User type scripts

I am trying to figure out the best way to create a script which checks for new user creation. I am currently using Active Directory for most of my local user accounts to remove the need to keep up with passwords and all that good stuff. But I want to make sure no new accounts are being created, and when they are I’d like to be notified or at least send off an email or something to be alerted. Basically, prevent new local accounts from being created. I am not sure if SUSE has something already built-in that can detect and alert on that or if there are open source tools that would be easy to implement.

Another item: among the accounts that are present, I would like to identify the local accounts that are or have not been used and which accounts have not changed their passwords in the last 12 months.

Any good built-in tools or any good scriptwriters out there able to lend me a hand?

Thanks in advance! Love the distro and the community.

You could watch the logs (/var/log/messages) for user creation.
Forwarding logs from various systems to a single system for analysis
regularly often makes this pretty simple.

If you are hooking up to an LDAP directory or something (like Microsoft
Active Directory (MAD)) then you can usually enforce password changes in
that environment directly and then let openSUSE be a consumer only so that
passwords never need to be changed on individual boxes (becoming a
terrible task over time). LDAP-based directories typically have a
‘loginTime’ or ‘lastLoginTime’ attribute which shows when the last login
happened, so you can query that directly from there as well.

Good luck.

On 2013-09-03 16:46, D8TA wrote:

> from being created. I am not sure if SUSE has something already built-in
> that can detect and alert on that or if there are open source tools that
> would be easy to implement.

Yes, there is a security cron job that does this. But I don’t have it
installed in this laptop and I don’t remember the package name. Ask me
again on Thursday, if I forget.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Reminder…I tried to find a cron job for security but came up empty. Would you tell me the package name?

On 2013-09-05 16:46, D8TA wrote:
>
> Reminder…I tried to find a cron job for security but came up empty.
> Would you tell me the package name?

Thanks - I knew I had said I had to look up something, but I forgot what
O:-)

Sample email:

+++······························
Date: Fri, 6 Sep 2013 00:00:03 +0200 (CEST)
From: root <root@Telcontar.valinor>
To: root@Telcontar.valinor
Subject: Local Daily Security for Telcontar.valinor: Changes

Daily security check v2.0 by Marc Heuse <...@suse.de>

This is an automated mail by the seccheck tool. If you want to disable
this service, set START_SECCHK=no in /etc/sysconfig/seccheck.

······························++-


Telcontar:~ # rpm -qf /etc/sysconfig/seccheck
file /etc/sysconfig/seccheck is not owned by any package
Telcontar:~ #

Crumbs.


Telcontar:~ # rpm -qf /etc/cron.d/seccheck
seccheck-2.0-678.1.1.noarch
Telcontar:~ #

That’s the one :slight_smile:

There are different tests running daily, weekly, or monthly. One of them
will say about new users, for sure, but no idea which. The weekly job
says, for instance:

+++······························
Warning: user moriarty has got a password and a valid shell but never
logged in.
······························++-

I have created a new user, so I hope to notice when it gets reported.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Excellent!! Thanks, this is what I was looking for. Wish there was a way to add custom commands into this check as well, passwd -aS is one I am looking for so I can see when the password was last changed.

Thanks again.

On 2013-09-06 14:56, D8TA wrote:
>
> Excellent!! Thanks, this is what I was looking for. Wish there was a way
> to add custom commands into this check as well, passwd -aS is one I am
> looking for so I can see when the password was last changed.

It is a script, you can add/change/remove whatever you wish. You can add
things and send them to the maintainer/developer for inclusion in next
version.

> Thanks again.

Welcome :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
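
An added example, not part of the thread and not seccheck's own code: a small shell check of the kind that could be run from cron next to seccheck, reporting accounts that are missing from a saved baseline copy of the passwd file and passwords older than a given number of days (the last-change date that `passwd -aS` shows, read here from field 3 of the shadow file). The function names, the baseline-file approach and the sample users and hashes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not seccheck code): detect new local accounts and old passwords.

# List accounts in passwd file $2 that are missing from baseline file $1.
new_local_users() {
    awk -F: -v base="$1" '
        BEGIN { while ((getline line < base) > 0) { split(line, f, ":"); seen[f[1]] = 1 } }
        !($1 in seen) { print $1 }' "$2"
}

# List "user age_in_days" for accounts in shadow file $1 that have a usable
# password hash last changed more than $2 days ago. $3 = today in days since
# 1970-01-01 (defaults to the current date).
stale_passwords() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v max="$2" -v today="$today" '
        $2 == "" || $2 ~ /^[!*]/ { next }           # locked or no password
        $3 == "" { print $1, "unknown"; next }      # aging info missing
        today - $3 > max { print $1, today - $3 }' "$1"
}

# Constructed sample data (hypothetical users and hashes), so this runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:100::/home/alice:/bin/bash' > "$d/passwd.baseline"
    cp "$d/passwd.baseline" "$d/passwd"
    printf '%s\n' 'moriarty:x:1001:100::/home/moriarty:/bin/bash' >> "$d/passwd"
    # Field 3 is the last password change, in days since 1970-01-01.
    printf '%s\n' 'root:$6$constructed$hash:15900:0:99999:7:::' \
                  'alice:$6$constructed$hash:15400:0:99999:7:::' \
                  'daemon:*:15000::::::' \
                  'moriarty:$6$constructed$hash::0:99999:7:::' > "$d/shadow"
    echo "New accounts:";  new_local_users "$d/passwd.baseline" "$d/passwd"
    echo "Old passwords:"; stale_passwords "$d/shadow" 365 15954   # 15954 = 2013-09-06
    rm -rf "$d"
}
demo
```

On a real system the functions would be pointed at /etc/passwd, a root-owned baseline copy of it, and /etc/shadow (readable only by root), with the output mailed by cron.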