
user audit scripts

 
Kanan
Occasional Advisor

user audit scripts

Hi,
I am new to scripting. Does someone have user audit shell scripts for the following purposes?

1. List of All Groups and Members of Groups.
Report should look like
GID --- USERID----Last login date
2. List of Users with no Activity in past six months.

My OS is hp-ux 11.00.

Thanking you in advance,
Kannan
Steven E. Protter
Exalted Contributor

Re: user audit scripts

Shalom,

Your request is not specific enough to provide a complete script. I will go over a few concepts.

/etc/group

This lists all groups and can be used with awk to select other information based on group.


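# Field 1 of /etc/group is the group name, field 3 is the GID
awk -F: '{print $1, $3}' /etc/group > file

while read -r groupname gid
do
# Print accounts whose primary GID (field 4 of /etc/passwd) is this group
awk -F: -v g="$gid" '$4 == g' /etc/passwd # awk can be used for refinement

done < file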


http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=51050

The link above connects to a treasure trove of sysadmin scripts. One of them might do exactly what you want.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rasheed Tamton
Honored Contributor

Re: user audit scripts

Hi Kanan,

This is the quickest one you can try at:

--
for i in `awk -F: '{print $1}' /etc/passwd`
do
grep $1 /etc/passwd|cut
last -1 -R $i|grep -v wtmp|grep -v '^ *$'
done
---
and do a man last

If you fine-tune it with SEP's one you can almost get whatever you want.

There is a system auditing feature available on HP-UX also, but it needs good understanding.

Regards,
Rasheed Tamton.
Rasheed Tamton
Honored Contributor

Re: user audit scripts

Sorry, I pasted an incomplete script which I was just testing.

The working one is below:

for i in `awk -F: '{print $1}' /etc/passwd`
do
last -1 -R $i|grep -v wtmp|grep -v '^ *$'
done


Rgds,
Rasheed Tamton.
James R. Ferguson
Acclaimed Contributor

Re: user audit scripts

Hi Kannan:

> I am new to scripting.

Then the best way to begin is to try to _write_ something.

Look at the manpages for 'last(1)', 'listusers(1)' and 'logins(1M)'. These would be very useful in providing the data you want to satisfy your request.

You can use 'cut' or 'awk' to snip fields from either the raw group and password files or from the output of the above commands.

If you need an overview or a re-fresher for the shell, this is brief and free:

http://www.docs.hp.com/en/B2355-90046/B2355-90046.pdf

I would urge you to use the Posix shell as this is the HP-UX standard. It aligns closely with the Korn shell or even the Linux Bash shell to a large extent.

Regards!

...JRF...
Kanan
Occasional Advisor

Re: user audit scripts

Thanks all for immediate response.

How do we check the users with no activity in the last 6 months?

Also, # passwd -s is not working for NIS users. Are there any known issues with the password aging feature with NIS?

Thanks,
Anil

Rasheed Tamton
Honored Contributor

Re: user audit scripts

Hi,

for i in `awk -F: '{print $1}' /etc/passwd`
do
last -1 $i|awk '{print $1, $4, $5}'|grep -v wtmp|grep -v '^ *$'
done

This might give you the last login for all the users who have logged in to the system.

There is an old script from Paula (link below); maybe it will be useful for you.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=39611

Regarding NIS, did you check /etc/nsswitch.conf?

Maybe you need to use passwd -r nis

Regards,
Rasheed Tamton.
Rasheed Tamton
Honored Contributor

Re: user audit scripts

Hi Anil,

Below is a DIRTY and tricky script with minor changes to the above one.
If you are really looking for a SIMPLE one it will help you for the time being.

for i in `awk -F: '{print $1}' /etc/passwd`
do
last -1 $i|awk '{print $1, $4, $5}'|grep -E 'Mar|Feb|Jan|Dec|Nov|Oct' |grep -v wtmp|grep -v '^ *$'
done


(I just put the last six months from March backwards!!!)

Regards,
Rasheed Tamton.
James R. Ferguson
Acclaimed Contributor

Re: user audit scripts

Hi (again):

While '/var/adm/wtmp' and 'last' is the standard vehicle for reading the binary file, the output does not include the _year_ of the entry, only the month.

A more useful mode in which to interpret 'wtmp' data is to transform the binary file into an Ascii text file:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

...or push the data into a pipe:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp | ...

One advantage of this is that the full date (+year) is available let alone the epoch seconds timestamp.

Regards!

...JRF...
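
Added example (not part of the original thread, and not any poster's code): a POSIX shell function that takes the text produced by fwtmp, as described in the reply above, and uses its epoch-seconds field to list accounts with no login in the last N days. The column layout of the fwtmp text, the function name inactive_users and the sample data are assumptions constructed for illustration; check the layout against your own fwtmp output.

```sh
#!/bin/sh
# ASSUMED fwtmp text layout (verify against your own output):
#   user id line pid type exit_term exit_status epoch date-text...
# Type 7 is USER_PROCESS, i.e. a login record.

# inactive_users NOW_EPOCH DAYS PASSWD_FILE FWTMP_TEXT
# Prints "user last_epoch" for stale accounts, "user never" if no login record.
inactive_users() {
    awk -F: -v now="$1" -v days="$2" -v wtmp="$4" '
        BEGIN {
            cutoff = now - days * 86400
            # Pass 1: newest login epoch per user from the fwtmp text.
            while ((getline line < wtmp) > 0) {
                n = split(line, f, " ")
                if (n >= 8 && f[5] + 0 == 7 && f[8] + 0 > last[f[1]] + 0)
                    last[f[1]] = f[8]
            }
        }
        # Pass 2: check every account listed in the passwd file.
        !($1 in last)          { print $1, "never"; next }
        last[$1] + 0 < cutoff  { print $1, last[$1] }
    ' "$3"
}

# Constructed sample data, not taken from a real system.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
alice:x:101:20::/home/alice:/sbin/sh
bob:x:102:20::/home/bob:/sbin/sh
carol:x:103:20::/home/carol:/sbin/sh
EOF
cat > "$tmp/wtmp.txt" <<'EOF'
alice ts/0 pts/0 2001 7 0000 0000 1117929600 Jun  5 00:00:00 2005
bob   ts/1 pts/1 2002 7 0000 0000 1126569600 Sep 13 00:00:00 2005
bob   ts/1 pts/1 2002 8 0000 0000 1126573200 Sep 13 01:00:00 2005
alice ts/0 pts/0 2003 7 0000 0000 1142985600 Mar 22 00:00:00 2006
EOF

# Fixed "now" so the demo is repeatable. For a live run, POSIX awk can
# supply the epoch: NOW=$(awk 'BEGIN { srand(); print srand() }')
NOW=1143849600
inactive_users "$NOW" 180 "$tmp/passwd" "$tmp/wtmp.txt"
```

A "never" result only means there is no login record in the wtmp data supplied; if wtmp has been truncated, the account may still have been used before the oldest retained record.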

Kanan
Occasional Advisor

Re: user audit scripts

I don't have an old version of wtmp. Somebody has cleared it for housekeeping purposes. Is there any other way to see the last login info? I have around 1000 users and I need to find out the users who have been inactive for the last 6 months.

thanks,

Oviwan
Honored Contributor

Re: user audit scripts

Hey

Have you already searched in this forum?

check this thread: http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1006456

Hope this helps a bit.

Regards
Kanan
Occasional Advisor

Re: user audit scripts

Does anyone have a shell script handy to get a report of users with no activity in the last 6 months? It's a non-trusted 11.0 environment.

Thanking you in advance,
Douglas James Cameron
Occasional Advisor

Re: user audit scripts

I would follow the advice on the scripts by the others, but play with awk and finger.
For instance,
while (done==0)
finger * | awk '{ print $3,$9,$10,$11,$22,$23,$24 }' >> /finger_info
I'm not sure it would pull it in correctly, and it depends on you having finger installed. What you could do with awk is redirect all the output of finger to a file, and then use the awk getline function to read line by line, then test for the date being within 6 months and print it out to a report file.
Just thoughts, but always far different than reality.
Kanan
Occasional Advisor

Re: user audit scripts

Could someone tell me how I search for the last 6 months from now? I tried some R&D but didn't get a result.

Thanks.
Rasheed Tamton
Honored Contributor

Re: user audit scripts

Hi Kannan,
If you have backups of old wtmp files somewhere for the last six months, you can do this as a workaround:

- Make a backup of the current wtmp file,
- restore the old wtmp files,
- rename those to different names,
- and concatenate those files with the current wtmp and run the above scripts using last or finger on that.

If you want some editing on wtmp you can use :

/usr/lib/acct/fwtmp < wtmp > wtmp.txt
vi wtmp.txt
Convert back the modified wtmp.txt file back to original wtmp
(before this step make sure that you have the original backup of wtmp)

/usr/lib/acct/fwtmp -ic < wtmp.txt > wtmp

Regards,
Rasheed Tamton.