Re: Command to dump/restore user info OSR5




----- Original Message -----
From: "Jeff Hyman" <scolist@xxxxxxxxxx>
Newsgroups: comp.unix.sco.misc
To: <distro@xxxxxxx>
Sent: Monday, March 24, 2008 4:27 PM
Subject: Re: Command to dump/restore user info OSR5


----- clipped -----
| > Can 'ap' be used to determine if one's password has been changed?
| > especially root's password? .... other than grepping '/etc/shadow'
| > for a user and checking for a change?
|
| Yes, with the right options. What I have done is a nightly shell script
| that dumps everything and then does a diff on the saved known good and the
| new dump. This lets me know when someone makes changes. I am working on a
| port of rkhunter that would be better, as it checks for a lot of other
| things.
|
Boyd,

Till you wrap up 'rkhunter' can you share the 'ap' syntax to monitor
one's password change?

- Jeff H

There is no such syntax.
Write a script that does a dump and then compares (using whatever utility you like) the current dump against the previous such dump.
Then run that script from cron every day or every hour or whatever schedule you like.

A _crude_ starter script just to illustrate the base idea might look like this:

-----top-----
#!/bin/sh
# Monitor the user database for changes daily.
# Relies on the "ap" (account propagation) utility, and so, only works on SCO.
D=/u/apmon
[ -d "$D" ] || mkdir -p "$D" || exit 1
cd "$D" || exit 1
# Rotate the earlier dumps: ap00 is always the newest, ap03 the oldest kept.
mv -f ap02 ap03 >/dev/null 2>&1
mv -f ap01 ap02 >/dev/null 2>&1
mv -f ap00 ap01 >/dev/null 2>&1
# Take a fresh dump of the account database.
ap -d -g > ap00
# Mail root only the name and password lines that differ from the previous dump
# (on the very first run there is no ap01 yet, so diff reports an error).
diff -c ap01 ap00 | egrep "(u_name|u_pwd)" | mail -s "AP Monitor" root
-----end-----

You don't have a diff unless you install the devsys or gnutools.
And in the case of gnutools you'd want to add /usr/gnu/bin to PATH in /etc/default/cron and /etc/profile and /.profile
The -c option luckily just happens to be a valid option that exists in both the native and gnu diff, and does the same thing in both. It provides enough context lines around the actually changed lines such that when a password is changed, you can see the user it applied to. The egrep ignores lines you probably don't care about.

Output looks like this:

# diff -c ap01 ap00 |egrep "(u_name|u_pwd)"
stewie:u_name=stewie:u_id#242:\
! :u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:\
stewie:u_name=stewie:u_id#242:\
! :u_pwd=wdhsdhsjkkwjhfjwej:\

So user stewie's password changed since the last time the script was run.
The order of the filenames on the diff command line, and the way the script renumbers filenames, means that the first instance is the old password and the next instance is the new password.

The sample script maintains a constant 3 day history, ap00 is always the last dump, ap01 is always the one before that, etc...

Probably this is not useful enough yet either since a simple diff of the two dumps I think will always find differences every day even if nothing you care about changed, because I think there are last login timestamps in there that will change every time someone logs in. So you'd want to add more filtering than that egrep in there to ignore some of the diff output.

Or really, you really want to write an awk or perl script that parses the ap data and only looks at selective parts and compares that, instead of using diff at all. That was just a real quick & dirty way to start.

Since it's not as simple as any magic single command, that's why things like rkhunter and other root kit & invasion detectors were written and are rather non trivial apps and why I too am interested that someone is porting one to OSR5.

--
Brian K. White brian@xxxxxxxxx http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
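As an added example (not part of Brian's post or of SCO's tools), here is the field-level comparison he suggests instead of diffing the raw dumps, written as a shell script around awk. The dump layout, the u_suclog timestamp field name and the sample hashes are assumptions modelled on the excerpt above:

```shell
#!/bin/sh
# Added example, not from the original post: compare two "ap -d -g" dumps field
# by field so that fields that churn on every login do not trigger a report.
# Assumed layout, modelled on the excerpt above: an entry starts with a line
# "name:u_name=name:...", continues on lines starting with ":", lines end in "\",
# and fields are ":"-separated key=value or key#number pairs.

# ap_changes OLD NEW: print added/removed/changed values of the watched fields.
ap_changes() {
    awk -v watch="u_name,u_id,u_pwd" '
    BEGIN { n = split(watch, w, ","); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    FNR == 1 { pass++ }                      # pass 1 reads OLD, pass 2 reads NEW
    {
        sub(/^[ \t]+/, ""); sub(/\\$/, "")   # strip indent and continuation backslash
        m = split($0, f, ":")
        if ($0 !~ /^:/) user = f[1]          # header line names the account
        for (i = 1; i <= m; i++) {
            key = f[i]; sub(/[=#].*/, "", key)
            if (!(key in want) || f[i] == "") continue
            if (pass == 1) { old[user, key] = f[i] } else { new[user, key] = f[i] }
        }
    }
    END {
        for (k in new) {
            split(k, p, SUBSEP)
            if (!(k in old)) printf "added %s %s\n", p[1], new[k]
            else if (old[k] != new[k]) printf "changed %s %s -> %s\n", p[1], old[k], new[k]
        }
        for (k in old) if (!(k in new)) { split(k, p, SUBSEP); printf "removed %s %s\n", p[1], old[k] }
    }' "$1" "$2" | sort
}

# Constructed sample dumps (hashes are made up; u_suclog is an assumed
# last-login timestamp field that changes on every login and must be ignored).
ap_sample_old() { printf '%s\n' \
  'root:u_name=root:u_id#0:\' ':u_pwd=OLDROOTHASH:\' ':u_suclog#1206300000:chkent:' \
  'stewie:u_name=stewie:u_id#242:\' ':u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:\' ':u_suclog#1206300000:chkent:'
}
ap_sample_new() { printf '%s\n' \
  'root:u_name=root:u_id#0:\' ':u_pwd=OLDROOTHASH:\' ':u_suclog#1206399999:chkent:' \
  'stewie:u_name=stewie:u_id#242:\' ':u_pwd=wdhsdhsjkkwjhfjwej:\' ':u_suclog#1206399999:chkent:' \
  'brian:u_name=brian:u_id#243:\' ':u_pwd=NEWUSERHASH:\' ':u_suclog#1206399999:chkent:'
}

OLD=$(mktemp) && NEW=$(mktemp)
ap_sample_old > "$OLD"; ap_sample_new > "$NEW"
ap_changes "$OLD" "$NEW"     # reports only stewie's new password and the added account
rm -f "$OLD" "$NEW"
```

Run it from cron against ap01 and ap00 in place of the diff | egrep pipeline; the root entry's changed timestamp produces no output, while the password change and the new account do.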
