How to find dormant users on your Linux Box?

Want to know the inactive users on your Linux machine who have not been using the machine since long time?

The following simple shell script, called not-this-month, uses the last command to produce a list of the users who haven’t logged in during the current month. Run it the last day of the month to produce a list of accounts that you may wish to disable.

# not-this-month:
# Gives a list of users who have not logged in this month
PATH=/bin:/usr/bin;export PATH
umask 077
mkdir /tmp/NTM || exit 1
chmod 700 /tmp/NTM
THIS_MONTH=´date | awk ‘{print $2}’´
last | grep $THIS_MONTH | awk ‘{print $1}’ | sort -u > /tmp/NTM/users1$$
cat /etc/passwd| awk -F: ‘{print $1}’ | sort -u > /tmp/NTM/users2$$
comm -13 /tmp/NTM/users[12]$$
rm -r /tmp/NTM
The following explains the details of this shell script:

Sets up a safe path. This also enables you to avoid specifying full pathnames to all of the commands that follow.

umask 077
Sets the umask value so that other users on your system will not be able to read the temporary files in /tmp.

mkdir /tmp/NTM || exit 1
Creates a temporary directory for the temp files. This prevents an attacker from hijacking the files used in the script. If the directory already exists, then the script exits with an error.

THIS_MONTH=´date | awk ‘{print $2}’´
Sets the shell variable THIS_MONTH to the name of the current month.

Generates a list of all of the logins on record.

| grep $THIS_MONTH
Filters the above list so that it includes only the logins that happened this month.

| awk ‘{print $1}’
Selects out the login name from the above list.

| sort -u
Sorts the list of logins alphabetically, and removes multiple instances of account names.

cat /etc/passwd | awk -F: ‘{print $1}’
Generates a list of the usernames of every user on the system.[8]

[8] Once again, you may need to replace the cat /etc/passwd command with your own system-specific command that prints out the contents of the password database.

comm -13
Prints items present in the second file, but not the first, i.e., the names of accounts that have not been used this month.

This shell script assumes that the database used by the last program has been kept for at least one month.

After you have determined which accounts have not been used recently, consider disabling them or contacting their owners. Of course, do not disable accounts such as root, bin, uucp, and news that are used for administrative purposes and system functions. Also remember that users who access their account only with the rsh (the remote shell command) or su commands won’t show up with the last command. If these accesses are logged by syslog on your system, you can write another script to look for them (or their absence).

Please follow and like us:

Leave a Reply to Anonymous Cancel reply