Re: Login script
Frequent Advisor
Charles Keyser
Posts: 56
Registered: 07-13-2005
Message 1 of 9
Accepted Solution

Login script

How would I set this to show active users? I am not a script guru.

#!/usr/bin/sh
# Show deactivated users in a trusted system
set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

# An exit status of 2 from an argument-less modprpw is taken as the
# sign of a Trusted System
NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

# Text for each bit position of the getprpw lockout field
REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout "$USER")
    ERR=$?
    if [ "$ERR" != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi

    # Since multiple reasons may exist in LOCKOUT, process
    # each bit position separately

    if [ "$LOCKOUT" != "0000000" ]
    then
        print "\nUser $USER deactivated for:"
        for BIT in 1 2 3 4 5 6 7
        do
            REASONBIT=$(echo "$LOCKOUT" | cut -c "$BIT")
            if [ "$REASONBIT" != 0 ]
            then
                if [ "$REASONBIT" = 1 ]
                then
                    print " ${REASON[$BIT]}"
                else
                    print " Bad character in lockout: $REASONBIT"
                fi
            fi
        done
    fi
done
Trusted Contributor
Autocross.US
Posts: 71
Registered: 12-29-2005
Message 2 of 9

Re: Login script

This will print both active and inactive users:

#!/usr/bin/sh
# Show deactivated and active users in a trusted system
set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

# An exit status of 2 from an argument-less modprpw is taken as the
# sign of a Trusted System
NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

# Text for each bit position of the getprpw lockout field
REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout "$USER")
    ERR=$?
    if [ "$ERR" != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi

    # Since multiple reasons may exist in LOCKOUT, process
    # each bit position separately

    if [ "$LOCKOUT" != "0000000" ]
    then
        print "\nUser $USER deactivated for:"
        for BIT in 1 2 3 4 5 6 7
        do
            REASONBIT=$(echo "$LOCKOUT" | cut -c "$BIT")
            if [ "$REASONBIT" != 0 ]
            then
                if [ "$REASONBIT" = 1 ]
                then
                    print " ${REASON[$BIT]}"
                else
                    print " Bad character in lockout: $REASONBIT"
                fi
            fi
        done
    else
        # All seven lockout bits clear: the account is active
        print "\n\n$USER is active"
    fi
done
I drive way too fast to worry about calories.
Frequent Advisor
Charles Keyser
Posts: 56
Registered: 07-13-2005
Message 3 of 9

Re: Login script

Thanks so much. I am going to attempt to add a line to see when the user last logged in and when the password was last changed. Here is another script we use. It shows deactivated users; we would like to show activated users also, the last time the user changed their password, and whether they have a null password. We have auditors who found a couple of users whose accounts had password aging set to disabled, which violated our policy. I am new here and would like to see the script give all this information. Here it is (help) to modify:

#!/usr/bin/sh
# Show deactivated users in a trusted system

set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

# Right-justify each value in a 26-column field so the report lines up;
# NOTSET is padded the same way so the comparisons below still match
typeset -R26 MINTM
typeset -R26 EXPTM
typeset -R26 LFTM
typeset -R26 SPWCHG
typeset -R26 UPWCHG
typeset -R26 ACCTEXP
typeset -R26 LLOG
typeset -R26 ULOGINT
typeset -R26 SLOGINY
typeset -R26 UMAXLNTR
typeset -R26 NOTSET="-1"

# Text for each bit position of the getprpw lockout field
REASON[1]="exceeded password lifetime"
REASON[2]="exceeded last login time"
REASON[3]="exceeded absolute account lifetime"
REASON[4]="exceeded unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="administrator lock"
REASON[7]="password is a *"

# An exit status of 2 from an argument-less modprpw is taken as the
# sign of a Trusted System
NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout "$USER")
    ERR=$?
    if [ "$ERR" != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi

    # Since multiple reasons may exist in LOCKOUT, process
    # each bit position separately

    if [ "$LOCKOUT" != "0000000" ]
    then
        print "\nUser $USER deactivated, reason: \c"
        for BIT in 1 2 3 4 5 6 7
        do
            REASONBIT=$(echo "$LOCKOUT" | cut -c "$BIT")
            if [ "$REASONBIT" != 0 ]
            then
                if [ "$REASONBIT" = 1 ]
                then
                    print "${REASON[$BIT]}"
                else
                    print "AUDIT error: Bad character in lockout: $REASONBIT"
                fi
            fi
        done

        # Password-aging and login fields for the deactivated account
        MINTM=$(getprpw -r -m mintm "$USER")
        EXPTM=$(getprpw -r -m exptm "$USER")
        LFTM=$(getprpw -r -m lftm "$USER")
        SPWCHG=$(getprpw -r -m spwchg "$USER")
        UPWCHG=$(getprpw -r -m upwchg "$USER")
        ACCTEXP=$(getprpw -r -m acctexp "$USER")
        LLOG=$(getprpw -r -m llog "$USER")
        ULOGINT=$(getprpw -r -m ulogint "$USER")
        SLOGINY=$(getprpw -r -m sloginy "$USER")
        UMAXLNTR=$(getprpw -r -m umaxlntr "$USER")

        # Show values only if set (-1 is not set)

        [[ "$MINTM" != "$NOTSET" ]] && \
            print "$MINTM = Min time between PW changes"
        [[ "$EXPTM" != "$NOTSET" ]] && \
            print "$EXPTM = Password expiration time"
        [[ "$LFTM" != "$NOTSET" ]] && \
            print "$LFTM = Password lifetime"
        [[ "$SPWCHG" != "$NOTSET" ]] && \
            print "$SPWCHG = Password was changed"
        [[ "$UPWCHG" != "$NOTSET" ]] && \
            print "$UPWCHG = Password was unsuccessfully changed"
        [[ "$ACCTEXP" != "$NOTSET" ]] && \
            print "$ACCTEXP = account expires"
        [[ "$LLOG" != "$NOTSET" ]] && \
            print "$LLOG = Last successful login"
        [[ "$SLOGINY" != "$NOTSET" ]] && \
            print "$SLOGINY = Terminal used for last successful login"
        [[ "$ULOGINT" != "$NOTSET" ]] && \
            print "$ULOGINT = Last unsuccessful login"
        [[ "$UMAXLNTR" != "$NOTSET" ]] && \
            print "$UMAXLNTR = Max unsuccessful login tries"

    fi
done

print
exit 0
Trusted Contributor
Autocross.US
Posts: 71
Registered: 12-29-2005
Message 4 of 9

Re: Login script

I've attached a script that I use to do a similar task with managing expired accounts.

I've added the reason codes from the above script to it. See if this works for you.

One thing I've noticed is that it only prints the last reason code. So if the LOCKOUT is something like 1001001, only the last 1 is actually noted in the output. I can fix this if it's something you may use, but most users are probably locked for one reason, not many.
I drive way too fast to worry about calories.
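The two points raised in this thread so far, a lockout value with several bits set and the auditors' finding of accounts with password aging disabled or a null password, can be handled in one pass. The following is an added example, not the attached script or any poster's code: it is plain POSIX sh rather than the HP-UX ksh of the scripts above (no print, no arrays), so it runs anywhere, and it works on constructed records instead of live getprpw output. The record layout "user lockout exptm lftm spwchg", the sample values, and the rule that exptm and lftm both at -1 means no per-user aging is configured are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: decode every set bit of a getprpw
# "lockout" string and flag password-aging gaps. Plain POSIX sh so it runs
# outside HP-UX; the records below are constructed, not real getprpw output.

# Reason text for lockout bit positions 1..7, wording as in the thread's script.
lockout_reason() {
    case "$1" in
        1) echo "exceeded password lifetime" ;;
        2) echo "exceeded last login time" ;;
        3) echo "exceeded absolute account lifetime" ;;
        4) echo "exceeded unsuccessful login attempts" ;;
        5) echo "password required and a null password" ;;
        6) echo "administrator lock" ;;
        7) echo "password is a *" ;;
    esac
}

# One reason per line for every '1' in a 7-character lockout string, so a
# value such as 1001001 yields three lines rather than only the last one.
# Characters other than 0/1 are reported instead of being skipped.
decode_lockout() {
    lockout=$1
    bit=1
    while [ "$bit" -le 7 ]
    do
        c=$(printf '%s\n' "$lockout" | cut -c "$bit")
        case "$c" in
            0) ;;
            1) lockout_reason "$bit" ;;
            *) echo "bad character in lockout position $bit: '$c'" ;;
        esac
        bit=$((bit + 1))
    done
}

# Audit one "user lockout exptm lftm spwchg" record (the getprpw fields the
# thread uses; -1 means "not set", as the thread's script notes). Prints a
# status line and returns 1 when a policy gap is found.
audit_user() {
    user=$1; lockout=$2; exptm=$3; lftm=$4; spwchg=$5
    rc=0
    if [ "$lockout" = "0000000" ]
    then
        status="active"
    else
        status="deactivated ($(decode_lockout "$lockout" | tr '\n' ';' | sed 's/;$//'))"
    fi
    # Assumption for this example: exptm and lftm both unset means no
    # password aging is configured for the account (the auditors' finding).
    if [ "$exptm" = "-1" ] && [ "$lftm" = "-1" ]
    then
        status="$status; AGING NOT SET"
        rc=1
    fi
    # Lockout bit 5 is "password required and a null password".
    case "$lockout" in
        ????1??) status="$status; NULL PASSWORD"; rc=1 ;;
    esac
    echo "$user: $status; last password change: $spwchg"
    return "$rc"
}

# Constructed sample: user, lockout, exptm, lftm, spwchg (spwchg shown as a
# plain date string here; on HP-UX substitute the getprpw value).
SAMPLE_RECORDS='charlie 0000000 -1 -1 2006-03-01
oracle 1001001 86400 15552000 2005-11-15
svc 0000100 -1 -1 never'

# Run the audit over every sample record. On a trusted HP-UX host the fields
# would come from getprpw -r -m <field> "$USER" inside the listusers loop.
audit_all() {
    printf '%s\n' "$SAMPLE_RECORDS" | while read -r u l e f s
    do
        audit_user "$u" "$l" "$e" "$f" "$s" || :
    done
}

# Number of accounts with at least one policy gap in the sample.
count_gaps() {
    audit_all | grep -c -e 'AGING NOT SET' -e 'NULL PASSWORD'
}

audit_all
```

Each account gets one line, so the output can still be fed to grep and awk the way the scripts in this thread are used; the return value of audit_user lets a wrapper exit non-zero when any gap is found, which is convenient for a scheduled job.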
Frequent Advisor
Charles Keyser
Posts: 56
Registered: 07-13-2005
Message 5 of 9

Re: Login script

I showed my boss and he said thanks. He would like to know if you could add another column to say the last time the password was reset?

Thanks for all of your help
Trusted Contributor
Autocross.US
Posts: 71
Registered: 12-29-2005
Message 6 of 9

Re: Login script

Added the SPWCHG value for each user to the last column. See attachment.

I drive way too fast to worry about calories.
Frequent Advisor
Charles Keyser
Posts: 56
Registered: 07-13-2005
Message 7 of 9

Re: Login script

Thanks for all of your help. That is exactly what I needed. I appreciate your time on this.

-Charlie
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: 08-15-2002
Message 8 of 9

Re: Login script

Shalom,

The output of last with a grep can be used to get last-login information, as long as the wtmp file in /var/adm/syslog is not erased or emptied.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
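As an added example, not from this post or any script attached to the thread, here is a POSIX sh way to pull a user's most recent login out of last output and to make the caveat above explicit: last prints newest entries first and ends with a "wtmp begins" line, so a user with no entry may simply have logged in before the start of the current wtmp, not never. The LAST_SAMPLE text is constructed to look like last output; on a real host you would pipe last itself into the same awk filters.

```shell
#!/bin/sh
# Added example, not from the thread: extract last-login information from
# last(1)-style output and report the wtmp window it is valid for.
# LAST_SAMPLE is constructed, not captured from a real system.

# Constructed sample of last output, newest entry first, trailer last.
LAST_SAMPLE='charlie  pts/ta  10.0.0.5   Mon Mar  6 09:12 - 09:45  (00:33)
oracle   pts/tb  10.0.0.7   Sun Mar  5 22:01   still logged in
charlie  pts/ta  10.0.0.5   Fri Mar  3 08:00 - 17:02  (09:02)

wtmp begins Wed Feb  1 00:00'

# Most recent login date and time for a user: the first matching line wins,
# because last lists newest first. Prints nothing if the user has no entry.
last_login() {
    printf '%s\n' "$LAST_SAMPLE" |
        awk -v u="$1" '$1 == u { print $4, $5, $6, $7; exit }'
}

# Start of the record window, taken from the trailing "wtmp begins" line.
# Logins before this point are not visible, and an emptied wtmp moves it
# forward, so "no entry" is not proof of "never logged in".
wtmp_begins() {
    printf '%s\n' "$LAST_SAMPLE" |
        awk '$1 == "wtmp" && $2 == "begins" { print $3, $4, $5, $6 }'
}

# One line per user, in the form the thread's per-USER loop could print.
report_logins() {
    window=$(wtmp_begins)
    for u in "$@"
    do
        when=$(last_login "$u")
        if [ -n "$when" ]
        then
            echo "$u: last login $when"
        else
            echo "$u: no login recorded since $window"
        fi
    done
}

report_logins charlie oracle nobody
```

Matching on the first field rather than grepping the whole line avoids false hits when a username also appears as part of a hostname or terminal name elsewhere on the line.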
Valued Contributor
rmueller58
Posts: 851
Registered: 02-19-2001
Message 9 of 9

Re: Login script

I called Charles's attached script "chkdisable" and execute it with the following:

chkdisable |grep exceed |awk '{print $2}'

to determine any current lockouts.