Security Auditing 1

Status
Not open for further replies.

made13

MIS
Aug 13, 2003
15
GB
We are required to perform regular checks on System Access as part of an audit requirement. The information required is as follows:

1. A report of all users, with the time and date that the user last accessed the system.
2. A list of all login attempts, especially those that have failed for whatever reason.

We are running AIX 5.1 on our servers. The information above would be required on a weekly basis to allow review by users.

Are there any PERL scripts that currently do this?

Thanks...
 
First things first, I am still a perl neophyte. So, this answer contains minimal perl. Also, most of the information can be gotten with a few commands. The following could be used as a starting point to make a more elegant perl solution.

You might check out the following:
/etc/security/failedlogin - file containing failed logins
(Tek-Tips faq52-672, "who -a /etc/security/failedlogin")
the last command
the lsuser command


The command "lsuser -a time_last_login ALL" shows the date/time of the last login of all of the users on the system. (The output is in the number of seconds since 1970)

There are several ways to convert the number of seconds since 1970 to the "normal" date/time. In the past, I've used a simple C program, but the following perl program should also work:
---------sec2date.pl--------
#!/usr/bin/perl
# Convert seconds since 1970 (first argument) to a local date/time string.
use strict;
use warnings;

my $timestamp = $ARGV[0];
if (defined $timestamp && $timestamp =~ /^\d+$/) {
    my $time = localtime($timestamp);
    print "$time\n";
}
-----------------------------


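The following is an example of a set of commands that can extract the last login times for all users on the system.
----last_logins.sh------------------------
#!/bin/ksh
# Print each user's lsuser line followed by the readable last-login time.
# Assumes sec2date.pl (above) is executable and in the current directory.
lsuser -a time_last_login ALL |
while read -r line
do
    # The value after "=" is the login time in seconds since 1970
    dt=$(echo "$line" | awk -F= '{print $2}')
    if [[ -n "$dt" ]]; then
        echo "$line" "$(./sec2date.pl "$dt")"
    fi
done
-------------------------------------------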
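
A single-script version of the approach in the answer above, added here as an example and not part of the original posts: it reads `lsuser -a time_last_login ALL` output, converts the epoch values, and marks accounts that have never logged in or have been idle past a threshold. The script name, the 90-day threshold and the sample data are assumptions, as is the format of a line with no `time_last_login` value (taken from the empty-value check in the shell script above).

```perl
#!/usr/bin/perl
# Added example: last-login audit report from "lsuser -a time_last_login ALL".
# Usage on AIX:  lsuser -a time_last_login ALL | perl last_login_report.pl
# With no piped input it runs on the constructed sample under __DATA__.
use strict;
use warnings;
use POSIX qw(strftime);

my $STALE_DAYS = 90;    # assumed review threshold, not from the original post

# Parse one lsuser line ("name attr=value ...") into (name, \%attrs).
sub parse_lsuser_line {
    my ($line) = @_;
    my ($name, @pairs) = split ' ', $line;
    return unless defined $name;          # skip blank lines
    my %attr = map { /^([^=]+)=(.*)$/ ? ($1 => $2) : () } @pairs;
    return ($name, \%attr);
}

my $in  = -t STDIN ? \*DATA : \*STDIN;    # terminal: use sample; pipe: use lsuser
my $now = time;
my @rows;
while (my $line = <$in>) {
    chomp $line;
    my ($name, $attr) = parse_lsuser_line($line) or next;
    my $ts = $attr->{time_last_login};
    # Accept only all-digit epoch values; anything else counts as "never".
    $ts = undef unless defined $ts && $ts =~ /^\d+$/;
    push @rows, [$name, $ts, defined $ts ? $ts : -1];
}

# Never-logged-in accounts first, then oldest login first, then by name.
for my $row (sort { $a->[2] <=> $b->[2] or $a->[0] cmp $b->[0] } @rows) {
    my ($name, $ts) = @$row;
    my $when = defined $ts ? strftime('%Y-%m-%d %H:%M:%S', localtime($ts)) : 'never';
    my $flag = !defined $ts                     ? 'NEVER'
             : $now - $ts > $STALE_DAYS * 86400 ? 'STALE'
             :                                    '';
    printf "%-12s %-19s %s\n", $name, $when, $flag;
}

__DATA__
root time_last_login=1060761600
daemon
made13 time_last_login=1060675200
guest time_last_login=1041379200
```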

 
Thanks very much, unixdan. This has helped me a lot.
 