LinuxQuestions.org
Old 10-19-2011, 10:55 AM   #1
theillien
Member
 
Show new user accounts


Due to a contract stipulation, one of our security policies dictates that we stay informed of user accounts when they're added. We aren't required to use LDAP or any other centralized authentication scheme so I'm looking at scripting it. The idea is that it would run once a week letting us know if any accounts were added in the previous week and what they are.

Has anyone else ever done anything like this and is able to provide input on how to approach it? I have a preliminary script which does some file diff'ing, but it is rudimentary and not very effective.
 
Old 10-19-2011, 04:13 PM   #2
XavierP
Moderator
 
Location: Kent, England
Distribution: Debian Testing
It seems as though they are trying to push a big chunk of governance onto the IT department. Surely good practice is for the hiring manager and HR to work together on a new hire, and then the hiring manager will put through the paperwork, which includes a request for a new user account, and will gain approval from a registered approver. Then the service desk (because obviously you are ITIL compliant) will store the request and approval on the CMS, and that will tie up with an account if required. Is there a problem with rogue accounts on your system? If so, it would appear that you have a completely different problem than just logging accounts.
 
Old 10-19-2011, 04:14 PM   #3
theillien
Member
 
Original Poster
We don't have rogue accounts at the moment, but due to compliance we need to track such things to ensure we are not letting any slip through and go unnoticed.
 
Old 10-19-2011, 04:38 PM   #4
unSpawn
Moderator
 
I agree standard procedures should be the start of the audit trail in terms of authorization and authentication. Practically speaking there's no need to script anything on PAM-aware systems as it logs any account manipulation which Logwatch then can report about. Same goes for audit-aware systems but then you want ausearch / aureport.
 
Old 10-19-2011, 04:54 PM   #5
theillien
Member
 
Original Poster
That's all well and good and I appreciate your input. However, the problem still stands. I need to send a report of new accounts that have been created on a weekly basis.

Can anyone help with this rather than offer opinion on policy?
 
Old 10-19-2011, 05:03 PM   #6
unSpawn
Moderator
 
So Logwatch is of no use to you?
 
Old 10-19-2011, 05:33 PM   #7
theillien
Member
 
Original Poster
Can logwatch send me an email that lists only the accounts created in the last week without all the other stuff but also send me an email every week with all the other stuff?
 
Old 10-19-2011, 05:40 PM   #8
unSpawn
Moderator
 
See 'man logwatch', the "--service pam" part? Else just cronjob an 'egrep "(user|group)add" /var/log/secure'.
 
Old 10-20-2011, 09:44 AM   #9
White Tea Citrus
LQ Newbie
 
Location: Slovakia
Distribution: Trisquel 5.0 Dagda
Hello!

Here is a fine script:

#!/bin/bash

LOGDIR=~/desiredlogdirectory
mkdir -p "$LOGDIR"
# Snapshot the current user names, sorted alphabetically (a numeric sort makes no sense for names)
awk -F: '{ print $1 }' /etc/passwd | sort > "$LOGDIR/passwd.newweek"
# On the very first run there is no previous snapshot, so compare against an empty one
[ -f "$LOGDIR/passwd.oldweek" ] || : > "$LOGDIR/passwd.oldweek"
# Names only in the new snapshot are the additions; diff marks them with '<' (this works for any number of hunks)
diff "$LOGDIR/passwd.newweek" "$LOGDIR/passwd.oldweek" | sed -n 's/^< //p' > "$LOGDIR/newusers.week$(date +%V)"
sed -i '1s/^/Please welcome our new users:\n/' "$LOGDIR/newusers.week$(date +%V)"
mv "$LOGDIR/passwd.newweek" "$LOGDIR/passwd.oldweek"
wall < "$LOGDIR/newusers.week$(date +%V)"


What do you think?
 
Old 10-27-2011, 10:49 AM   #10
theillien
Member
 
Original Poster
I appreciate the input.

This is the meat of what I've come up with:

Code:
#!/bin/bash

# Collect the names from the "new user:" lines that useradd writes to the log (field 8 of the
# default syslog layout is "name=foo,"). "grep -v COMMAND" drops sudo's own log lines.
# "done < $(...)" treats the command's output as a file name to read from, which is what
# produced ": No such file or directory"; process substitution "< <(...)" reads the output itself.
newusers=()
while read -r line
do
        newusers+=("$line")
done < <(grep "new user" /var/log/secure |grep -v COMMAND |grep -v group |awk '{print $8}' |awk -F= '{print $2}' |sed 's/,$//')
printf '%s\n' "${newusers[@]}"
I need to sort out how to best do this and only find entries from the previous week (search the previously rotated secure log or will the existing one work, etc.)

The only issue I think I'm going to have with this is that when I run the above to test that it works, the last entry shows up with ": No such file or directory" appended. Why would that happen?

-Mathew
 
Old 10-30-2011, 10:59 AM   #11
White Tea Citrus
LQ Newbie
 
Location: Slovakia
Distribution: Trisquel 5.0 Dagda
Hello Mathew,

I'm working on a solution.

Filip

Last edited by White Tea Citrus; 10-30-2011 at 01:03 PM.
 
Old 10-30-2011, 01:16 PM   #12
White Tea Citrus
LQ Newbie
 
Location: Slovakia
Distribution: Trisquel 5.0 Dagda
Script for weekly report of new and deleted users to be put into crontab

Mathew,

So I prepared a script for what you were trying to do:

Code:
#!/bin/bash

LOGDIR=~/YourLogDirectory
THISWEEK=$(date +%V)
# 10# forces decimal (so weeks 08 and 09 are not rejected as bad octal by $(( ))), and
# %02d keeps the zero padding that date +%V used when last week's file was written
LASTWEEK=$(printf '%02d' $(( 10#$THISWEEK - 1 )))
mkdir -p "$LOGDIR"

if [ -f "$LOGDIR/authlog.week$LASTWEEK" ]
then
        cat /var/log/auth.log > "$LOGDIR/authlog.new"
        # The last line of last week's report is the log line that was current then; escape [ and ]
        # so grep can use it as a pattern (see the note below the script)
        TOBEGREPPED1=$(tail -n1 "$LOGDIR/authlog.week$LASTWEEK" | sed "s/\[/\\\[/g" | sed "s/\]/\\\]/g")
        # Line number of that bookmark in the current log; head -n1 guards against a repeated line,
        # and an empty result (bookmark already rotated away) makes tail start from line 1
        THELINENO2=$(grep -n "$TOBEGREPPED1" "$LOGDIR/authlog.new" | head -n1 | cut -d: -f1)
        tail -n+$(( ${THELINENO2:-0} + 1 )) "$LOGDIR/authlog.new" > "$LOGDIR/authlog.week_$THISWEEK"
        grep -e "new user" -e "delete user" "$LOGDIR/authlog.week_$THISWEEK" > "$LOGDIR/authlog.week$THISWEEK"
        echo "Here is the last timestamp for logrotate" >> "$LOGDIR/authlog.week$THISWEEK"
        tail -n1 /var/log/auth.log >> "$LOGDIR/authlog.week$THISWEEK"
        rm -f "$LOGDIR/authlog.new" "$LOGDIR/authlog.week_$THISWEEK"
# "[ -a file* ]" fails with "too many arguments" once the glob matches more than one file
elif ls "$LOGDIR"/authlog.week* >/dev/null 2>&1
then
        tail -n1 /var/log/auth.log > "$LOGDIR/authlog.week$THISWEEK"
        sed -i '1s/^/No new users were added however here is the timestamp for log rotation:\n/' "$LOGDIR/authlog.week$THISWEEK"
else
        grep -e "new user" -e "delete user" /var/log/auth.log > "$LOGDIR/authlog.week$THISWEEK"
fi
The sed there puts a backslash before any [ and ] so the whole last line of the previous week's log can be grepped. If you don't have an auth.log file, you'll probably have to add this sed for every char that causes grep to fail. For the grep part, you can use yours.

I hope you'll enjoy the script as I do.

Filip

Last edited by White Tea Citrus; 10-31-2011 at 11:02 AM.
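The "previous week" question raised in post #10, the 'egrep ... /var/log/secure' suggestion in post #8 and the bookmark approach in post #12, as an added example that is not from any of the posters: a bash function that selects useradd/userdel entries from the last N days by their syslog timestamp, reading the rotated log as well as the live one so nothing is lost when logrotate runs mid-week. It assumes the traditional "Mon DD HH:MM:SS" syslog timestamp, GNU date, and a rotated file named secure.1 (logrotate's dateext option names it differently); the sample log lines are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): list accounts added or deleted in the last
# DAYS days from the useradd/userdel lines in the auth log. It reads the current
# log and its rotated predecessor so a logrotate during the week loses nothing.
# Traditional syslog timestamps carry no year, so the year of NOW is assumed and a
# date that would land in the future is taken to be from the previous year.

# account_changes DAYS NOW_EPOCH LOGFILE...   (name the rotated file first)
account_changes() {
    local days=$1 now=$2; shift 2
    local cutoff year mon day time rest ts
    cutoff=$(( now - days * 86400 ))
    year=$(date -d "@$now" +%Y)
    # Keep only useradd/userdel's own messages; a sudo "COMMAND=/usr/sbin/useradd"
    # line is a request, not a created account, and does not match this pattern.
    cat "$@" 2>/dev/null | grep -E 'user(add|del)\[[0-9]+\]: (new user: |delete user )' |
    while read -r mon day time _ _ _ _ rest; do
        ts=$(date -d "$mon $day $year $time" +%s 2>/dev/null) || continue
        [ "$ts" -gt "$now" ] && ts=$(date -d "$mon $day $((year - 1)) $time" +%s)
        [ "$ts" -ge "$cutoff" ] || continue
        case "$rest" in
            name=*) printf 'ADDED   %s %s %s %s\n' "$mon" "$day" "$time" "${rest%%,*}" ;;
            *)      printf 'DELETED %s %s %s %s\n' "$mon" "$day" "$time" "$rest" ;;
        esac
    done
}

# Constructed sample logs (not real data) standing in for /var/log/secure.1 and
# /var/log/secure; "now" is pinned to Oct 24 12:00 so the window is Oct 17 to 24.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/secure.1" <<'EOF'
Oct 10 08:00:01 web1 useradd[2101]: new user: name=olduser, UID=1005, GID=1005, home=/home/olduser, shell=/bin/bash
Oct 20 09:15:42 web1 useradd[2210]: new user: name=alice, UID=1006, GID=1006, home=/home/alice, shell=/bin/bash
EOF
    cat > "$dir/secure" <<'EOF'
Oct 21 17:03:11 web1 sudo:   admin : TTY=pts/0 ; PWD=/root ; COMMAND=/usr/sbin/useradd bob
Oct 21 17:03:11 web1 useradd[2388]: new user: name=bob, UID=1007, GID=1007, home=/home/bob, shell=/bin/sh
Oct 22 11:30:05 web1 userdel[2401]: delete user 'olduser'
EOF
    account_changes 7 "$(date -d "$(date +%Y)-10-24 12:00:00" +%s)" "$dir/secure.1" "$dir/secure"
    rm -rf "$dir"
}

# Weekly cron use: account_changes 7 "$(date +%s)" /var/log/secure.1 /var/log/secure | mail -s "Account changes" root
demo
```

The demo prints only alice, bob and the deletion of olduser; the Oct 10 entry is older than the window and the sudo line is ignored.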
 
  

