist
for NAME in `cat /tmp/userlist`
do
# changes made to the original Trusted systems script
NUMBER=`cat $WORKLOG | grep $NAME | head -1 | awk '{print $8}'` > /dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$NUMBER" -gt "$TDAYS" ] ; then
echo $NAME >> $GOODDAYS
elif [ "$NUMBER" -le "$TDAYS" -a "$NUMBER" -gt "$SDAYS" ] ;then
echo $NAME >> $TDAYSOUT
elif [ "$NUMBER" -le "$SDAYS" -a "$NUMBER" -gt "$NDAYS" ] ; then
echo $NAME >> $SDAYSOUT
elif [ "$NUMBER" -le "$NDAYS" ] ; then
echo $NAME >> $NDAYSOUT
else
echo $NAME >> /dev/null
fi
else
echo $NAME >> $NORECORD
fi
done

cat $NDAYSOUT $SDAYSOUT $TDAYSOUT >> $OUTPUT
# Uncomment line below to show who has logged in recently
cat $GOODDAYS >> $OUTPUT

# clean up
cat /dev/null > $NDAYSOUT
cat /dev/null > $SDAYSOUT
cat /dev/null > $TDAYSOUT
cat /dev/null > $GOODDAYS
cat /dev/null > $NORECORD
cat /dev/null > $USERLIST
#fi
Court Campbell
Honored Contributor

Re: user expiration

Also I was just looking at the man page for logins. Try this:

#logins -xo

It looks as if the 9th field is the last login date. It looks like a more usable date format.
Pal_6
Occasional Advisor

Re: user expiration

That date is the date you changed the password.
Reshma Malusare
Trusted Contributor

Re: user expiration

Hi Pal,
Refer to the following thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043321

Thanks & Regards
Reshma
Pal_6
Occasional Advisor

Re: user expiration

usermod -f and -e require a security package.



Pal_6
Occasional Advisor

Re: user expiration

OK, this works.

Thanks for all the replies:

# Check to see if this is a trusted box
#if [ -d /tcb ]
#then
# Section to figure out login date information based on the epoch date records
# in the /tcb/auth/files directory only works on trusted systems
#
# Round about way to get the current epoch number
LOGDIR=/var/adm
TMPLOG=/tmp/wtmp.tmplog
WORKLOG=/tmp/wtmp.worklog
WORKLOG1=/tmp/wtmp.worklog1

#cat $LOGDIR/wtmp > $TMPLOG
cp $LOGDIR/wtmp $TMPLOG

# Convert the log from binary to ASCII
cat $TMPLOG |/usr/sbin/acct/fwtmp > $WORKLOG
# insert sort here: newest records first, numerically on the epoch seconds in field 8
sort -rn -k 8,8 $WORKLOG > $WORKLOG1
cp $WORKLOG1 $WORKLOG
cat $WORKLOG | awk '{print $8}' > /tmp/dates.out
CURRENT=`/usr/contrib/bin/perl -e "print time"`

# Remaining local variables
NINETY='7776000'
SIXTY='5184000'
THIRTY='2592000'
#FORMULA=echo "0d$NUMBER=Y" | adb
NDAYS=`/usr/bin/expr $CURRENT - $NINETY`
SDAYS=`/usr/bin/expr $CURRENT - $SIXTY`
TDAYS=`/usr/bin/expr $CURRENT - $THIRTY`
NDAYSOUT=/tmp/n.out
SDAYSOUT=/tmp/s.out
TDAYSOUT=/tmp/t.out
GOODDAYS=/tmp/good.out
NORECORD=/tmp/norec.out
USERLIST=/tmp/userlist

# Create file headers
echo "" >> $NDAYSOUT
echo "C. <---- Users who have no login activity over 90 days ---->" >> $NDAYSOUT
echo "" >> $SDAYSOUT
echo "D. <---- Users who have no login activity over 60 days ---->" >> $SDAYSOUT
echo "" >> $TDAYSOUT
echo "E. <---- Users who have no login activity over 30 days ---->" >> $TDAYSOUT
echo "" >> $GOODDAYS
echo "F. <---- Users who have login activity under 30 days ---->" >> $GOODDAYS

# Start processing user accounts
cat /etc/passwd | awk -F: '{print $1}' > /tmp/userlist
for NAME in `cat /tmp/userlist`
do
    # Newest record whose user field is exactly $NAME (WORKLOG is sorted newest first);
    # a plain grep would also match names that merely contain $NAME
    NUMBER=`awk -v u="$NAME" '$1 == u {print $8; exit}' $WORKLOG`
    # NUMBER is empty when the user has no record in wtmp
    if [ -n "$NUMBER" ]; then
        if [ "$NUMBER" -gt "$TDAYS" ] ; then
            echo $NAME >> $GOODDAYS
        elif [ "$NUMBER" -le "$TDAYS" -a "$NUMBER" -gt "$SDAYS" ] ; then
            echo $NAME >> $TDAYSOUT
        elif [ "$NUMBER" -le "$SDAYS" -a "$NUMBER" -gt "$NDAYS" ] ; then
            echo $NAME >> $SDAYSOUT
        elif [ "$NUMBER" -le "$NDAYS" ] ; then
            echo $NAME >> $NDAYSOUT
        else
            echo $NAME >> /dev/null
        fi
    else
        echo $NAME >> $NORECORD
    fi
done

# OUTPUT is not set anywhere in this excerpt; the default below is a placeholder path
OUTPUT=${OUTPUT:-/tmp/dormant_report.out}
cat $NDAYSOUT $SDAYSOUT $TDAYSOUT >> $OUTPUT
# Also list users who have logged in recently (comment out to omit)
cat $GOODDAYS >> $OUTPUT

# clean up
cat /dev/null > $NDAYSOUT
cat /dev/null > $SDAYSOUT
cat /dev/null > $TDAYSOUT
cat /dev/null > $GOODDAYS
cat /dev/null > $NORECORD
cat /dev/null > $USERLIST
#fi
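
The same classification done in a single awk pass, as an added example that is not part of the thread or any poster's script: it matches the user field exactly, reports accounts with no wtmp record separately, and works in a private directory rather than fixed names under /tmp. The function names classify_logins and demo are hypothetical, the sample records are constructed, and the field layout (user in field 1, epoch seconds in field 8) is taken from the script above.

```shell
#!/bin/sh
# Added example, not from the thread. Field layout follows the thread's script:
# fwtmp ASCII output has the user in field 1 and the epoch seconds in field 8.

# classify_logins FWTMP_ASCII PASSWD NOW_EPOCH -> one "user bucket" line per account
classify_logins() {
    awk -v now="$3" '
        BEGIN { day = 86400 }
        # First file: keep the newest epoch for each exact user name
        FILENAME == ARGV[1] {
            if ($8 ~ /^[0-9]+$/ && (!($1 in last) || $8 + 0 > last[$1]))
                last[$1] = $8 + 0
            next
        }
        # Second file: one passwd entry per line, login name before the first ":"
        {
            split($0, f, ":"); u = f[1]
            if (!(u in last)) { print u, "norecord"; next }
            age = now - last[u]
            if      (age >= 90 * day) b = "over90"
            else if (age >= 60 * day) b = "over60"
            else if (age >= 30 * day) b = "over30"
            else                      b = "active"
            print u, b
        }' "$1" "$2"
}

# demo: run the classifier on constructed records inside a private directory
demo() {
    d="${TMPDIR:-/tmp}/dormant.$$"
    mkdir -m 700 "$d" || return 1   # fails if the path already exists
    now=1200000000                  # fixed "now" keeps the result reproducible
    # Constructed fwtmp-style lines; "al" is a substring of "pal" on purpose
    cat > "$d/wtmp.txt" <<EOF
pal      ts/0 pts/0  1201 7 0000 0000 1199900000 constructed
pal      ts/0 pts/0  1201 8 0000 0000 1199903600 constructed
al       ts/1 pts/1  1302 7 0000 0000 1190000000 constructed
olduser  ts/2 pts/2  1400 7 0000 0000 1196000000 constructed
EOF
    printf '%s\n' 'pal:x:101:20::/home/pal:/sbin/sh' \
        'al:x:102:20::/home/al:/sbin/sh' \
        'olduser:x:103:20::/home/olduser:/sbin/sh' \
        'never:x:104:20::/home/never:/sbin/sh' > "$d/passwd"
    classify_logins "$d/wtmp.txt" "$d/passwd" "$now"
    rm -rf "$d"
}

demo
```

Accounts reported as norecord have no entry in the converted wtmp at all, so they are listed separately rather than counted as dormant.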
Pal_6
Occasional Advisor

Re: user expiration

The manipulation of the ASCII file gave the answer I needed.