Solved

Need notification for password change

Posted on 2012-08-13
Medium Priority
572 Views
Last Modified: 2012-09-26
Hello experts,

1) We need to receive a notification when some special accounts' passwords are changed.
2) We need to receive a notification when an account will expire in the next 7 days.

Operating system: Solaris.

Is there a way we can achieve this?
Question by:ashwin2012

18 Comments
LVL 11

Expert Comment

by:netballi
ID: 38287616

Author Comment

by:ashwin2012
ID: 38287705
Yes, that might solve my second query.

How about the first one? That is, if the password got changed.
LVL 11

Expert Comment

by:netballi
ID: 38288107
Here is a link that explains the structure of the shadow file; this will help you create your own script to extract when a particular account's password was last changed.

http://www.cyberciti.biz/faq/understanding-etcshadow-file/

You would probably have to run the script every day, comparing the date of the last password change with today's date, just to be on the ball every day and catch when some special account's password is changed.

Author Comment

by:ashwin2012
ID: 38288332
How can I send an email to a group email address when the password for a critical account is changed?

Thanks in advance
LVL 81

Expert Comment

by:arnold
ID: 38288423
Combining the suggestions above, you could run a script monitoring the password stored in the shadow file. If the password changes from the prior check, you would generate an email from the script to anyone you wish.

If you have system monitoring set up, and if one of the available checks provides for a login function, you could use the notification of the failed login as the alerting trigger.

Alternatively, if it is a critical account, presumably some critical function relies on/uses this account; making it clear that it cannot be changed outside a change process is one way.

Author Comment

by:ashwin2012
ID: 38288542
Okay, it is clear that we can have a password check,

but how can we compare the stored password with the current password, as the password is stored in encrypted form?
LVL 81

Expert Comment

by:arnold
ID: 38288638
The encrypted form does not change without a change of password; the password is encrypted once, at the time of the change.

The other option is to use expect with the password stored in plain text to test using a login transaction.

You could also use Perl's crypt() function to validate whether the encrypted password is the same as the plain one:
perl -e '$password="plaintext"; $enc="encrypted passwd"; if ($enc eq crypt($password, $enc)) { print "password matched\n"; } else { print "password changed\n"; genemail(); }'

Where genemail is a function, defined in the same Perl program, that generates the email:
sub genemail {
    # "or" rather than "||" so the die binds to open(), not to the string
    open(MAIL, "|/usr/lib/sendmail -oi -t") or die "unable to open sendmail for sending: $!\n";
    print MAIL <<EOF;
To: recipient
From: sender
Subject: password changed

The password for special account has changed
EOF
    close(MAIL);
}

You can use a bash/shell/Korn script with a Perl one-liner that handles the crypting of the plain password using the encrypted one as the salt.

Author Comment

by:ashwin2012
ID: 38291721
Thanks Arnold,
however this would be difficult for me to apply, as I know little about shell scripting and, further, I have no idea about Perl.
Can you please help me with a simple idea so that I can come up with a shell script from it?
LVL 81

Expert Comment

by:arnold
ID: 38292116
See whether auditing is enabled on your system. Password changes might be recorded.

http://docs.oracle.com/cd/E19253-01/816-4557/auditref-22/index.html

I'll see about a script.
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 38310066
Here is the description of the process.
The following will extract the username and the password:
awk -F\:  '(length($2)>3)  { print $1"\t"$2 } ' /etc/shadow
Then you would use a loop:
 while read line; do
set -- $line  # when using set, the items separated by white space will each be assigned to a variable starting with $1 to $x.  In this case, since there are only two items, it will be $1 and $2
username=$1
password=$2
done
Now combining it into a script:
#!/bin/sh
# Written for the Solaris Bourne shell: test -f (not -e), backticks for command substitution.
set -f   # no filename globbing, so a hash field such as *LK* is not expanded by "set -- $line"
user_of_interest="root"
filename_of_data="/root/lastpassword"
firstrun=0
sender='senderemailaddress'
recipient='recipientaddress'
gen_mail()
 {
   echo "To: $recipient
From: $sender
Subject: Password changed

The password for $user_of_interest changed from $lastpassword to $password

" | /usr/lib/sendmail -oi -t
}


if test -f "$filename_of_data" ; then
    lastpassword=`cat "$filename_of_data"`
else
     firstrun=1
fi
umask 077   # the data file holds a password hash; keep it readable by root only
awk -F\: '  (length($2)>3) {  print $1"\t"$2 } ' /etc/shadow | while read line; do
set -- $line
username=$1
password=$2
echo "$username"   # debugging output; remove before running from cron
echo "$password"

if test "$user_of_interest" = "$username"; then
       if  test $firstrun -eq 1; then
                    echo "$password" > "$filename_of_data"
                    exit
       fi
       if test "$password" = "$lastpassword"; then
                echo "Passwords match"
                exit
       else
               echo "Password Changed"
                gen_mail
               echo "$password" > "$filename_of_data"
                exit
       fi
fi
done


Just a quick example.
Test the mailing functionality by altering the encrypted password that is stored within the lastpassword file.
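The accepted script keys off the hash field, which is the right signal (the hash only changes when the password does), but it echoes the hash to stdout and mails both the old and the new hash to the group. What follows is an added example, not code from this thread or from any of its posters, that applies the same idea to several accounts at once while keeping hashes out of the state file, the cron output and the email, and that also covers the original second question (expiry within 7 days) from the lastchg, max and expire fields of shadow(4). It assumes a POSIX shell (on Solaris 10 that is /usr/xpg4/bin/sh or ksh rather than /bin/sh), awk and cksum, and /usr/lib/sendmail as the mailer as in the thread; WATCHED, RECIPIENT, SENDER and the state file path are placeholders I chose, and the shadow contents in sample_shadow are constructed for the demo with fake hashes.

```sh
#!/bin/sh
# Added example for this thread, not code from any of its posters. Covers both
# questions against a shadow(4)-format file:
#   name:password:lastchg:min:max:warn:inactive:expire:flag
# where lastchg and expire are days since 1970-01-01 and an empty field means
# "unset". Assumes POSIX sh, awk, cksum and the thread's /usr/lib/sendmail.
# WATCHED, RECIPIENT and SENDER are placeholders, not values from the thread.

WATCHED="root oracle"             # accounts whose password changes get reported
RECIPIENT="group@example.invalid" # hypothetical
SENDER="pwcheck@example.invalid"  # hypothetical

# days_today: today as a day count. Assumes date +%s; on an old Solaris
# /bin/date use:  perl -e 'print int(time/86400)'
days_today() {
    echo $(( $(date +%s) / 86400 ))
}

# fingerprints SHADOW: one "user checksum" line per watched account. Only the
# cksum of the hash field is persisted and compared, so the hash itself never
# ends up in a state file, a cron mail or a notification.
fingerprints() {
    awk -F: -v watch="$WATCHED" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) { print $1 " " $2 }' "$1" |
    while read -r user hash; do
        sum=$(printf '%s' "$hash" | cksum | cut -d' ' -f1)
        echo "$user $sum"
    done
}

# changed_accounts SHADOW STATEFILE: prints each watched user whose fingerprint
# differs from the one recorded in STATEFILE, then rewrites STATEFILE (mode
# 0600). With no state file yet it only records a baseline and prints nothing,
# so the first deployment does not page anyone.
changed_accounts() {
    new=$(fingerprints "$1")
    if [ -f "$2" ]; then
        echo "$new" | while read -r user sum; do
            old=$(awk -v u="$user" '$1 == u { print $2 }' "$2")
            if [ -n "$old" ] && [ "$old" != "$sum" ]; then echo "$user"; fi
        done
    fi
    ( umask 077; echo "$new" > "$2" )
}

# expiring_accounts SHADOW TODAY DAYS: prints "user kind days_left" for every
# account whose password (lastchg + max) or account (expire field) lapses
# within DAYS days of TODAY. Locked (*LK*) and no-password (NP) entries are
# skipped; an empty max or expire means "never" and is skipped too.
expiring_accounts() {
    awk -F: -v today="$2" -v horizon="$3" '
        $2 == "" || $2 ~ /^\*/ || $2 == "NP" { next }
        $3 != "" && $5 != "" { left = $3 + $5 - today
                               if (left <= horizon) print $1, "password", left }
        $8 != ""             { left = $8 - today
                               if (left <= horizon) print $1, "account", left }' "$1"
}

# notify SUBJECT: mails stdin to the group. The body is only user names and
# day counts from the functions above, never a hash.
notify() {
    { printf 'To: %s\nFrom: %s\nSubject: %s\n\n' "$RECIPIENT" "$SENDER" "$1"; cat; } |
        /usr/lib/sendmail -oi -t
}

# sample_shadow: a constructed shadow file (fake hashes) for a demo where
# "today" is day 15560: oracle's password reaches max age today, contractor's
# account expires in 5 days, root has 30 days left, daemon is locked.
sample_shadow() {
    cat <<'EOF'
root:$5$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ:15500:7:90:7:::
oracle:$5$othersalt$zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUTS:15470:7:90:7:::
batch:$5$batchsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH:15400::::::
contractor:$5$csalt$ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghij:15550:::::15565:
daemon:*LK*:15000:::::15560:
EOF
}

# demo: both checks on the sample, then a simulated change of root's hash.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_shadow > "$tmp/shadow"
    echo "expiring within 7 days of day 15560:"
    expiring_accounts "$tmp/shadow" 15560 7          # oracle password 0 / contractor account 5
    changed_accounts "$tmp/shadow" "$tmp/state"      # baseline, prints nothing
    sed 's/^root:[^:]*:/root:$5$newsalt$CHANGEDHASH:/' "$tmp/shadow" > "$tmp/shadow2"
    echo "changed since baseline:"
    changed_accounts "$tmp/shadow2" "$tmp/state"     # root
    rm -rf "$tmp"
}

# From cron every 5 minutes (as suggested above), something like:
#   out=$(changed_accounts /etc/shadow /var/adm/pwcheck.state)
#   [ -n "$out" ] && echo "$out" | notify "password changed"
#   out=$(expiring_accounts /etc/shadow "$(days_today)" 7)
#   [ -n "$out" ] && echo "$out" | notify "password/account expiring within 7 days"
```

Run `demo` to see both checks on the constructed sample. The state file is written with umask 077 and holds only CRC values, so even if it leaks nothing about the password is exposed; the email, likewise, names the account but never the hash. The first run deliberately records a baseline without alerting, so rolling this out to many servers does not produce a flood of "changed" mails.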

Author Comment

by:ashwin2012
ID: 38322906
Thanks Arnold for the script. I am yet to check the script.

Surely we are going to cron this script; what if the script was scheduled for 1 am every day and the password was changed at 1:05 am? All the jobs related to this critical account will fail, as the password was changed, and it will take 23:55 hrs to get detected and send an email to the group about the password change.

We already have a script for checking password expiry and mailing the group when a password is about to expire, so that the user can request a password change on time.

Here is the scenario: if the a/c password was changed before the expiry time, then we can make a script as an alias for passwd that will check those specific accounts when passed as arguments and then send an email at the very instant the passwd command is issued.
LVL 81

Expert Comment

by:arnold
ID: 38323208
You can set up this script in cron to run every five minutes.

Author Comment

by:ashwin2012
ID: 38324212
Won't that be a performance issue on our servers, as we have a lot of them?
LVL 81

Expert Comment

by:arnold
ID: 38324298
No, the script is not resource intensive.

Use:
time script

This will tell you how long the script runs, and how much resources it will use.

Author Comment

by:ashwin2012
ID: 38327484
Can you please elaborate on "time script"?

Author Comment

by:ashwin2012
ID: 38372413
Hi Arnold,

What is time script?

Thanks in advance
LVL 81

Expert Comment

by:arnold
ID: 38437216
Sorry, I did not see the notification of your prior posts.
time is a command that is included, and what it does is run the command that follows and keep data on how long the command ran, how much CPU it used, etc.
If you name the sample script above checkpassword.sh, running:
time ./checkpassword.sh
will answer your previous question on whether running the checkpassword.sh script every 5 minutes leads to increased load on the system.

Author Comment

by:ashwin2012
ID: 38439324
Thanks Dude