Need script to monitor change in /etc/passwd


 
# 1  
Old 09-09-2011
Need script to monitor change in /etc/passwd

Hi All,

From an audit point of view, I need to add a script to my production Solaris servers. It should be able to mail me if any user is added or removed.
That means I should get a mail saying which user was deleted or added in /etc/passwd, i.e. if there is a change in this file, I should be notified via mail.
I am not an expert in scripting. Please help me with the best possible way to implement this.

Regards
Abhishek
# 2  
Old 09-09-2011
Three steps, all run as root:
Code:
cd
cksum /etc/passwd | awk '{print $1}' > passwd.cksum
chmod 700 passwd.cksum

Create this script:
Code:
#!/bin/ksh
cd
value=$(cksum /etc/passwd | awk '{print $1}' )
value2=$( < passwd.cksum)
[ "$value2" = "$value" ] && exit  # everything is okay
/usr/bin echo "/etc/passwd changed" | /usr/bin/mailx -s '/etc/passwd alert'     me@mycompany.com
echo "$value" > passwd.cksum   # store the new checksum to prevent redundant error messages

Don't forget to test it first, and chmod +x your script.

Have it run every 10 minutes-- enter with crontab -e, which should put you in vi:
Code:
0,10,20,30,40,50 * * * *  /path/to/the/script/above/myscript.sh 2> /path/to/log

# 3  
Old 09-09-2011
You may be able to do this without scripting.

Are you using a network management system that receives SNMP traps?

We use HP OM on a few systems and we generate a message (which can be e-mailed) when there is a change to /etc/passwd or /etc/shadow.
# 4  
Old 09-09-2011
This script will also mail the names of deleted/added users, but does not catch other changes:
Code:
#!/bin/bash
ME=myusername@mymailhost
ulistorig=( `cut -d: -f1 /etc/passwd | sort` )
dateorig=`date`
while true; do
  ulistdel=""
  ulistadd=""
  sleep 10
  ulistcurr=( `cut -d: -f1 /etc/passwd | sort` )
  i=0
  j=0
  while [[ $i -lt ${#ulistorig[@]} && $j -lt ${#ulistcurr[@]} ]]; do
    if [[ "${ulistorig[i]}" == "${ulistcurr[j]}" ]]; then
      i=$((i+1))
      j=$((j+1))
    elif [[ "${ulistorig[i]}" < "${ulistcurr[j]}" ]]; then
      ulistdel="$ulistdel ${ulistorig[i]}"
      i=$((i+1))
    else
      ulistadd="$ulistadd ${ulistcurr[j]}"
      j=$((j+1))
    fi
  done
  while [[ $i -lt ${#ulistorig[@]} ]]; do
    ulistdel="$ulistdel ${ulistorig[i]}"
    i=$((i+1))
  done
  # any names left in the current list were added
  while [[ $j -lt ${#ulistcurr[@]} ]]; do
    ulistadd="$ulistadd ${ulistcurr[j]}"
    j=$((j+1))
  done
  if [[ -n "$ulistdel" || -n "$ulistadd" ]]; then
    mailx -s "file changed" $ME <<EOF
changes in file since $dateorig:
  deleted users: $ulistdel
  added users: $ulistadd
EOF
  # echo changes to stdout, too
    cat <<EOF
changes in file since $dateorig:
  deleted users: $ulistdel
  added users: $ulistadd
EOF
    ulistorig=( `echo ${ulistcurr[@]}` )
    dateorig=`date`
  else
    # optional no changes message (for debugging/testing)
    echo "no changes in file since $dateorig"
  fi
done

# 5  
Old 09-09-2011
Hi HFREYER,

This script works well. Thanks a lot for providing it. The only issue is that if I run the script, it keeps on going until we do Control+C.
I want to configure it on multiple servers.

ShawnD41 :- We are not using Network Management System

jim mcnamara :- When I ran this script, it was not sending mail. Its log says the following -
/root/myscript.sh[6]: /usr/bin: cannot execute
/root/myscript.sh[6]: /usr/bin: cannot execute

Regards
# 6  
Old 09-10-2011
Hi solaris_1977,
how do you wish to control the termination of the script? kill? run for some period?
To run it permanently on a remote server, you may start it like this:
Code:
nohup /path/to/script &

Then it will continue running after logout from the remote server.

Hi jim mcnamara,
I don't know why you get the "cannot execute" message. You may try running mailx separately in order to check whether it is correctly installed and whether your configuration is correct:
Code:
echo hello | mailx -s test myusername@mymailhost

# 7  
Old 09-10-2011
Hi hfreyer,

If you run it under nohup, it will keep on running, which will eat CPU time as well.

As for jim mcnamara's script, it does not give me the deleted or added user name in my mail.

I wanted something like this: the script should check once a day (maybe through cron) which user was added to or deleted from the original /etc/passwd file. Maybe I can get a mail like
"user123 deleted from /etc/passwd: Server456"
"user321 added to /etc/passwd: Server456"

Regards
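
The once-a-day check asked for in the last post, as an added example that is not part of any poster's reply: it keeps a sorted baseline of login names, diffs it against the current /etc/passwd with comm, and mails one line per added or deleted user. The names PASSWD_FILE, BASELINE and MAILTO, the baseline path and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: daily account diff for /etc/passwd, run from cron as root.
# PASSWD_FILE, BASELINE and MAILTO are assumed names; set them per host.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
BASELINE=${BASELINE:-/var/adm/passwd.users.baseline}  # root-only location
MAILTO=${MAILTO:-root}

# One login name per line, sorted in the C locale so comm agrees with sort.
list_users() {
    cut -d: -f1 "$1" | LC_ALL=C sort -u
}

# report_changes OLD_LIST NEW_LIST HOST
# Prints one line per added or deleted account, in the post #7 format.
report_changes() {
    LC_ALL=C comm -13 "$1" "$2" | while IFS= read -r u; do
        printf '%s added to %s: %s\n' "$u" "$PASSWD_FILE" "$3"
    done
    LC_ALL=C comm -23 "$1" "$2" | while IFS= read -r u; do
        printf '%s deleted from %s: %s\n' "$u" "$PASSWD_FILE" "$3"
    done
}

# Compare the current user list with the stored baseline, mail any
# differences, then store the current list as the new baseline.
main() {
    umask 077                              # baseline and temp file stay private
    host=$(uname -n)
    new=$(mktemp) || return 1
    list_users "$PASSWD_FILE" > "$new"
    if [ ! -f "$BASELINE" ]; then          # first run: record, report nothing
        mv "$new" "$BASELINE"
        return 0
    fi
    report=$(report_changes "$BASELINE" "$new" "$host")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" |
            mailx -s "/etc/passwd account change on $host" "$MAILTO"
    fi
    mv "$new" "$BASELINE"
}

# Nothing runs unless asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

From cron, call the script with `--run` once a day; the first run only records the baseline and sends nothing. A changed UID, shell or home directory for an existing name is not reported, so the checksum check from post #2 is still useful alongside it.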