
Notify admin when account locked out

Status
Not open for further replies.

ksas025

Technical User
Jun 3, 2004
92
US
Anyone know of a way to have AIX 4.3 notify root or an email address if an account locks out? I was thinking of a script/cron/lsuser solution but that seems to lack elegance. I'm open to any better ideas. Thanks.

A.
 
Here's a Perl script that I use.
I'll let you be the judge of its elegance.
This line is required in /etc/syslog.conf:

Code:
auth.debug /syslog/auth.log rotate size 20000k files 10


Code:
#!/usr/opt/perl5/bin/perl -w
######################################################################
# SCRIPT NAME : /usr/local/bin/syslog.pl                             #
# Tails the auth.debug syslog file and alerts on selected messages.  #
######################################################################
use strict;
use Time::localtime;
use FileHandle;
use File::stat;

my $syslog  = "/syslog/auth.log";
my $log     = "/tmp/auth.out";
my $subject = "AUTH syslog Event";
my $MSG     = "";
$| = 1;

open(GWFILE, "< $syslog") or die "can't open $syslog: $!";
open(LOG, ">> $log") or die "can't open $log: $!";
LOG->autoflush(1);

### Seek to end of file: only records written from now on are reported ###
seek(GWFILE, 0, 2);
my $prev_size = 0;
my $curpos;

### Do Forever ###
for (;;) {
    ### EXIT IF MORE THAN ONE COPY IS RUNNING ###
    # $0 is this script's path; quotemeta() stops it being read as a regex.
    my $running = GetPsefData(quotemeta($0));
    exit if ($running > 1);

    ### Re-open the file when it shrinks, i.e. syslog has rotated it ###
    my $sb   = stat($syslog) or die "can't stat $syslog: $!";
    my $size = $sb->size;
    if ($size < $prev_size) {
        close(GWFILE);
        open(GWFILE, "< $syslog") or die "can't open $syslog: $!";
    }
    $prev_size = $size;   # always update, or the file is re-read on every pass after a rotation

    ### For each new record ###
    for ($curpos = tell(GWFILE); <GWFILE>; $curpos = tell(GWFILE)) {
        $MSG = $_;
        chomp($MSG);

        if ($MSG =~ /Login restricted/i ||
#           $MSG =~ /Invalid user/i ||
#           $MSG =~ /Software caused connection abort/i ||
#           $MSG =~ /chan_read_failed/i ||
#           $MSG =~ /failed login attempt/i ||
#           $MSG =~ /Did not receive/i ||
            $MSG =~ /UNKNOWN_USER/i ||
            $MSG =~ /BREAK-IN/i ||
            $MSG =~ /BAD SU/i ||
            $MSG =~ /Authentication refused/i ||
            $MSG =~ /No space left on device/i ||
            $MSG =~ /encrypted password is invalid/i ||
            $MSG =~ /rexec/i ||
            $MSG =~ /not enough memory/i ||
            $MSG =~ /Bad protocol/i ||
            $MSG =~ /illegal port/i ||
            $MSG =~ /illegal user/i ||
            $MSG =~ /Failed dlopen/i ||
            $MSG =~ /rlogind/i) {
            SendEmail();
            SendPage() if ($MSG =~ /Login restricted/i);
        }
    }
    seek(GWFILE, $curpos, 0);   # clear EOF and stay where the last full read ended
    sleep 2;
}

################################################################################
### END ########################################################################
################################################################################

### CHECK IF RUNNING ######################################
### Counts ps -ef lines matching the pattern (this process included)
sub GetPsefData {
    my ($process) = @_;
    my $i = 0;
    open(PSEF_PIPE, "ps -ef|") or die "can't run ps: $!";
    while (<PSEF_PIPE>) {
        $i++ if /$process/;
    }
    close(PSEF_PIPE);
    return $i;
}

### SEND EMAIL ############################################
sub SendEmail {
    print LOG "EMAIL: $MSG\n";
    # List-form system(): $MSG is copied straight out of the log, and a remote
    # user controls part of it (the login name they typed), so it must never be
    # interpolated into a shell command line via backticks.
    system('<your email command here>', '-m', $MSG, '-subject', $subject);
    return;
}

### SEND PAGE #############################################
sub SendPage {
    print LOG "PAGE: $MSG\n";
    system('<your paging command here>', '-m', $MSG);
    return;
}
 
Thanks for your response DonDavis. However you must be running a different version of AIX than me (I am running AIX 4.3.3) because my syslog.conf:auth.debug setting does not produce all of those nice descriptive log entries. I do get 'BAD SU' and 'Failed login' but I don't get 'Account has been locked' which is specifically what I am looking for. :)

On a side note, I use an open-source piece of software called logdog (by Brandon Zehm) to do what your script is doing. The only difference is that I have a central log server where all 45 of my servers log to, and the Perl script listens to a PIPE which syslog is filling. When the Perl regex matches a string from the pipe to a string in a user-defined hash it alerts me via email, pager, or whatever. I have heavily modified my copy to have a thresholding and field substitution routine but it works great right out of the box. Check it out if you have time; you might find it useful if you are using the script you just posted.

 
ksas025,

If I understand correctly, you want to detect when a user login is "locked" due to failed logins, or perhaps a password that's been expired past the maxexpired setting.

There's no more elegant method for this than script/cron/lsuser for the same reason that I put "locked" in quotes. In both of the cases described above, the status of the account is only discovered when it's calculated by login as they attempt to log in. The only event generated is the failed login. This makes a sort of sense, since changing the loginretries or maxexpired settings could indirectly "unlock" the account.

A slightly more elegant method, I suppose, would be to watch the auth.debug output and trigger a targeted script check of just the user that failed login when a "failed login" message appears.

- Rod



IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

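Rod's suggestion of a targeted check of just the user that failed login, as an added example (not code from the thread): a small sh/ksh script that reads the user's lsuser attributes and decides whether the account is locked. The attribute names are AIX's; the mail recipient, the decision rule and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a targeted lsuser check of one AIX
# account, to be run when a "failed login" record for that user appears in the
# auth.debug log. Attribute names are AIX's; the mail recipient, the decision
# rule (count >= loginretries) and the sample values are assumptions.

# assess_account LINE
#   LINE is one line of output from
#     lsuser -a account_locked unsuccessful_login_count loginretries USER
#   e.g. "svcacct account_locked=false unsuccessful_login_count=3 loginretries=3"
#   Returns 0 (true) when the account should be treated as locked: either
#   account_locked=true, or loginretries>0 and the failure count has reached it
#   (loginretries=0 means unlimited retries on AIX, so it never locks by count).
assess_account() {
    locked=false
    count=0
    retries=0
    for kv in $1; do
        case "$kv" in
            account_locked=*)           locked=${kv#*=} ;;
            unsuccessful_login_count=*) count=${kv#*=} ;;
            loginretries=*)             retries=${kv#*=} ;;
        esac
    done
    [ "$locked" = "true" ] && return 0
    [ "$retries" -gt 0 ] && [ "$count" -ge "$retries" ] && return 0
    return 1
}

# check_user USER
#   Queries lsuser for one account and mails root when it is locked.
#   Returns 0 locked and notified, 1 not locked, 2 lsuser failed (e.g. no such user).
check_user() {
    out=$(lsuser -a account_locked unsuccessful_login_count loginretries "$1" 2>/dev/null) || return 2
    if assess_account "$out"; then
        printf 'Account %s is locked on %s:\n%s\n' "$1" "$(hostname)" "$out" \
            | mail -s "AIX account locked: $1" root
        return 0
    fi
    return 1
}

# From the log watcher, pass the user name parsed out of the failed-login record:
#   check_user svcacct
```

Because the lock status is only computed at login time, this check answers the question for one named account at the moment a failure is seen, rather than polling every account from cron.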
 
Yes, I am attempting to be notified when an account is locked due to whatever reason. This need has come about because of dozens of scheduled tasks that use rtools to do important jobs. Unfortunately, the user used for those tasks is also a maintenance account used by staff and when it gets locked out (which it sometimes does) our tasks begin to fail. Unfortunately it takes us a while to realize the account is locked because we are too busy looking into other possible causes for our problems.

It would be nice if the appropriate personnel were notified as soon as an important account gets locked/disabled due to failed logins or whatever.

Rod, thanks for your input. I will continue with the scripting idea. I just thought that maybe AIX had something built in for this type of thing. For example, AIX's error notification object class allows me to notify via email for all sorts of system events.

Alex
 
