If you look in /etc/passwd there are all sorts of login names other than the ones created for people. How do I discover:
- when and why each of these accounts exists?
- which of these are actually in use on my system(s) vs. created by default or just-in-case?
- how to alert or log or both when and if they get used?
There are all sorts of "alert on login" threads around the net. Starting a process running as a designated user does not provoke the 'login' event. For example, a web server might run as user 'www:www' and get started at system start. There is no 'login' event for this.
Likewise, the server might launch other processes also as 'www:www'. Again, there are no 'login' events.
While I can scan logs for activities resulting from many similar applications, I don't want to poll the log files. Also, I don't want to write real code that reads a syslog pipe parsing for the details that I seek. (gulp) I hope that isn't my only option.
I'm enough of an antique that I remember the original AT&T® Unix™. In those days, there was magic associated with any user or group number '10' and below. (Those digits might be base-8 instead of base-10.) The details about that magic are lost in the mist of my memory. I'm also aware of techniques where a daemon process has its unique UID:GID for a variety of security and operational reasons.
Thanks in advance,
~~~ 8d;-Dan
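As an added example (not part of the original question), the script below takes the inventory and alerting parts of the question in one pass: it parses passwd entries, sorts accounts into superuser/system/human by UID, flags system accounts that still have a usable shell, and emits Linux auditd rules keyed on the effective UID, which fire on execve() by a daemon even though no 'login' ever happens (the audit login UID is unset for such processes, so euid is the usable field). It assumes a Debian/RHEL-style UID_MIN of 1000 and a constructed sample passwd file; adjust both for a real system.

```python
from dataclasses import dataclass

UID_MIN = 1000  # first human UID on Debian/RHEL-style systems; check /etc/login.defs
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
dan:x:1000:1000:Dan:/home/dan:/bin/bash
"""

@dataclass
class Account:
    name: str
    uid: int
    shell: str

    @property
    def kind(self) -> str:
        if self.uid == 0:
            return "superuser"
        return "system" if self.uid < UID_MIN else "human"

    @property
    def interactive(self) -> bool:
        # A shell outside the nologin set can open an interactive session.
        return self.shell not in NOLOGIN

def parse_passwd(text: str) -> list[Account]:
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        # passwd fields: name:passwd:uid:gid:gecos:home:shell
        name, _, uid, _, _, _, shell = line.split(":", 6)
        accounts.append(Account(name, int(uid), shell))
    return accounts

def risky_system_accounts(accounts: list[Account]) -> list[str]:
    # System accounts that still have a usable shell deserve a closer look.
    return [a.name for a in accounts if a.kind == "system" and a.interactive]

def audit_rules(accounts: list[Account]) -> list[str]:
    # One auditd rule per system account: record every execve() whose effective
    # UID is that account, so work spawned as 'www-data' is logged without a login.
    return [f"-a always,exit -F arch=b64 -S execve -F euid={a.uid} -k exec_as_{a.name}"
            for a in accounts if a.kind == "system"]
```

Feed the output of `audit_rules()` to `auditctl` (or a file under /etc/audit/rules.d/) and search with `ausearch -k exec_as_www-data` to see which accounts are actually exercised.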