rementis has asked for the wisdom of the Perl Monks concerning the following question:

Hello again all-knowing Monks!

I have a unix admin problem that is driving me crazy, and although it's not necessarily perl-related I thought I'd ask for help here first.

I have a request (mandatory order) to have an email sent to a customer every time a particular user id has its password changed. I can find no way to enable syslog logging for the passwd command and I'm trying to avoid creating my own database of /etc/shadow entries across 46 different servers. All of the servers are Sun boxes running Solaris 8. I have access to Perl on each box, in case anyone recommends any kind of scripting.

Any ideas as to how I could get this done would be greatly appreciated.

Thanks in advance!

Re: /etc/shadow logging
by blue_cowdawg (Monsignor) on Mar 13, 2006 at 17:27 UTC
        I'm trying to avoid creating my own database of /etc/shadow entries across 46 different servers.

    Probably no real way to avoid it. Here's how I solved that problem a number of years ago. Wish I could find the original script, I'd just post it, but here's the pseudocode for it:

    if backup of shadow file does not exist:
        a) copy shadow file to backup name
        b) exit
    else:
        a) read shadow file into a hash: userid => encrypted password
        b) read backup shadow file into a hash: userid => encrypted password
        c) loop through shadow hash:
            1) push userid onto changed array if password fields do not match
            2) push userid onto new-id array if userid does not exist in backup hash
        d) copy present file into backup file
        e) email results

    Since everything is kept "local" this can easily be replicated to all the machines you support somewhat painlessly and doesn't require a "database" in the true sense of the word.

    If the backup copy of the shadow file doesn't exist, the assumption is that this is the first time the script has been run on a particular machine, and no action is taken other than creating the backup copy of the shadow file.

    Take care that you preserve permissions such that you don't compromise the shadow file or its copy.


    Peter L. Berghold -- Unix Professional
    Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
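An added example, not blue_cowdawg's original script (which he says he could not find): a Perl implementation of the pseudocode above, run on one machine at a time. The backup path /var/adm/shadow.last and the --live switch are assumptions for illustration; the stand-alone run uses two constructed shadow snippets instead of real files. It also reports removed ids, a small addition to the pseudocode, and the mail body lists user ids only, never the hashes.

```perl
#!/usr/bin/perl
# Added example (not the script from the post above): detect changed, new and
# removed entries between the live shadow file and a locally kept backup copy.
# Assumptions: one machine, the backup lives at $BACKUP (hypothetical path),
# and --live runs as root from cron. Without --live the script is driven by
# two constructed shadow snippets so it can be tried without touching /etc.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Sys::Hostname;

my $SHADOW = '/etc/shadow';
my $BACKUP = '/var/adm/shadow.last';   # hypothetical; must be mode 0400, root-owned

# Parse shadow-format text into { userid => encrypted_password }.
# Field 2 of each colon-separated line is the hash; it is compared, never mailed.
sub parse_shadow {
    my ($text) = @_;
    my %pw;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*$/;
        my ($user, $hash) = (split /:/, $line)[0, 1];
        $pw{$user} = defined $hash ? $hash : '';
    }
    return \%pw;
}

# Compare two parsed snapshots; returns sorted lists of changed, new and removed ids.
sub diff_shadow {
    my ($old, $new) = @_;
    my (@changed, @added, @removed);
    for my $user (sort keys %$new) {
        if (!exists $old->{$user}) { push @added, $user; next }
        push @changed, $user if $old->{$user} ne $new->{$user};
    }
    for my $user (sort keys %$old) {
        push @removed, $user unless exists $new->{$user};
    }
    return { changed => \@changed, added => \@added, removed => \@removed };
}

# Slurp a file; only used in --live mode.
sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Replace the backup with a fresh copy created 0400 from the start (O_EXCL,
# then rename), so the copy is never readable by anyone but root.
sub write_backup {
    my ($path, $text) = @_;
    my $tmp = "$path.tmp.$$";
    sysopen my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0400
        or die "create $tmp: $!";
    print {$fh} $text or die "write $tmp: $!";
    close $fh or die "close $tmp: $!";
    rename $tmp, $path or die "rename $tmp -> $path: $!";
}

# Build the mail body: user ids only, no hashes. Empty string when nothing changed.
sub report {
    my ($host, $d) = @_;
    return '' unless @{ $d->{changed} } || @{ $d->{added} } || @{ $d->{removed} };
    my $body = "Shadow changes on $host:\n";
    $body .= "  password changed: @{ $d->{changed} }\n" if @{ $d->{changed} };
    $body .= "  new ids:          @{ $d->{added} }\n"   if @{ $d->{added} };
    $body .= "  removed ids:      @{ $d->{removed} }\n" if @{ $d->{removed} };
    return $body;
}

if (@ARGV && $ARGV[0] eq '--live') {
    # Real run (as root): the first run only seeds the backup, as in the pseudocode.
    my $now = slurp($SHADOW);
    if (!-e $BACKUP) { write_backup($BACKUP, $now); exit 0 }
    my $body = report(hostname(),
        diff_shadow(parse_shadow(slurp($BACKUP)), parse_shadow($now)));
    write_backup($BACKUP, $now);
    print $body;   # the cron job pipes this into mailx/sendmail
} else {
    # Constructed demo data: svc-app's hash changed, newuser appeared, guest went away.
    my $old = "root:XyZ12abc:13220::::::\nsvc-app:AbC98old:13220::::::\nguest:*LK*:13220::::::\n";
    my $new = "root:XyZ12abc:13220::::::\nsvc-app:QwE77new:13221::::::\nnewuser:NwU55xyz:13221::::::\n";
    print report('demo-host', diff_shadow(parse_shadow($old), parse_shadow($new)));
}
```

Run it from root's crontab with --live and pipe the output to mailx (mailing only when the output is non-empty); the demo mode prints the three constructed differences. The backup directory must itself be root-only, since the copy is as sensitive as /etc/shadow, which is the point of the permissions warning above.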
Re: /etc/shadow logging
by idsfa (Vicar) on Mar 13, 2006 at 17:39 UTC
      You could also use this PAM module to invoke a perl script in your login stack. That script could send the mail.
Re: /etc/shadow logging
by wazoox (Prior) on Mar 13, 2006 at 17:12 UTC
    What about using FAM to monitor the file instead? Using SGI::FAM it would be a breeze. I don't know if FAM compiles easily on Solaris 8 though.
      If that doesn't work, they could use the low tech version of having a cron job compare the current value against the last known value.
Re: /etc/shadow logging
by jasonk (Parson) on Mar 15, 2006 at 02:16 UTC

    Many systems using shadow passwords also record the date the password was changed (as a Julian date in one of the later fields); if your systems have this, you could easily figure out who had their passwords changed on a particular day.


    We're not surrounded, we're in a target-rich environment!
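An added example, not jasonk's code: a Perl check on field 3 of shadow (lastchg), which on Solaris and Linux holds the number of days since 1 January 1970 on which the password was last changed, so 13220 is 13 March 2006. The watched ids and the shadow lines are constructed for the demo; a cron run would read /etc/shadow and pass epoch_to_shadow_day(time) as the day to look for.

```perl
#!/usr/bin/perl
# Added example (not from the post above): list the accounts whose lastchg
# field equals a given day. Assumptions: shadow field 3 is days since
# 1970-01-01 (true on Solaris and Linux), and the ids of interest are passed
# in as a hash ref. The demo uses constructed shadow lines, not /etc/shadow.
use strict;
use warnings;
use POSIX qw(strftime);

# Epoch seconds -> shadow day counter (what passwd writes into field 3).
sub epoch_to_shadow_day { return int($_[0] / 86400) }

# Shadow day counter -> YYYY-MM-DD, for the mail text.
sub shadow_day_to_date { return strftime('%Y-%m-%d', gmtime($_[0] * 86400)) }

# Return the ids whose lastchg equals $day. An empty or non-numeric lastchg
# (locked accounts, never-set passwords) is skipped rather than treated as 0.
# If $watch is given, only ids present in that hash are considered.
sub changed_on_day {
    my ($text, $day, $watch) = @_;
    my @hits;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*$/;
        my ($user, undef, $lastchg) = split /:/, $line;
        next if !defined $lastchg || $lastchg !~ /^\d+$/;
        next if $watch && !$watch->{$user};
        push @hits, $user if $lastchg == $day;
    }
    return \@hits;
}

# Constructed sample: root unchanged, svc-app and newuser set on 13221, one locked id.
my $sample = "root:XyZ12abc:13220::::::\n"
           . "svc-app:QwE77new:13221::::::\n"
           . "newuser:NwU55xyz:13221::::::\n"
           . "locked:*LK*:::::::\n";

my $day  = 13221;    # 2006-03-14; a cron run would use epoch_to_shadow_day(time)
my $hits = changed_on_day($sample, $day, { 'svc-app' => 1 });
printf "%s: %s\n", shadow_day_to_date($day), (join(' ', @$hits) || '(none)');
```

The field has day granularity, so it says that a change happened on that day, not how many times or at what hour, and a job that runs once a day can miss a change made just before the day rolls over. Comparing the hash against the previous snapshot, as in the earlier reply, catches every change; this check is the cheap complement when only the date of the last change is needed.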
Re: /etc/shadow logging
by rementis (Beadle) on Mar 13, 2006 at 17:37 UTC
    Thanks for that last pseudo-code, so far it seems like there's just no way around it. If anyone has already written this up I'd be eternally grateful, if not I'm more than capable of writing it myself. Thanks again!