
@nohtyp
Created December 18, 2013 14:33
user audit script
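#!/bin/bash
#
# User account audit.
#
# Walks every account in /etc/passwd and writes two reports into the current
# working directory:
#   $HOSTNAME.log  - accounts with UID > MIN_UID whose password has an expiry
#                    date: UID, last login, and whether the password has
#                    expired or when it will.
#   PWNEVER.log    - every other account that is not locked (UID <= MIN_UID,
#                    or password set to never expire).
# A previous copy of either report is kept as <name>.1.
#
# Accounts whose /etc/shadow password field starts with "!" are skipped.
#
# The script must be able to read /etc/shadow (normally root only). Because
# the reports are created by relative name, run it from a directory that only
# the auditing user can write to, so a pre-planted file or symlink with a
# report's name cannot redirect the output.

set -u
# The reports describe account and password state; keep them owner-only.
umask 077

readonly MIN_UID=5
readonly REPORT="${HOSTNAME}.log"
readonly PWNEVER="PWNEVER.log"

#######################################
# Print a message on stderr.
# Arguments: $* - message text
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Keep one previous generation of a report file.
# Arguments: $1 - report file name
#######################################
rotate() {
  local file=$1
  if [[ -f "$file" ]]; then
    mv -- "$file" "$file.1"
  fi
}

#######################################
# Convert an English month abbreviation to its number.
# Arguments: $1 - month abbreviation (Jan..Dec)
# Outputs:   1..12, or 0 when the abbreviation is not recognised
#######################################
month_to_num() {
  case "$1" in
    Jan) echo 1 ;;
    Feb) echo 2 ;;
    Mar) echo 3 ;;
    Apr) echo 4 ;;
    May) echo 5 ;;
    Jun) echo 6 ;;
    Jul) echo 7 ;;
    Aug) echo 8 ;;
    Sep) echo 9 ;;
    Oct) echo 10 ;;
    Nov) echo 11 ;;
    Dec) echo 12 ;;
    *) echo 0 ;;
  esac
}

# Without /etc/shadow the locked-account check cannot work and every locked
# account would be reported as active, so stop instead of writing a
# misleading report.
if [[ ! -r /etc/shadow ]]; then
  warn "cannot read /etc/shadow; run this audit with sufficient privileges"
  exit 1
fi

rotate "$PWNEVER"
rotate "$REPORT"

# Take today's date once, in numeric form, so it does not depend on the
# locale and cannot change between accounts if the run crosses midnight.
read -r cur_year cur_month cur_day < <(date '+%Y %m %d')
# 10# forces base 10: "08" and "09" are invalid octal inside (( )).
cur_year=$((10#$cur_year))
cur_month=$((10#$cur_month))
cur_day=$((10#$cur_day))
today_key=$((cur_year * 10000 + cur_month * 100 + cur_day))

printf 'Report Date [ %s ] on %s\n\n' "$(date)" "$HOSTNAME" > "$REPORT"

# /etc/passwd is read on fd 3 so that no command in the loop body can
# consume it through stdin. Reading it directly also avoids the intermediate
# "list" file the script used to leave in the working directory.
while IFS=: read -r user _ <&3; do
  [[ -n "$user" ]] || continue

  uid=$(id -u -- "$user" 2>/dev/null) || {
    warn "skipping $user: id could not resolve the account"
    continue
  }

  # Exact match on the login-name field. A plain "grep name" would also
  # match other accounts whose line merely contains the name, and the
  # locked check below would then look at the wrong entry.
  shadow_pw=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' /etc/shadow)

  # A leading "!" in the password field marks the account as disabled.
  if [[ "${shadow_pw:0:1}" == "!" ]]; then
    continue
  fi

  # One chage call per account; LC_ALL=C keeps the label and the month
  # names in the English form parsed below. The value keeps its leading
  # space, e.g. " never" or " Dec 18, 2013".
  expires=$(LC_ALL=C chage -l -- "$user" 2>/dev/null \
    | awk -F: '/Password [Ee]xpires/ { print $2; exit }')

  if (( uid > MIN_UID )) && [[ "$expires" != " never" ]]; then
    # Drop the "wtmp begins ..." trailer line entirely (otherwise its date
    # reads as a login time) and fold what is left onto one line.
    last_login=$(last -dn1 -- "$user" 2>/dev/null \
      | awk '/wtmp begins/ { next }
             NF { $1 = $1; printf "%s%s", sep, $0; sep = " " }')

    printf '%s:%s\n' "$user" "$uid" >> "$REPORT"
    printf 'Last Login:%s\n' "$last_login" >> "$REPORT"

    exp_mon='' exp_day='' exp_year=''
    read -r exp_mon exp_day exp_year <<< "${expires//,/}"
    exp_month=$(month_to_num "$exp_mon")

    if (( exp_month == 0 )) \
      || [[ ! "$exp_day" =~ ^[0-9]{1,2}$ || ! "$exp_year" =~ ^[0-9]{4}$ ]]; then
      # Keep the account in the report rather than guessing a status.
      printf "%s's password expiry date could not be parsed:%s\n\n" \
        "$user" "$expires" >> "$REPORT"
      continue
    fi

    # Compare whole dates as YYYYMMDD integers instead of comparing month
    # and year separately, which misjudged e.g. the same month of an
    # earlier year.
    exp_key=$((10#$exp_year * 10000 + exp_month * 100 + 10#$exp_day))

    if (( exp_key == today_key )); then
      printf "%s's password has expired today\n\n" "$user" >> "$REPORT"
    elif (( 10#$exp_year == cur_year && exp_month == cur_month )); then
      if (( exp_key < today_key )); then
        printf "%s's password expired on the %s of this month.\n\n" \
          "$user" "$exp_day" >> "$REPORT"
      else
        printf "%s's password expires on the %s of this month.\n\n" \
          "$user" "$exp_day" >> "$REPORT"
      fi
    elif (( exp_key < today_key )); then
      printf "%s's password expired %s %s, %s\n\n" \
        "$user" "$exp_mon" "$exp_day" "$exp_year" >> "$REPORT"
    else
      printf "%s's password expires %s %s, %s\n\n" \
        "$user" "$exp_mon" "$exp_day" "$exp_year" >> "$REPORT"
    fi
  else
    printf '%s: %s : password set to expire%s\n' \
      "$user" "$uid" "$expires" >> "$PWNEVER"
  fi
done 3< /etc/passwd

#mail <email> -s "Account Report on $HOSTNAME" < $HOSTNAME.log
#mail <email> -s "Account Report on $HOSTNAME" < PWNEVER.log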