how to monitor “create user” action on linux platform?
Question
currently on linux platform,
if someone or some app create a user.
Does other apps be able to get this message immediately?
if yes, app can use which way to know a user is created ?
thanks in advance
1 answers
solution1
0 2014-08-14 12:51:43
You may use similar script like below to examine the /etc/passwd file continuously. You may vary "sleep" command to determine the delay. If you run this script in background, it will send mail when new users are added or removed. You can feed these results to desired application by altering the code.
#!/bin/bash
unalias cp &>/dev/null
OLD=`wc -l "/etc/passwd" | awk '{print $1}'` && /bin/cp -f /etc/passwd /etc/passwd.old
while true ; do
sleep 1
NEW=`wc -l "/etc/passwd" | awk '{print $1}'` && MID=${NEW} && /bin/cp -f /etc/passwd /etc/passwd.copy
if [[ ${NEW} -gt ${OLD} ]]
then
DIFF=`expr ${NEW} - ${OLD}`
USERS=`tail -n ${DIFF} "/etc/passwd.copy" | awk -F: '{ print $1 }'`
echo -e "New user(s):\n ${USERS} " | mail -s "New Users Created! at `date +%c`" admin@mail.com
elif [[ ${NEW} -lt ${OLD} ]]
then
USERS=`diff -y /etc/passwd /etc/passwd.old | awk -F">" '{print $2}'| awk -F: '{print $1}' | grep -E -v "^$"`
echo -e "User(s)removed:\n ${USERS[@]}" | mail -s "Users removed at `date +%c`" admin@mail.com
fi
sleep 1
OLD=${MID} && /bin/cp -f /etc/passwd.copy /etc/passwd.old
done
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.