Auditing user accounts - Aix



Thread: Auditing user accounts

  1. Auditing user accounts

    Hello all

    Is there any other possibility for auditing of user accounts different
    than observing changes in files like /etc/passwd, /etc/group,
    /etc/security/user? I haven't found such event in AIX auditing system.

    --
    Regards
    Filip Kata

  2. Re: Auditing user accounts

    On Fri, 26 Oct 2007 14:26:46 +0200, Filip Kata wrote:

    > Hello all
    >
    > Is there any other possibility for auditing of user accounts different
    > than observing changes in files like /etc/passwd, /etc/group,
    > /etc/security/user? I haven't found such event in AIX auditing system.


    What would you like to do with them? If you're running AIX 5.3 TL5 or
    above, you should have access to the new AIXpert tool from IBM for free.
    If you just want user/group data in an XML format, I can send you some
    code to do that...

    -Chris

  3. Re: Auditing user accounts

    Christopher Petersen wrote:
    > On Fri, 26 Oct 2007 14:26:46 +0200, Filip Kata wrote:
    >
    >> Hello all
    >>
    >> Is there any other possibility for auditing of user accounts different
    >> than observing changes in files like /etc/passwd, /etc/group,
    >> /etc/security/user? I haven't found such event in AIX auditing system.
    >
    > What would you like to do with them? If you're running AIX 5.3 TL5 or
    > above, you should have access to the new AIXpert tool from IBM for free.
    > If you just want user/group data in an XML format, I can send you some
    > code to do that...


    Chris I must have only three things: created accounts, deleted and
    changed. That's all.

    --
    Regards
    Filip Kata

  4. Re: Auditing user accounts

    On Oct 27, 1:26 am, Filip Kata wrote:
    > Hello all
    >
    > Is there any other possibility for auditing of user accounts different
    > than observing changes in files like /etc/passwd, /etc/group,
    > /etc/security/user? I haven't found such event in AIX auditing system.
    >
    > --
    > Regards
    > Filip Kata


    mind the CRLF's

    #!/bin/ksh
    # $Id$
    # MHB 29/08/2002 original scripting
    # MHB 28/03/2007 change for MoH
    # MHB 15/05/2007 fixed duplicate $never_logged_in printing bug
    # audit all users on host
    # get the seconds since epoch
    secs_since_epoch=$(perl -le 'print time')

    function do_the_thing
    {
        # function to test a string to see if the test created any output
        if [[ -n "$1" ]]; then
            # and print the string
            print "$1" | troff -a
        fi
    }

    function put_it_out_there
    {
        do_the_thing "$no_password_aging"
        do_the_thing "$all_locked_accounts"
        do_the_thing "$never_logged_in"
        do_the_thing "$not_for_ninety"
        do_the_thing "$passwd_set_never_logged_in"
        do_the_thing "$too_many_unsuccessful"
        do_the_thing "$has_it_expired"
    }

    # get list of all local users, conveniently excludes finding default stanzas
    for user_name in $( awk -F':' '{print $1}' /etc/passwd | sort ) ; do

        # check for password aging
        # (stanza files: RS="" makes each blank-line-separated stanza one record
        #  and FS="\n" makes its first line, "user:", field $1)
        if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (/minage|maxage/) {print $0} }' /etc/security/user ) ]]; then
            if [[ -z $no_password_aging ]]; then
                no_password_aging=$( print no passwd aging - $user_name )
            else
                no_password_aging=$( print $no_password_aging $user_name )
            fi
        fi

        # check for locked accounts
        if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (/account_locked = true/) {print $0} }' /etc/security/user ) ]]; then
            if [[ -z $all_locked_accounts ]]; then
                all_locked_accounts=$( print locked users - $user_name )
            else
                all_locked_accounts=$( print $all_locked_accounts $user_name )
            fi
        fi

        # check for accounts that have never logged in
        # (no stanza in lastlog at all, or a stanza without time_last_login)
        if [[ -z $( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':"' /etc/security/lastlog ) ]] ||
           [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (!/time_last_login/) {print $1} }' /etc/security/lastlog ) ]]; then
            if [[ -z $never_logged_in ]]; then
                never_logged_in=$( print never logged in - $user_name )
            else
                never_logged_in=$( print $never_logged_in $user_name )
            fi
        fi

        # check to see if not logged in for last 90 days (7776000 seconds)
        if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (/time_last_login/) {print $1} }' /etc/security/lastlog ) ]]; then
            # "time_last_login = " is 18 characters, so the epoch value starts at RSTART+18
            if (( $secs_since_epoch - $( awk 'BEGIN{ FS = "\n"; RS = ""}
                $1 == "'"$user_name"':" { if (match($0, /time_last_login = [0-9]+/)) {
                    print substr($0, RSTART+18, 10)} }' /etc/security/lastlog ) > 7776000 )); then
                if [[ -z $not_for_ninety ]]; then
                    not_for_ninety=$( print not used 90+ - $user_name )
                else
                    not_for_ninety=$( print $not_for_ninety $user_name )
                fi
            fi
        fi

        # check to see if password set, but user never logged in
        if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (/flags = ADMCHG/) {print $1} }' /etc/security/passwd ) ]]; then
            if [[ -z $passwd_set_never_logged_in ]]; then
                passwd_set_never_logged_in=$( print passwd set but user never logged in - $user_name )
            else
                passwd_set_never_logged_in=$( print $passwd_set_never_logged_in $user_name )
            fi
        fi

        # check number of unsuccessful logins
        # ("unsuccessful_login_count = " is 27 characters; take the whole number
        #  that follows, not just one digit, so counts of 10 and above are read correctly)
        num_unsuccessful_logins=$( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (match($0, /unsuccessful_login_count = [0-9]+/)) {
                print substr($0, RSTART+27, RLENGTH-27)} }' /etc/security/lastlog )
        if [[ -n $num_unsuccessful_logins ]] && (( $num_unsuccessful_logins >= 4 )) ; then
            if [[ -z $too_many_unsuccessful ]]; then
                too_many_unsuccessful=$( print 5 or more unsuccessful logins - $user_name )
            else
                too_many_unsuccessful=$( print $too_many_unsuccessful $user_name )
            fi
        fi

        # check to see if the password has expired (older than 4 weeks)
        # ("lastupdate = " is 13 characters, so the epoch value starts at RSTART+13)
        time_now=$(perl -le 'print time')
        password_last_update=$( awk 'BEGIN{ FS = "\n"; RS = ""}
            $1 == "'"$user_name"':" { if (match($0, /lastupdate/)) {
                print substr($0, RSTART+13, 10)} }' /etc/security/passwd )
        if [[ -n $password_last_update ]]; then
            if (( $(( $time_now - $password_last_update )) > $(( 60*60*24*7*4 )) )); then
                if [[ -z $has_it_expired ]]; then
                    has_it_expired=$( print Password older than 4 weeks - $user_name )
                else
                    has_it_expired=$( print $has_it_expired $user_name )
                fi
            fi
        fi
    done

    # with -o, write the report to a file instead of standard output
    if [[ $1 = "-o" ]]; then
        this_script=$(basename $0)
        output_file=/var/adm/rebuild/${this_script%%.sh}.txt
        print '$Id$' >$output_file
        put_it_out_there >>$output_file
    else
        put_it_out_there
    fi


  5. Re: Auditing user accounts

    On Oct 29, 3:28 am, Filip Kata wrote:
    > Christopher Petersen wrote:
    >
    > > On Fri, 26 Oct 2007 14:26:46 +0200, Filip Kata wrote:
    > >
    > >> Hello all
    > >>
    > >> Is there any other possibility for auditing of user accounts different
    > >> than observing changes in files like /etc/passwd, /etc/group,
    > >> /etc/security/user? I haven't found such event in AIX auditing system.
    > >
    > > What would you like to do with them? If you're running AIX 5.3 TL5 or
    > > above, you should have access to the new AIXpert tool from IBM for free.
    > > If you just want user/group data in an XML format, I can send you some
    > > code to do that...
    >
    > Chris I must have only three things: created accounts, deleted and
    > changed. That's all.
    >
    > --
    > Regards
    > Filip Kata


    Creating, changing and deleting users should normally always be done
    with mkuser, chuser and rmuser. You can track when and by whom these
    commands were executed using AIX auditing. If the changes are always
    made using smitty you can capture details of what was done by saving
    the smit.script file.

    HTH

    Jim Lane


  6. Re: Auditing user accounts

    Jim.Lane@cibc.com wrote:
    > On Oct 29, 3:28 am, Filip Kata wrote:
    >> Christopher Petersen wrote:
    >>
    >>> On Fri, 26 Oct 2007 14:26:46 +0200, Filip Kata wrote:
    >>>> Hello all
    >>>> Is there any other possibility for auditing of user accounts different
    >>>> than observing changes in files like /etc/passwd, /etc/group,
    >>>> /etc/security/user? I haven't found such event in AIX auditing system.
    >>> What would you like to do with them? If you're running AIX 5.3 TL5 or
    >>> above, you should have access to the new AIXpert tool from IBM for free.
    >>> If you just want user/group data in an XML format, I can send you some
    >>> code to do that...
    >>
    >> Chris I must have only three things: created accounts, deleted and
    >> changed. That's all.
    >>
    >> --
    >> Regards
    >> Filip Kata
    >
    > Creating, changing and deleting users should normally always be done
    > with mkuser, chuser and rmuser. You can track when and by whom these
    > commands were executed using AIX auditing. If the changes are always
    > made using smitty you can capture details of what was done by saving
    > the smit.script file.


    I think that better way is to watch changes in files like /etc/passwd
    because you can modify them without using chuser.

    --
    Regards
    Filip Kata
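    The file-watching approach Filip settles on, worked through as an added example (this is not code from the thread or from any of its posters): a saved snapshot of an account file is compared with the current copy and every account that was created, deleted or changed is reported, which covers edits made behind chuser's back. It assumes the standard AIX files named in the thread; the two helper functions (stanza_to_lines, account_changes) and the stanza data in the demo are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): report created, deleted and changed
# accounts by comparing a saved snapshot of an account file with its current
# copy. /etc/passwd and /etc/group are one line per entry and can be compared
# directly; /etc/security/user is stanza-format, so flatten both copies with
# stanza_to_lines first. The sample data below is constructed.

# stanza_to_lines FILE: turn "user:" stanzas into "user:attr = value" lines
stanza_to_lines() {
    awk '/^[^ \t#*].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); u = $0; next }
         /^[ \t]+[^ \t]/ && u != "" { sub(/^[ \t]+/, ""); print u ":" $0 }' "$1"
}

# account_changes OLD NEW: print "created|deleted|changed <user>" per account
account_changes() {
    awk -F: '
        FILENAME == ARGV[1] { old[$1] = old[$1] "\n" $0; next }  # snapshot
        { new[$1] = new[$1] "\n" $0 }                            # current copy
        END {
            for (u in new) if (!(u in old)) print "created " u
            for (u in old) if (!(u in new)) print "deleted " u
            for (u in new) if (u in old && old[u] != new[u]) print "changed " u
        }' "$1" "$2" | sort
}

# constructed demo: yesterday's snapshot of /etc/security/user vs. today's copy
old=$(mktemp); new=$(mktemp)
cat >"$old" <<'EOF'
fkata:
        maxage = 0
olduser:
        account_locked = false
EOF
cat >"$new" <<'EOF'
fkata:
        maxage = 0
        admin = true
newuser:
        account_locked = false
EOF
stanza_to_lines "$old" >"$old.flat"
stanza_to_lines "$new" >"$new.flat"
account_changes "$old.flat" "$new.flat"   # changed fkata, created newuser, deleted olduser
rm -f "$old" "$new" "$old.flat" "$new.flat"
```

    Run it from cron against a snapshot taken on the previous run, and pair it with Jim's point: the file diff tells you what changed, while AIX auditing of mkuser/chuser/rmuser tells you who ran the command.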
