Recently I came across a situation where adding a new user to a Linux system had to trigger an e-mail alert. By default, useradd and userdel write an entry to "/var/log/secure" (on RHEL-style systems) whenever a user is added or removed, but nothing is e-mailed. I therefore wrote a script to do this. I found that it can be achieved in two ways, explained below (there are certainly other ways as well):
The first way is a simple shell script that compares the current account list against a saved baseline. The script maintains one file (the name is set in the script and can be changed as required) holding the list of known users. On each run it builds a fresh list of user names from "/etc/passwd", compares the two files, and prints or e-mails the differences as newly added (or removed) users.
A screenshot of adding a user and then running the script "generate-useradd-alert.sh" is shown below:
The script keeps the user list file (/root/userlist_localhost.old) up to date as users are added or removed. For example, suppose there are currently 4 users on the system, as shown here:
As the screenshot above shows, the user "testuser1" was deleted, and running the script updated the list file "/root/userlist_localhost.old" accordingly. The script generates and maintains a list of the users whose UIDs fall within the range defined by the "UID_MIN" and "UID_MAX" variables in "/etc/login.defs", i.e. regular (non-system) accounts.
Make sure the file "/root/userlist_localhost.old" (change the path to suit your needs) is protected from deletion or modification by other users: keep it root-owned with mode 0600 in a directory other users cannot write to. If the file is deleted, the script's next run treats every current user, including any just added, as pre-existing, and no e-mail alert is generated, so the file's disappearance is itself worth alerting on. Bear in mind that anyone able to add a user already has root and could also edit this file or the script, so the value of the control lies in the alert leaving the host promptly by e-mail.
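Below is an added example of the baseline-comparison approach described above; it is not the article's generate-useradd-alert.sh. It takes the passwd file, the login.defs file and the baseline file as arguments so it can be exercised against constructed copies before being pointed at /etc, and it reports both additions and removals. As a deliberate design choice that differs from the behaviour described above, it treats a missing baseline as a first run and reports every current user as added rather than silently accepting them as existing. The demo data is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not the article's script): detect added/removed local
# accounts by diffing /etc/passwd (filtered by UID_MIN..UID_MAX from
# /etc/login.defs) against a saved baseline. All paths are arguments.
export LC_ALL=C   # sort and comm must agree on collation

# uid_range LOGIN_DEFS -> prints "MIN MAX" (falls back to 1000 60000)
uid_range() {
    awk '$1=="UID_MIN"{min=$2} $1=="UID_MAX"{max=$2}
         END{ if(min=="") min=1000; if(max=="") max=60000; print min, max }' "$1"
}

# local_users PASSWD LOGIN_DEFS -> sorted names of accounts whose UID is in range
local_users() {
    set -- "$1" $(uid_range "$2")      # $1=passwd $2=min $3=max
    awk -F: -v min="$2" -v max="$3" '$3>=min && $3<=max {print $1}' "$1" | sort
}

# account_changes PASSWD LOGIN_DEFS BASELINE
#   Prints "added <user>" / "removed <user>" lines, then refreshes BASELINE.
#   A missing baseline is treated as an empty one, so the first run (or a
#   deleted baseline) reports every in-range user as added instead of
#   silently accepting them, the failure mode the article warns about.
account_changes() {
    passwd=$1; defs=$2; base=$3
    new=$(mktemp) || return 1
    local_users "$passwd" "$defs" > "$new"
    [ -f "$base" ] || : > "$base"
    comm -13 "$base" "$new" | sed 's/^/added /'
    comm -23 "$base" "$new" | sed 's/^/removed /'
    mv "$new" "$base"
}

# alert_on_changes PASSWD LOGIN_DEFS BASELINE RECIPIENT
#   Cron entry point: e-mails the report only when something changed.
alert_on_changes() {
    report=$(account_changes "$1" "$2" "$3")
    [ -n "$report" ] || return 0
    printf 'Account changes on %s:\n\n%s\n' "$(hostname)" "$report" |
        mail -s "account change: $(hostname)" "$4"
}

# demo: constructed passwd/login.defs files (sample data, not a real host)
demo() {
    d=$(mktemp -d) || return 1
    printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$d/login.defs"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'nobody:x:65534:65534::/:/sbin/nologin' > "$d/passwd"
    echo "first run:";        account_changes "$d/passwd" "$d/login.defs" "$d/base"
    printf '%s\n' 'bob:x:1001:1001::/home/bob:/bin/bash' >> "$d/passwd"
    echo "after adding bob:"; account_changes "$d/passwd" "$d/login.defs" "$d/base"
    echo "no change:";        account_changes "$d/passwd" "$d/login.defs" "$d/base"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a real host the cron line would call `alert_on_changes /etc/passwd /etc/login.defs /root/userlist_localhost.old root`. Only /etc/passwd is read on purpose: `getent passwd` would also pull in directory (LDAP/SSSD) accounts, whose creation is not what this check is for.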
The second way uses rsyslog. I added a filter to "/etc/rsyslog.conf" that writes every "new user" entry to a separate log file, as shown below:
AnsibleCoding>grep useradd -A1 -B1 /etc/rsyslog.conf
#-----generating custom log files whenever a new user added-----#
if $programname == 'useradd' and $syslogseverity <= '6' and ($msg startswith "new user:") then /var/log/useradd.log
You may add a filter like this one or customize it as needed (the conditions must be joined with "and"; a bare "&" is not a boolean operator in rsyslog's RainerScript). Two practical checks: restart rsyslog after editing the file, and if the rule never matches, remember that rsyslog's $msg property often keeps the space that follows the "useradd[PID]:" tag, in which case "$msg contains 'new user:'" is the safer test.
So whenever a new user is added, a line is written to "/var/log/useradd.log" that matches the one written to "/var/log/secure", as shown in the screenshot below:
I created a second simple script that reads this log file "/var/log/useradd.log", sends its contents by e-mail, and then empties the file. Newly added users therefore accumulate in the file and are cleared once the script has run. Add the script to crontab to run every minute, or every two minutes as required, so the alert goes out promptly. If no new users are found, nothing happens. One caveat: between reading the file and emptying it there is a short window, and any entry rsyslog writes in that window is lost. Keep the window small (read the file once into a variable, mail it, then truncate it in place rather than deleting or recreating it, so rsyslog keeps writing to the same inode), or track the last-read offset instead of truncating.
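As an added example (not the bundled script), here is the log-consuming half written to avoid the read-then-truncate race: instead of emptying /var/log/useradd.log, it records in a state file the byte offset already reported and only reports what was appended since, so rsyslog's file is never touched. The log and state paths are parameters; /var/lib/useradd-alert.offset is an assumed name for the state file. The demo log lines are constructed to follow the shadow-utils "new user:" format seen in /var/log/secure.

```shell
#!/bin/sh
# Added example (not the article's script): report "new user:" entries
# appended to a useradd log since the last run, using a saved byte offset
# rather than truncating the log. Paths are arguments; on a real host use
# /var/log/useradd.log and a root-only state file such as
# /var/lib/useradd-alert.offset (assumed path).

# unseen_bytes LOG STATE
#   Prints the bytes appended to LOG since the offset saved in STATE, then
#   saves the new offset. Only the range [offset, size) measured up front is
#   emitted, so a line appended while we run is reported next time rather
#   than lost or duplicated. If LOG is now shorter than the saved offset
#   (rotated or truncated), the offset is reset and the whole file reported.
unseen_bytes() {
    log=$1; state=$2
    [ -f "$log" ] || return 0
    offset=0
    if [ -f "$state" ]; then
        read -r offset < "$state" || offset=0
    fi
    case $offset in ''|*[!0-9]*) offset=0 ;; esac   # corrupt state -> start over
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +$((offset + 1)) "$log" | head -c $((size - offset))
    printf '%s\n' "$size" > "$state"
}

# report_new_users LOG STATE
#   Prints "name uid home shell" for each not-yet-reported shadow-utils
#   "new user:" line; "new group:" and other lines are ignored.
report_new_users() {
    unseen_bytes "$1" "$2" |
    sed -n 's/.*new user: name=\([^,]*\), UID=\([0-9]*\), GID=[0-9]*, home=\([^,]*\), shell=\([^,]*\).*/\1 \2 \3 \4/p'
}

# mail_new_users LOG STATE RECIPIENT
#   Cron entry point: e-mails the report only when there is something to say.
mail_new_users() {
    report=$(report_new_users "$1" "$2")
    [ -n "$report" ] || return 0
    printf 'New local accounts on %s:\n\n%s\n' "$(hostname)" "$report" |
        mail -s "useradd alert: $(hostname)" "$3"
}

# demo: constructed log lines (sample data, not from a real host)
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Mar  3 10:15:42 host useradd[2345]: new user: name=testuser1, UID=1001, GID=1001, home=/home/testuser1, shell=/bin/bash' > "$d/useradd.log"
    echo "run 1:"; report_new_users "$d/useradd.log" "$d/offset"
    printf '%s\n' 'Mar  3 10:16:00 host useradd[2350]: new group: name=svc, GID=1002' \
        'Mar  3 10:16:00 host useradd[2350]: new user: name=svc, UID=1002, GID=1002, home=/var/lib/svc, shell=/sbin/nologin' >> "$d/useradd.log"
    echo "run 2:"; report_new_users "$d/useradd.log" "$d/offset"
    echo "run 3 (nothing new):"; report_new_users "$d/useradd.log" "$d/offset"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The cron line becomes `* * * * * /root/useradd-alert.sh` with `mail_new_users /var/log/useradd.log /var/lib/useradd-alert.offset root` as its last line, and the state file needs the same protection as the baseline file in the first method. The size-based rotation check has one known gap: if the log is truncated and then grows past the saved offset before the next run, the entries in between are skipped; running the job every minute keeps that window negligible, and logrotate's copytruncate should be configured to run outside it.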
A screenshot of this script in action is shown below:
Note: Make sure the execute bit is set on the script files and configure the cron job as required.
I have bundled both scripts in a tar file, which can be downloaded using the link below.