seeking "special" account use details
 

If you look in /etc/passwd there are all sorts of login names other than the ones created for people. How do I discover:

• when and why each of these accounts exist?
• which of these are actually in use on my system(s) vs. created by default of just-in-case?
• alert or log or both when and if they get used?

There are all sorts of "alert on login" threads around the net. Starting a process running as a designated user does not provoke the 'login' event. For example, a web server might run as user 'www:www' and get started a system start. There is no 'login' event for this.
Likewise, the server might launch other processes also as 'www:www'. Again, there are no 'login' events.

While I can scan logs for activities resulting from many similar applications, I don't want to poll the log files. Also, I don't want to write real code that reads a syslog pipe parsing for the details that I seek. (gulp) I hope that isn't my only option.

I'm enough of an antique that I remember the original AT&T® Unix™. In those days, there was magic associated with any user or group number '10' and below. (Those digits might be base-8 instead of base-10.) The details about that magic are lost in the myst of my memory. I'm also aware of techniques where a daemon process has its unique UID:GID for a variety of security and operational reasons.

Merci d'avance,
~~~ 8d;-Dan

Many accounts are created by default on installation for commonly used tools (such as www for web as you mentioned.)

If I wanted to find out which, if any, of these accounts were in use I would do the following:
1) Run "ps -fu <username>" to see if any processes are running under the given entry in password currently.
2) Run "find / -user <username>" (for "find / -user <uid>" to find if any files are owned by the given entry.
3) Run "last <username>" to see if there is any history of them ever having logged in. (As you note there are often cases where a user account is used without logging in. Also last relies on files that may be corrupted or overwritten so isn't perfect.)
4) Check other logs in /var/log (such as secure log, cron log) to see if it shows anything ever used them.
5) Check init scripts and see if any of them mention the account. If they do check to see whether they're actually linked to start at any given run level. (i.e. check /etc/init files then check for links to same from /etc/rc?.d where the ? is one of the run levels).

By the way you can setup something called "logwatcher" to look for specific events in logs rather than having to write your own script.

Thanks to MensaWater for their detailed comments. They provide an excellent recipe for discovering the information that I'm seeking.

My original post strikes me as a question someone might ask during a system or network security audit. Does anyone of my LQ colleagues know much about audit tools available in the linux world -- specifically ubuntu and Mint?

Cheers,
~~~ 0;-Dan

It might not be obvious to some readers, but many of the commands might best get launched using sudo {command} so that they run as superuser. As an alternative, one might use sudo -i to open a superuser login shell.

Cheers,
~~~ 0;-Dan