LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-21-2005, 12:19 AM   #1
icefairy83
LQ Newbie
 
Registered: May 2005
Posts: 1

Rep: Reputation: 0
script for finding out new entries in /etc/passwd


Can someone please help me... I need to write a script which finds out if there is a new entry in /etc/passwd, i.e. if a new user has been created.
This script will run everyday through Cron.

Last edited by icefairy83; 05-21-2005 at 01:30 AM.
 
Old 05-21-2005, 12:41 AM   #2
freakyg
Member
 
Registered: Apr 2005
Distribution: LFS 5.0 and 6.1
Posts: 705

Rep: Reputation: 30
Code:
#!/usr/bin/perl
use strict;
use warnings;

# Read /etc/passwd into an array and print it (the poster's script, with
# error checking on open() and a lexical filehandle).
my $file = '/etc/passwd';
open(my $info, '<', $file) or die "Cannot open $file: $!";
my @lines = <$info>;
close($info);
print @lines;
this opens the file, puts the contents into an array and prints them to the screen... you'll have to do your own cron job...
 
Old 05-21-2005, 11:18 PM   #3
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47

Why go to all that trouble? Wouldn't cat /etc/passwd be a tad more efficient?

Of course, neither of the above help anything if you have a couple thousand users ... Probably something more along the lines of ls -l /etc/passwd is more helpful. When you get that email from cron every day, you just have to know "Hey! I didn't add any users yesterday!!!"

Easy right?

Of course, since it's pretty trivial to alter the modification time on a file, you could get all fancy and take an MD5 of the passwd file and store it someplace and then have a shell script that compares your stored MD5 with the MD5 of the passwd file.

But really, assuming it's all done on the same host, it's all fairly pointless. If a user has the swing to add a user account, he can manage to thwart your checks too.
 
Old 05-22-2005, 12:44 AM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
Another option is to back up /etc/passwd somewhere secure every day (like root's home directory) and the next time the script runs just do a diff between yesterday's /etc/passwd and today's. If you have many, many users, you can see exactly which were added in the last 24 hours.
 
Old 05-22-2005, 03:38 AM   #5
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Again ... If the invading user can modify /etc/passwd, he can modify your copy in /root as well (and the job that does the checking for that matter ...).

I'd probably deal with it by having the cron job mail me an MD5 and the file itself, then having my procmailrc call another script that takes that mail apart and compares it to the previous day's. It would silently bitbucket the mail if there were no changes, and if it did find changes it would mail a summary of them to me.

That way, unless the intruder got both my machines, I'd still be able to catch 'em.
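The receiving-side comparison described in the post above, as an added example that is not from the thread or its authors: the monitored host mails a copy of /etc/passwd together with a digest, and this script, run on the second host (for instance from the script procmail hands the mail to), confirms the digest matches the copy that arrived, stays silent when nothing changed, and prints a diff and rotates the archived copy when something did. SHA-256 is used in place of the MD5 mentioned in the post; the archive path, the function names and the passwd lines used in the usage are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): second-host verifier for a mailed copy
# of /etc/passwd. Paths and function names are assumed for illustration.

# Hex SHA-256 digest of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# check_received ARCHIVE RECEIVED EXPECTED_DIGEST
#   ARCHIVE          previous day's copy kept on this host (created on first run)
#   RECEIVED         the copy extracted from today's mail
#   EXPECTED_DIGEST  the digest that was sent alongside it
# Exit status: 0 = unchanged (prints nothing, so the mail can be discarded),
#              1 = changed, or first run (prints a summary; archive rotated),
#              2 = digest does not match the received content (archive untouched).
check_received() {
    archive=$1
    received=$2
    expected=$3

    actual=$(sha256_of "$received")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $received: expected $expected, got $actual" >&2
        return 2
    fi

    if [ -f "$archive" ] && cmp -s "$archive" "$received"; then
        return 0
    fi

    if [ -f "$archive" ]; then
        echo "/etc/passwd changed since the last check:"
        diff -u "$archive" "$received" || true   # diff exits 1 when files differ
    else
        echo "no archived copy yet; keeping this one as the baseline"
    fi
    cp "$received" "$archive"
    return 1
}

# Typical invocation from the mail-handling script on the second host
# (archive path and variable name are assumed):
#   check_received /var/lib/passwd-watch/archive /tmp/received.passwd "$digest_from_mail"
```

On the monitored host the cron job only has to send both pieces, e.g. `{ sha256sum /etc/passwd; cat /etc/passwd; } | mail -s passwd-watch you@second-host` (assuming a `mail` command is available); the mail-side script splits the digest line from the body before calling `check_received`. The digest check only proves the copy arrived intact; what actually catches an intruder is that yesterday's copy and the comparison live on a host they have not reached, which is the point of the post.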
 
Old 05-22-2005, 03:52 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Another tool you could use is the "comm" program. It is part of the coreutils package.
Code:
# comm needs sorted input, so sort both copies first (bash process substitution)
comm -3 <(sort /etc/passwd) <(sort /root/oldpasswd)
 
Old 05-22-2005, 04:18 PM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
If you really want to be thorough about it, send /etc/passwd to a convenient printer located in a physically secure location as part of the script. That way, so long as physical access is not breached, you'll have a record of accounts. If you have thousands of users, it may be more convenient to store it on WORM media (e.g. a tape or CD-R) and then eject the media.

It all depends on how paranoid you want to be, which will depend on your own internal risk management metrics (and if you work at a large company/organization there should be a defined risk management policy).
 
Old 05-25-2005, 07:42 PM   #8
stakhous
Member
 
Registered: May 2003
Location: PA
Posts: 82

Rep: Reputation: 15
Program a script to save copies of the passwd file periodically. Another script to display the output of "diff" between the old and the new passwd file.
 
Old 05-27-2005, 11:35 AM   #9
jillande
Member
 
Registered: Oct 2003
Location: fargoh eh.
Distribution: slackware
Posts: 94

Rep: Reputation: 15
I'm monitoring the status of a few system files not for security purposes (several systems are to be synced together, so if one system changes the rest need to too), but the end need is the same: I have to determine if a file has been modified. My script also runs once per second, so persistent status is not a major problem.

In any event, I make the assumption that if the modified time has changed, the file has changed, and the rest of the script runs when it has. You can check the last modified time with stat, i.e.
stat -c %Y /etc/passwd
and when that value increases (the date gets newer) the file has been updated.

OK, so the "last modified time" can be changed, so this would be completely inappropriate if the goal is to determine whether or not a file has been compromised.

If you just want to determine if there are new users added or old ones removed (and the actual usernames themselves are not viewed as confidential/security-important), you could also read /etc/passwd, munge the data to contain only usernames (chomp lines, split at ":", write to a new file) and then diff two different days' user lists and see who was removed and who was added.

Really, the purpose of why you want to monitor this file is relevant.
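Posts #6 and #9 together describe the same approach: reduce two days' copies of /etc/passwd to account names and compare them with comm or diff. The following is an added example, not from the thread or its authors, that does this in POSIX sh. It goes slightly beyond the posts in two ways: it sorts both inputs, which comm requires, and it also reports accounts that exist on both days but whose uid, gid or shell changed. The function names are assumptions, and the two sample passwd snapshots are constructed for the demo, not real system files.

```shell
#!/bin/sh
# Added example (not from the thread): account-level comparison of two
# /etc/passwd snapshots with comm(1). Function names are assumed for
# illustration; the sample files below are constructed, not real.
export LC_ALL=C   # sort and comm must agree on collation

# Sorted list of usernames in a passwd file.
passwd_names() {
    awk -F: 'NF >= 7 { print $1 }' "$1" | sort -u
}

# Sorted "user:uid:gid:shell" keys, the fields worth alerting on.
passwd_keys() {
    awk -F: 'NF >= 7 { print $1 ":" $3 ":" $4 ":" $7 }' "$1" | sort -u
}

# passwd_report OLD NEW
# Prints one line per difference: "ADDED <user>", "REMOVED <user>", or
# "CHANGED <user:uid:gid:shell>" for an existing user whose key changed.
passwd_report() {
    tmp=$(mktemp -d)
    passwd_names "$1" > "$tmp/old.names"
    passwd_names "$2" > "$tmp/new.names"
    passwd_keys  "$1" > "$tmp/old.keys"
    passwd_keys  "$2" > "$tmp/new.keys"

    comm -13 "$tmp/old.names" "$tmp/new.names" | sed 's/^/ADDED   /'   # only in NEW
    comm -23 "$tmp/old.names" "$tmp/new.names" | sed 's/^/REMOVED /'   # only in OLD

    # Keys present only in NEW whose username existed before: the account was
    # altered (for example its uid set to 0 or its shell changed).
    comm -12 "$tmp/old.names" "$tmp/new.names" > "$tmp/common.names"
    comm -13 "$tmp/old.keys" "$tmp/new.keys" | while IFS=: read -r name rest; do
        if grep -qxF "$name" "$tmp/common.names"; then
            echo "CHANGED $name:$rest"
        fi
    done
    rm -rf "$tmp"
}

# Constructed sample snapshots for the demo; prints the directory holding them.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd.old" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
mallory:x:1002:1002:Mallory:/home/mallory:/bin/bash
EOF
    cat > "$dir/passwd.new" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:0:1001:Bob:/home/bob:/bin/bash
svc-backup:x:0:0:Backup:/root:/bin/bash
EOF
    echo "$dir"
}

# Daily use from cron (paths assumed): passwd_report /root/passwd.yesterday /etc/passwd
# Demo on the constructed samples:
demo() {
    d=$(write_samples)
    passwd_report "$d/passwd.old" "$d/passwd.new"
    rm -rf "$d"
}
demo
```

On the samples the report is three lines: `ADDED   svc-backup`, `REMOVED mallory` and `CHANGED bob:0:1001:/bin/bash`; the last two would be invisible to a plain check for new usernames, which is why the comparison keys on uid, gid and shell as well as the name. As sigsegv points out earlier in the thread, this only means something if yesterday's copy is kept somewhere the person editing /etc/passwd cannot also edit.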
 