Discussion:
how to identify inactive accounts over 90 days
d'Jonz'Z
20 years ago
I'm trying to find the best way to identify user accounts that have not been
accessed in over 90 days.

Does anyone know of a way to determine this? I'm running AIX v5.2.

Last shows login activity, but not for over 90 days.

Ideally, I'd like a solution that notifies me so I can disable the account
or automatically disables it.

I've noticed the /etc/security/passwd file gets set to ADMCHG when root
changes a user's password. If this value doesn't change in a while, I can
assume the account isn't being used, but that's pretty crude and provides no
time frame.

Any thoughts are appreciated.

Thanks - Dale

Please post replies or edit my reply address
J***@gmail.com
20 years ago
Either set up accounting on your system, or this should do it,
at least until 2038. I don't think this will work if the
account has never been used.

#!/usr/bin/perl -w
# List all users who have logged in more than 90 days ago
use strict;

my $user = "NIL";
open(my $log, '<', '/etc/security/lastlog') or die "No lastlog!";
SW: while (<$log>) {
    next SW if /^\*/;                # comments

    # A stanza starts with the user name in column 0, followed by a colon
    # (user names may contain '.' or '-', so don't rely on \w alone)
    if ( /^([\w.-]+):/ ) {
        $user = $1;
    }

    # Seconds since the epoch of the last successful login; an account
    # that has never logged in has no such line and is not reported
    if ( /time_last_login = (\d+)/ ) {
        if (time > ($1 + (90*24*3600))) {
            print "$user last logged in at " . localtime($1) . "\n";
        }
    }
}
close($log);
steven_nospam at Yahoo! Canada
20 years ago
Post by d'Jonz'Z
I'm trying to find the best way to identify user accounts that have not been
accessed in over 90 days.
Ideally, I'd like a solution that notifies me so I can disable the account
or automatically disables it.
Thanks - Dale
There is a file called /etc/security/lastlog that contains entries
similar to the one below:

johndoe:
time_last_login = 1114521079
tty_last_login = /dev/pts/4
host_last_login = 192.168.1.125
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1113934358
tty_last_unsuccessful_login = /dev/pts/12
host_last_unsuccessful_login = 192.168.1.125

The "time_last_login" field is probably what you are looking for, but
you would have to do some date arithmetic or convert the number into a
readable date/time format. The number shown is the number of seconds
that elapsed between Jan 1, 1970 (GMT) and the current system
date/time.

Steve
epacket
20 years ago
# perl -we "print scalar localtime 1114521079"

- Jon

The above will convert epoch to a readable date / time.
d'Jonz'Z
20 years ago
Thanks for the great suggestions. With a little scripting, I should have a
solid solution in no time to look for inactive accounts and disable them
daily.

I knew there had to be a simple way to do this :--)

Dale
Ross
20 years ago
Post by d'Jonz'Z
I'm trying to find the best way to identify user accounts that have not been
accessed in over 90 days.
The easiest way would be to force users to change their passwords every
12 weeks, and tell AIX to lock those accounts whose passwords are not
changed. Go to "smitty chuser" to view these parameters.

If you don't like that idea, use something like "lsuser -a
time_last_login ALL" to get a list of all users, and the time of their
last login. You'll need to filter the known list of system accounts.
The problem here is that those users who have never logged in will of
course not have a last login time.

In my case, I handle this by creating the user's home directory with
770 permissions (I do the "per-user group" thing), and key off of the
last modify date on their home directory, because only the owner can
change it. I have a Python script that runs nightly and produces a
report. Then I have another Python script that locks the accounts with
the command

chuser shell=/usr/local/bin/loginlocked login=false su=false
rlogin=false account_locked=true <userid>

This pretty much locks the account from all the access methods I have
on my systems including OpenSSH. The /usr/local/bin/loginlocked is a
basic C program I wrote that securely prints a terminal message about
the reason for the account being locked and what to do about it, and
then exits.

-Ross
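As an added illustration of Ross's lsuser approach (example code, not from the thread): a POSIX sh script that reads the output of `lsuser -a time_last_login ALL`, skips a constructed list of system accounts, reports never-logged-in users separately instead of silently dropping them, and prints (without running) the chuser lock line from the post for each stale account. It assumes lsuser prints one `name time_last_login=EPOCH` line per user and only the name when the attribute is unset; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify the output of
# "lsuser -a time_last_login ALL" (assumed "name time_last_login=EPOCH" per
# user, and just "name" for an account that has never logged in).

# Accounts never to flag (constructed list; extend for your system).
SYSTEM_ACCOUNTS="root daemon bin sys adm uucp guest nobody lpd"

is_system_account() {
    for s in $SYSTEM_ACCOUNTS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Usage: classify_inactive NOW_EPOCH MAX_DAYS < lsuser-output
# Emits "user STATUS days"; STATUS is active, inactive or never-logged-in.
classify_inactive() {
    now=$1
    limit=$(( $2 * 24 * 3600 ))
    while read -r name rest; do
        [ -z "$name" ] && continue
        is_system_account "$name" && continue
        case "$rest" in
            *time_last_login=*)
                last=${rest##*time_last_login=}
                last=${last%% *}
                age=$(( now - last ))
                status=active
                [ "$age" -gt "$limit" ] && status=inactive
                echo "$name $status $(( age / 86400 ))"
                ;;
            *)
                # No lastlog entry: report it rather than silently skipping it
                echo "$name never-logged-in -"
                ;;
        esac
    done
}

# Dry run: print Ross's chuser lock command for each inactive account.
lock_commands() {
    classify_inactive "$@" | awk '$2 == "inactive" { print "chuser shell=/usr/local/bin/loginlocked login=false su=false rlogin=false account_locked=true " $1 }'
}

# Constructed sample of lsuser output (epochs chosen around the thread's example)
SAMPLE='root time_last_login=1114521079
johndoe time_last_login=1114521079
jane time_last_login=1100000000
newhire'
```

Run it against the real command with `lsuser -a time_last_login ALL | classify_inactive "$(date +%s)" 90`, and pipe the `lock_commands` output to a shell only after reviewing it.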
