Thursday, May 19, 2011

Find dormant accounts on a Linux server

On busy production systems there are often many accounts that have not been used for a long time. To find them we have standard Linux utilities such as "last" and "lastlog".

The "last" command displays the login history of the users on the system, with timestamps. "lastlog", on the other hand, displays the most recent login of every user, with its timestamp.

The last command reads the log file /var/log/wtmp for its user data. On modern Linux systems the wtmp file is rotated monthly, so the last command gives only the current month's statistics.

If we want the last command's output to cover a full year, we need to change the rotation configuration in /etc/logrotate.conf as below:

/var/log/wtmp {
missingok
# change "monthly" to "yearly"
monthly
create 0664 root utmp
rotate 1
}

The following script displays the users who have not logged in during the last 3 calendar months, including the current month. I am sure this will be useful for people like me to get a clear idea of who is not active on the system.

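#!/bin/bash
#
# Gives a list of users who have not logged in during the last 3 calendar months, including the current one.
#
umask 077

# Anchor on the 15th so that "1 month ago" cannot skip a month when run at month end.
MID_MONTH=$(date +%Y-%m-15)
THIS_MONTH=$(date +%b)
LAST_MONTH=$(date --date="$MID_MONTH 1 month ago" +%b)
LLAST_MONTH=$(date --date="$MID_MONTH 2 months ago" +%b)

# Use mktemp instead of predictable /tmp file names, and clean up on exit.
RECENT=$(mktemp) || exit 1
ALL=$(mktemp) || exit 1
trap 'rm -f "$RECENT" "$ALL"' EXIT

# Users that last reports for any of the three months (-w prints full user names).
last -w | grep " $THIS_MONTH \| $LAST_MONTH \| $LLAST_MONTH " | awk '{print $1}' | sort -u > "$RECENT"
# All local accounts.
awk -F: '{print $1}' /etc/passwd | sort -u > "$ALL"
# Accounts present in /etc/passwd but absent from the recent-login list.
comm -13 "$RECENT" "$ALL"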


The above script assumes that the last command can show more than 3 months of user statistics.

Using "lastlog"

The simple and dirty way to find the dormant accounts on a Linux system is to use the "lastlog" command. The following script will do the trick.

#!/bin/bash
#
# Gives a list of users who have not logged in the last 90 days.
# Accounts that have never logged in are excluded.
#
PATH=/bin:/usr/bin; export PATH
umask 077
# lastlog -b 90 prints only records older than 90 days, so no second
# lastlog run or temporary file is needed. Skip the header line and the
# "**Never logged in**" entries, then keep the user name column.
lastlog -b 90 | tail -n +2 | grep -iv Never | awk '{print $1}' | sort -u
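
The lastlog approach above can be taken one step further by joining its output with /etc/passwd, so that accounts with a nologin or false shell are skipped and never-used accounts are labelled rather than dropped. This is an added example, not part of the original post; the function name dormant_report and the sample data are constructed for illustration.

```bash
#!/bin/bash
# Added example: classify dormant accounts from saved `lastlog -b 90` output.
# Usage: dormant_report LASTLOG_OUTPUT PASSWD_FILE
# Prints "user<TAB>stale|never" for accounts whose shell permits login.
dormant_report() {
    awk -F: '
        # First file: lastlog output. Compare FILENAME rather than NR==FNR
        # so an empty lastlog file is not confused with the passwd file.
        FILENAME == ARGV[1] {
            if (FNR == 1) next                  # header line
            split($0, f, " ")                   # user name is the first column
            state[f[1]] = ($0 ~ /\*\*Never logged in\*\*/) ? "never" : "stale"
            next
        }
        # Second file: passwd entries. Skip shells that cannot log in.
        $7 ~ /(nologin|false)$/ { next }
        ($1 in state) { print $1 "\t" state[$1] }
    ' "$1" "$2" | sort
}

# Constructed sample data (not from a real host) so the example runs offline.
sample_lastlog() { cat <<'EOF'
Username         Port     From             Latest
root             pts/0    10.0.0.5         Mon Jan  3 09:12:44 +0000 2011
daemon                                     **Never logged in**
alice            pts/1    10.0.0.7         Tue Feb  1 08:00:00 +0000 2011
svcbackup                                  **Never logged in**
EOF
}
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
svcbackup:x:502:502::/home/svcbackup:/bin/sh
EOF
}

# Demo on the sample data. On a live host, save `lastlog -b 90` to a file
# and pass it with /etc/passwd instead.
demo() {
    d=$(mktemp -d) || return 1
    sample_lastlog > "$d/lastlog"
    sample_passwd > "$d/passwd"
    dormant_report "$d/lastlog" "$d/passwd"
    rm -rf "$d"
}
demo
```

Accounts reported as "never" that still have a login shell are worth reviewing first, since nobody would notice if they were locked.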

1 comment:

  1. Above the linux review is very helpful to improve my web hosting knowledge. All the points are explained very clearly. Reading this kind of article is very helpful to improve my web hosting knowledge. web hosting companies
