Find the answer to your Linux question:
Results 1 to 9 of 9
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    [SOLVED] notified via email on useradds?

    Hi all,
    I am forced, (from a higher power) to allow a script to run on my boxes that adds/deletes user accounts at will. It runs in cron.d. I would really like to be notified via email only if an account is added or deleted. I was thinking of a big process of copying the /etc/passwd file, doing a diff after the script runs, pumping the results to a file, then using mutt to send me the results only if the file has been updated. Problem is that it is kind of a bulky process and even if diff doesn't find any differences, it still updates the file. I was hoping someone knew of a better way?

    any help would be great!

  2. #2

    Many, many, many ways...

    A) Does the script only call useradd? If so, replace the useradd command with a wrapper script that takes the entered parameters, e-mails you, and then calls the original useradd as usual.

    B) Running diff, etc? Check the changed time on /etc/passwd. If date is in the past, there has been no user changes.


  3. #3
    Thanks for the reply HROAdmin26.

    Unfortunately I shouldn't really be touching the script that adds the users. It's a whole big audit thing. Anyway, I will continue with the "diff" approach. I'm thinking that I need a script that will only do a diff if the file /etc/passwd has been modified and then output the differences to an email? But I guess that also means that I have to copy /etc/passwd everyday so that I can compare the new and old files.

  4. $spacer_open
  5. #4
    I did not advocate touching this custom script that adds users. HOW does it add users? Does it manipulate the passwd file directly? Or does it call useradd?

    I suggested adding a wrapper to useradd.

    Yes, a simple way to check for new users would be to parse the passwd file, pull out the usernames, and put them in another file for daily reference/comparison.

  6. #5
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    You can use the inotify facility to be informed when someone changes the /etc/passwd or /etc/shadow files. That can trigger a script that looks at the deltas and emails you the exact changes made as well as making a copy for further comparisons for the next change..
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  7. #6
    Linux Newbie nplusplus's Avatar
    Join Date
    Apr 2010
    Charlotte, NC, USA
    Just a thought, but it seems most of the systems I have worked with log user adds and changes via syslog. You could write a script that intercepts such output to syslog, checks for the useradd/del actions, and emails you when a match is made. I guess it would then need to pass the input on to the real syslog.

    Come to think of it, rsyslog might be able to do this for you.

  8. #7
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Expanding on Rubberman's excellent advice, there are command line tools for inotify to accomplish what you want without having to write code to use the inotify kernel facility yourself. This guy has a good brief example of how to watch a project directory, with a pipe to trigger another action.

    Monitoring file system events with inotify, incron and authctl - Andries Filmer

  9. #8
    Excellent suggestions everyone! Thanks! I found Logsend on the inotify page and it will do kinda what I need. I have it configured to grep the /var/log/messages file for these strings:


    This shows me the two events that I need but it outputs it to one big long line in the email. Does anyone have any experience with logsend that may be able to help me format the output to separate lines for each entry?

    Thanks again.

  10. #9


    Here is what I ended up doing. We decided that it wouldn't be very efficient to have yet another daemon running, (Logsend).

    a=`date +"%b %d"`
    ssh user@server sudo cat /var/log/messages | grep "$a" | egrep '(new account added)|(account deleted)' >> /tmp/useradd-alert.log

    find /tmp/useradd-alert.log -size +1c -exec mutt -s "useradd alert" -a /tmp/useradd-alert.log < /dev/null \;

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts