This is a discussion on Command to dump/restore user info OSR5 within the Sco Unix forums, part of the Unix Operating Systems category.
In article <20080324172525.GA22411@lonestar.cactus.com>, Jeff Hyman <scolist@cactus.com> wrote:
> Can 'ap' be used to determine if one's password has been changed?
> especially root's password? .... other than grepping '/etc/shadow'
> for a user and checking for a change?

To see when a user's password was last changed, do:

    passwd -s <username>

The third field printed is the date of the last password change. Of course, root is free to edit the information that this relies upon.

John
--
John DuBois spcecdt@armory.com KC6QKZ/AE http://www.armory.com/~spcecdt/
----- clipped -----
| > Can 'ap' be used to determine if one's password has been changed?
| > especially root's password? .... other than grepping '/etc/shadow'
| > for a user and checking for a change?
|
| yes with the right options. What I have done is a nightly shell script
| that dumps everything and then does a diff on the saved known good and the
| new dump. This lets me know when someone makes changes. I am working on a
| port of rkhunter that would be better, as it checks for a lot of other
| things.
|

Boyd,

Till you wrap up 'rkhunter' can you share the 'ap' syntax to monitor one's password change?

- Jeff H
----- Original Message -----
From: "Jeff Hyman" <scolist@cactus.com>
Newsgroups: comp.unix.sco.misc
To: <distro@jpr.com>
Sent: Monday, March 24, 2008 4:27 PM
Subject: Re: Command to dump/restore user info OSR5

> ----- clipped -----
> | > Can 'ap' be used to determine if one's password has been changed?
> | > especially root's password? .... other than grepping '/etc/shadow'
> | > for a user and checking for a change?
> |
> | yes with the right options. What I have done is a nightly shell script
> | that dumps everything and then does a diff on the saved known good and the
> | new dump. This lets me know when someone makes changes. I am working on a
> | port of rkhunter that would be better, as it checks for a lot of other
> | things.
> |
> Boyd,
>
> Till you wrap up 'rkhunter' can you share the 'ap' syntax to monitor
> one's password change?
>
> - Jeff H

There is no such syntax. Write a script that does a dump and then compares (using whatever utility you like) the current dump against the previous such dump. Then run that script from cron every day or every hour or whatever schedule you like.

A _crude_ starter script just to illustrate the base idea might look like this:

-----top-----
#!/bin/sh
# Monitor user database for changes daily.
# Relies on the "ap" (account propagation) utility, and so, only works on SCO.
D=/u/apmon
[ -d "$D" ] || mkdir -p "$D" || exit 1
cd "$D" || exit 1
# Rotate the previous dumps: ap00 is always the newest, ap01 the one before, etc.
mv -f ap02 ap03 >/dev/null 2>&1
mv -f ap01 ap02 >/dev/null 2>&1
mv -f ap00 ap01 >/dev/null 2>&1
# Take a fresh dump; bail out rather than compare against a truncated file if ap fails.
ap -d -g > ap00 || exit 1
# Nothing to compare against on the very first run.
[ -f ap01 ] || exit 0
diff -c ap01 ap00 |egrep "(u_name|u_pwd)" |mail -s "AP Monitor" root
-----end-----

You don't have a diff unless you install the devsys or gnutools. And in the case of gnutools you'd want to add /usr/gnu/bin to PATH in /etc/default/cron and /etc/profile and /.profile

The -c option luckily just happens to be a valid option that exists in both the native and gnu diff, and does the same thing in both. It provides enough context lines around the actually changed lines such that when a password is changed, you can see the user it applied to. The egrep ignores lines you probably don't care about.

Output looks like this:

# diff -c ap01 ap00 |egrep "(u_name|u_pwd)"
  stewie:u_name=stewie:u_id#242:\
! :u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:\
  stewie:u_name=stewie:u_id#242:\
! :u_pwd=wdhsdhsjkkwjhfjwej:\

So user stewie's password changed since the last time the script was run. The order of the filenames on the diff command line, and the way the script renumbers filenames, means that the first instance is the old password and the next instance is the new password.

The sample script maintains a constant 3 day history, ap00 is always the last dump, ap01 is always the one before that, etc...

Probably this is not useful enough yet either since a simple diff of the two dumps I think will always find differences every day even if nothing you care about changed, because I think there are last login timestamps in there that will change every time someone logs in. So you'd want to add more filtering than that egrep in there to ignore some of the diff output. Or really, you want to write an awk or perl script that parses the ap data and only looks at selective parts and compares that, instead of using diff at all. That was just a real quick & dirty way to start.

Since it's not as simple as any magic single command, that's why things like rkhunter and other root kit & invasion detectors were written and are rather non trivial apps and why I too am interested that someone is porting one to OSR5.

--
Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
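The awk-based comparison Brian suggests at the end of his post, written out as an added example (this is not the script from the thread, nor anything shipped with OSR5). It assumes the dump format visible in the post: a record starts with `user:u_name=user:u_id#N:\` and continues on backslash-terminated `:field=value:` lines. The `u_succhg` and `chkent` field names in the constructed sample dumps, and the availability of `mktemp` and `sort`, are assumptions; the sample data is made up for the demo. Only the `u_pwd` field is compared, so the login timestamps that make a raw diff noisy are ignored, and the report names the account but never the hash, so it is safe to mail.

```shell
#!/bin/sh
# Added example: compare the u_pwd field of two "ap -d -g" dumps (old, new)
# and report only accounts whose password hash changed, appeared or vanished.
# Assumed dump format (as shown in the thread):
#   stewie:u_name=stewie:u_id#242:\
#   :u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:\
#   :chkent:
# The sentinel line between the two dumps lets a single awk pass tell them apart
# even when the old dump is empty or both files are identical.

# ap_pwd_changes OLD NEW
# Prints "added USER", "changed USER" or "removed USER", one per line, sorted.
# Hash values are deliberately not printed so the report can be mailed to root.
ap_pwd_changes() {
    { cat "$1"; echo '--- apmon: end of old dump ---'; cat "$2"; } | awk '
        # flush: parse the record accumulated in rec and file it under the
        # dump it came from. User comes from u_name= (falling back to the
        # leading name field), hash from u_pwd=; an empty record is ignored.
        function flush(   n, i, f, user, pwd) {
            n = split(rec, f, ":"); user = f[1]; pwd = ""
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^u_name=/) user = substr(f[i], 8)
                if (f[i] ~ /^u_pwd=/)  pwd  = substr(f[i], 7)
            }
            rec = ""
            if (user == "") return
            if (infile == 2) newpw[user] = pwd; else oldpw[user] = pwd
        }
        $0 == "--- apmon: end of old dump ---" { flush(); infile = 2; next }
        /\\$/ { rec = rec substr($0, 1, length($0) - 1); next }   # continued line
        { rec = rec $0; flush() }                                  # record complete
        END {
            flush()
            for (u in newpw) {
                if (!(u in oldpw)) { print "added " u }
                else if (oldpw[u] != newpw[u]) { print "changed " u }
            }
            for (u in oldpw) { if (!(u in newpw)) print "removed " u }
        }
    ' | sort
}

# demo: run the comparison over two constructed dumps ("yesterday" and "today").
# root only has a new login timestamp (noise), stewie has a new hash,
# guest is gone and bob is new.
demo() {
    old=$(mktemp) || return 1
    new=$(mktemp) || return 1
    printf '%s\n' \
        'root:u_name=root:u_id#0:\' \
        ':u_pwd=abcdEFGHijklMNOPqrstUVWX:\' \
        ':u_succhg#1206300000:\' \
        ':chkent:' \
        'stewie:u_name=stewie:u_id#242:\' \
        ':u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:\' \
        ':u_succhg#1206300000:\' \
        ':chkent:' \
        'guest:u_name=guest:u_id#500:\' \
        ':u_pwd=zzzzzzzzzzzzzzzzzzzzzzzz:\' \
        ':chkent:' > "$old"
    printf '%s\n' \
        'root:u_name=root:u_id#0:\' \
        ':u_pwd=abcdEFGHijklMNOPqrstUVWX:\' \
        ':u_succhg#1206400000:\' \
        ':chkent:' \
        'stewie:u_name=stewie:u_id#242:\' \
        ':u_pwd=wdhsdhsjkkwjhfjwej:\' \
        ':u_succhg#1206300000:\' \
        ':chkent:' \
        'bob:u_name=bob:u_id#243:\' \
        ':u_pwd=qqqqqqqqqqqqqqqqqqqqqqqq:\' \
        ':chkent:' > "$new"
    ap_pwd_changes "$old" "$new"
    rm -f "$old" "$new"
}

# sh apmon.sh --demo   prints: added bob / changed stewie / removed guest
case "${1-}" in --demo) demo ;; esac
```

In the starter script above, `ap_pwd_changes ap01 ap00` can replace the `diff -c ... | egrep ...` pipeline; piping its output to `mail` only when it is non-empty (for instance `out=$(ap_pwd_changes ap01 ap00); [ -n "$out" ] && echo "$out" | mail -s "AP Monitor" root`) avoids a daily empty message.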