User creation log 1

Status
Not open for further replies.

misn1day

Technical User
Jun 19, 2002
14
US
We just had an audit done on our systems and one of the things that was asked of us was how did we know when a user was created. I have been trying to do some research and have been unable to find anything. Does anyone know how I can track/log user creation in AIX?
 
If you are creating users with smit then you will find a smit.log file in the directory where you were when you used smit.
 
Unfortunately, most users aren’t created via smit. Also, I think the audits are looking for something that can be run on a daily basis that would look for all users that were set up and then determine if any were set up that weren’t supposed to be.
 
You could turn on AIX Audit.

I use this for the same reason you are talking about. I only use it to track user and group add, delete, change....

 
Thanks for the info. I have looked into audit a couple of times in the past but it overwhelms me after a while. What command are you using to extract user creation? BTW, I have found a great product that interacts with AIX audit. It is called Snare. They are in a testing phase currently for AIX but the project looks like it will be really useful. Just thought I would pass that on.
 
Here's a method, whether you use smit or mkuser.

Update /usr/lib/security/mkuser.sys to include the logging information you want. Here is an example:

## Log the creation of accounts
## $1 is the home directory and $2 is the account name being created
echo "$(date) $(logname) $2 $1" >> /path/to/logs/mkuser.log

That will place the date, the login name, the account name created, and the home directory for that account name. Storing the login name is handy if you have admins in the security group who can add users. If all administration is done through the root user, then it loses some effectiveness.

There are variations of this theme, so have at it.

This does not assist with account changes/deletions.
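
A daily check over the log that the mkuser.sys hook above writes, as an added example that is not part of the original thread: it lists every logged account that is not on an approved list. The approved-list file, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts in mkuser.log that are not on an approved list.
# Log line layout, as written by the mkuser.sys hook in the post above:
#   <date output, several fields> <logname> <account> <home directory>
# so the account is field NF-1 and the creating login is field NF-2.
# Assumption: home directory paths contain no spaces.

# unapproved_accounts LOGFILE APPROVED_FILE
# APPROVED_FILE is a hypothetical list with one approved account name per line.
unapproved_accounts() {
    awk -v approved_file="$2" '
        BEGIN {
            # Load the approved names; a missing or empty file approves nobody.
            while ((getline line < approved_file) > 0) {
                n = split(line, f, " ")
                if (n > 0) approved[f[1]] = 1
            }
        }
        NF >= 4 {
            account = $(NF - 1)
            if (!(account in approved))
                printf "UNAPPROVED account=%s created_by=%s home=%s\n", account, $(NF - 2), $NF
        }
        # Too few fields to hold a date, a login, an account and a home directory.
        NF > 0 && NF < 4 { printf "MALFORMED line %d: %s\n", NR, $0 }
    ' "$1"
}

# write_sample DIR: constructed sample data (not taken from a real system).
write_sample() {
    cat > "$1/mkuser.log" <<'EOF'
Mon Jun 17 09:12:44 CDT 2002 root jsmith /home/jsmith
Tue Jun 18 14:03:10 CDT 2002 adminbob tmpacct /home/tmpacct
Wed Jun 19 08:45:31 CDT 2002 root mlee /home/mlee
EOF
    printf '%s\n' jsmith mlee > "$1/approved.txt"
}

demo_dir="${TMPDIR:-/tmp}/mkuser_demo.$$"
mkdir -p "$demo_dir"
write_sample "$demo_dir"
unapproved_accounts "$demo_dir/mkuser.log" "$demo_dir/approved.txt"
rm -rf "$demo_dir"
```

Because the log is appended to by a script that anyone able to run mkuser can also edit, keep the log file writable only by root and treat an empty report as meaningful only if mkuser.sys itself is unchanged.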
 
This was exactly what I needed! Thank you!!
 
In /etc/security/config I set up a class

Code:
     classes:
        uidgid = USER_Change,USER_Remove,USER_Create,GROUP_Change,GROUP_Create,GROUP_Remove


Then I set it up so user root only watches the uidgid class
 