Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Due to a contract stipulation, one of our security policies dictates that we stay informed of user accounts when they're added. We aren't required to use LDAP or any other centralized authentication scheme so I'm looking at scripting it. The idea is that it would run once a week letting us know if any accounts were added in the previous week and what they are.
Has anyone else ever done anything like this and is able to provide input on how to approach it? I have a preliminary script which does some file diff'ing, but it is rudimentary and not very effective.
It seems as though they are trying to push a big chunk of governance onto the IT department. Surely good practice is for the hiring manager and HR to work together on a new hire, and then the hiring manager will put through the paperwork, which includes a request for a new user account, and will gain approval from a registered approver. Then the service desk (because obviously you are ITIL compliant) will store the request and approval on the CMS, and that will tie up with an account if required. Is there a problem with rogue accounts on your system? If so, it would appear that you have a completely different problem than just logging accounts.
We don't have rogue accounts at the moment, but due to compliance we need to track such things to ensure we are not letting any slip through and go unnoticed.
I agree standard procedures should be the start of the audit trail in terms of authorization and authentication. Practically speaking there's no need to script anything on PAM-aware systems as it logs any account manipulation which Logwatch then can report about. Same goes for audit-aware systems but then you want ausearch / aureport.
That's all well and good and I appreciate your input. However, the problem still stands. I need to send a report of new accounts that have been created on a weekly basis.
Can anyone help with this rather than offer opinion on policy?
Can logwatch send me an email that lists only the accounts created in the last week without all the other stuff but also send me an email every week with all the other stuff?
#!/bin/bash
# Pull account names from useradd's "new user: name=..." lines in /var/log/secure;
# -v COMMAND drops sudo lines that only mention useradd, -v group drops "new group:" lines.
# The loop must read from a process substitution <( ... ): the original "< $(...)" used the
# grep output as a *file name*, which is where ": No such file or directory" came from.
while read -r line
do
    arr+=("$line")    # accumulate one name per line (arr=($line) overwrote it on every pass)
done < <(grep "new user" /var/log/secure | grep -v COMMAND | grep -v group | awk '{print $8}' | awk -F= '{print $2}' | sed 's/,$//')
I need to sort out how to best do this and only find entries from the previous week (search the previously rotated secure log or will the existing one work, etc.)
The only issue I think I'm going to have with this is that when I run the above to test that it works, the last entry shows up with ": No such file or directory" appended. Why would that happen?
Script for weekly report of new and deleted users to be put into crontab
Mathew,
So I prepared a script for what you were trying to do:
Code:
#!/bin/bash
# Weekly report of "new user" / "delete user" lines from /var/log/auth.log.
# The last line of each week's report is kept as a marker so the next run can
# find where it left off. Needs GNU date and sed. Run once a week from cron.
LOGDIR=~/YourLogDirectory
AUTHLOG=/var/log/auth.log
THISWEEK=$(date +%V)
# 10# forces decimal ("08"/"09" would otherwise be rejected as octal by bash arithmetic);
# %02d zero-pads the result so it matches the file names written with %V below.
LASTWEEK=$(printf '%02d' $(( 10#$THISWEEK - 1 )))
if [ -e "$LOGDIR/authlog.week$LASTWEEK" ]
then
    cp "$AUTHLOG" "$LOGDIR/authlog.new"
    # Escape [ and ] so grep treats the marker line literally (see the note below)
    TOBEGREPPED1=$(tail -n1 "$LOGDIR/authlog.week$LASTWEEK" | sed 's/\[/\\[/g; s/\]/\\]/g')
    # First line of the fresh copy that matches the marker; empty if the log was rotated since
    THELINENO2=$(grep -n "$TOBEGREPPED1" "$LOGDIR/authlog.new" | head -n1 | cut -d: -f1)
    tail -n+$(( ${THELINENO2:-0} + 1 )) "$LOGDIR/authlog.new" > "$LOGDIR/authlog.week_$THISWEEK"
    grep -e "new user" -e "delete user" "$LOGDIR/authlog.week_$THISWEEK" > "$LOGDIR/authlog.week$THISWEEK"
    echo "Here is the last timestamp for logrotate" >> "$LOGDIR/authlog.week$THISWEEK"
    tail -n1 "$AUTHLOG" >> "$LOGDIR/authlog.week$THISWEEK"
    rm -f "$LOGDIR/authlog.new" "$LOGDIR/authlog.week_$THISWEEK"
elif compgen -G "$LOGDIR/authlog.week*" > /dev/null
then
    # An earlier report exists but not last week's: only record a fresh marker
    tail -n1 "$AUTHLOG" > "$LOGDIR/authlog.week$THISWEEK"
    sed -i '1s/^/No new users were added however here is the timestamp for log rotation:\n/' "$LOGDIR/authlog.week$THISWEEK"
else
    # First run: report everything currently in the log
    grep -e "new user" -e "delete user" "$AUTHLOG" > "$LOGDIR/authlog.week$THISWEEK"
fi
The sed there puts a backslash before any [ and ] so the whole last line of the previous week's log can be grepped. If you don't have an auth.log file, you'll probably have to add this sed for every char that causes grep to fail. For the grep part, you can use yours.
I hope you'll enjoy the script as I do.
Filip
Last edited by White Tea Citrus; 10-31-2011 at 11:02 AM.
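Worked example for the two scripts in this thread (the OP's grep pipeline over /var/log/secure and Filip's weekly auth.log report), added here and not code from either poster. It turns the useradd/userdel syslog lines into an "added/deleted" list for the last N days, which is the filtering the OP asked about, and goes one step past the thread: it diffs a saved snapshot of /etc/passwd against the current file and flags extra UID 0 accounts, because an account appended to /etc/passwd by hand never produces a "new user" line for either script to find. The log lines, passwd snapshots, hostname web1 and the October 2011 reference date are constructed for the demo; it assumes GNU date for -d.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. Reports accounts
# added or deleted in the last N days from the syslog lines useradd/userdel
# write, then cross-checks a saved /etc/passwd snapshot, which catches accounts
# appended to the file by hand (those never produce a "new user" line).
# Assumes GNU date for -d. All data below is constructed for the demo.

# Constructed syslog sample (hostname web1 is made up): two useradd runs, one
# userdel, a "new group" line and a sudo line that only mentions useradd, the
# two cases the thread's pipeline filtered out with grep -v.
SAMPLE_LOG="Oct 20 09:12:01 web1 useradd[2201]: new user: name=alice, UID=1002, GID=1002, home=/home/alice, shell=/bin/bash
Oct 20 09:12:01 web1 useradd[2201]: new group: name=alice, GID=1002
Oct 24 14:03:22 web1 userdel[2310]: delete user 'bob'
Oct 27 18:45:10 web1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd carol
Oct 27 18:45:10 web1 useradd[2402]: new user: name=carol, UID=1003, GID=1003, home=/home/carol, shell=/bin/bash
Oct 30 07:00:00 web1 useradd[2455]: new user: name=svc-backup, UID=1004, GID=1004, home=/var/lib/backup, shell=/sbin/nologin"

# Constructed /etc/passwd snapshots: last week's saved copy and the current file.
# mallory was appended by hand with UID 0 and appears in no log line at all.
PASSWD_OLD="root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash"
PASSWD_NEW="root:x:0:0:root:/root:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
svc-backup:x:1004:1004::/var/lib/backup:/sbin/nologin
mallory:x:0:0::/root:/bin/bash"

# Epoch seconds for a line's "Mon DD HH:MM:SS" prefix. Syslog omits the year,
# so the caller supplies it (last week's rotated log may belong to last year).
log_epoch() {   # $1 = log line, $2 = year
    date -d "$(printf '%s\n' "$1" | awk -v y="$2" '{ print $1, $2, y, $3 }')" +%s
}

# Print "added NAME" / "deleted NAME" for useradd/userdel events whose
# timestamp lies in the window (now - days, now], in log order.
account_events() {   # $1 = log text, $2 = year, $3 = reference epoch, $4 = days
    since=$(( $3 - $4 * 86400 ))
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *"useradd["*"new user:"*|*"userdel["*"delete user"*) ;;
            *) continue ;;   # "new group", sudo COMMAND= lines, everything else
        esac
        ts=$(log_epoch "$line" "$2")
        [ "$ts" -gt "$since" ] && [ "$ts" -le "$3" ] || continue
        printf '%s\n' "$line" | sed -n \
            -e "s/.*new user: name=\([^,]*\),.*/added \1/p" \
            -e "s/.*delete user '\([^']*\)'.*/deleted \1/p"
    done
}

# Accounts present in one passwd snapshot but not the other, sorted.
passwd_diff() {   # $1 = old /etc/passwd contents, $2 = current contents
    {
        printf '%s\n' "$1" | sed 's/^/old:/'
        printf '%s\n' "$2" | sed 's/^/new:/'
    } | awk -F: '
        $1 == "old" { old[$2] = 1 }
        $1 == "new" { new[$2] = 1 }
        END {
            for (u in new) if (!(u in old)) print "added " u
            for (u in old) if (!(u in new)) print "deleted " u
        }' | LC_ALL=C sort
}

# Any UID 0 account other than root, which no "new user" report would flag.
extra_uid0() {   # $1 = /etc/passwd contents
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Demo on the constructed data. In cron: now=$(date +%s), the real log plus its
# rotated predecessor, and the /etc/passwd copy the previous run saved aside.
now=$(date -d "Oct 31 2011 00:00:00" +%s)
echo "--- useradd/userdel events in the last 7 days"
account_events "$SAMPLE_LOG" 2011 "$now" 7
echo "--- accounts changed in /etc/passwd since the last snapshot"
passwd_diff "$PASSWD_OLD" "$PASSWD_NEW"
echo "--- UID 0 accounts other than root"
extra_uid0 "$PASSWD_NEW"
```

On the constructed data the log-based report lists bob (deleted), carol and svc-backup, while the passwd diff additionally surfaces mallory, which the UID 0 check then singles out. In cron, concatenate the current log with its rotated predecessor (secure.1 / auth.log.1) so the week spanning the rotation is not truncated, pass the year those lines belong to, and have each run copy /etc/passwd aside for the next one. On a host running auditd, `ausearch -m ADD_USER,DEL_USER -ts week-ago` yields the same useradd/userdel events from the audit trail and is the better source when it is available.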