Need help in writing the shell script

Can anyone please help me in writing a shell script that would check if a particular user (xyz) has logged in, and if yes, the audit daemon needs to be started. When the user logs off, the daemon needs to shut down, and the report needs to be e-mailed to a set of users.

Welcome to the forum!

Sure, show us what you have tried so far.

#! /bin/sh

echo "The current users are:"

who | awk '{print $1}' | sort > temp1
more temp1
grep -c 'gayathri' temp1 > temp2
more temp2
ifile="temp2"
line_1=$(head -1 $ifile)
echo $line_1
if [ "$line_1" -gt 0 ]
then
echo "id logged in"
else
echo "id not logged in"
fi

That's what I have tried

The use of temporary files can be avoided. The main part we can't guess is which audit daemon you are using and how to start and stop it.

if who | awk '$1 == "gayathri" { exit 0 } END { exit 1 }'
then
  echo logged in
else
  echo not
fi

The use of exit within the awk script is a bit arcane; if that bothers you, perhaps you could simply try

if who | grep '^gayathri ' >/dev/null; then ...

to look for "gayathri" at beginning of line, followed by a space. The redirection to >/dev/null is because you don't really actually want to see the output, you just care whether there was a match (in which case grep returns a true value) or not.

if who | awk '$1 == "gayathri" { exit 0 } END { exit 1 }'
then
  echo logged in
else
  echo not
fi

This is not correct though,

The END block in awk will always execute, so in the above case it's going to be exit 1 always, even though there is a match.

you could do something like this:

USER=whoevertheuseris
# "start daemon" stands for whatever command starts the daemon
who | grep -q "$USER" && start daemon

I'm wondering though, how are you gonna start this?

Usually, I log in as root to /etc/security/audit and kick off the auditing by giving audit start, and shut it down with audit shutdown.

The main question is, do you run it in a cron job every five minutes and if so how do you check whether the action should be to start or not, and when to send a report (and how)? If you run it in a loop the state (auditing or not) is easier to handle, but it might be less robust.

auditing=false
while true; do
  loggedin=$(who | grep '^gayathri ')
  if $auditing then
    case $loggedin in '') audit stop; auditing=false; send report;; esac
  else
    case $loggedin in '') ;; *) audit start; auditing=true;; esac
  fi
  sleep 300
done

But what if this script is terminated because the load gets too high or something? Then you don't know what the state is when you restart it.

Sorry for the awk faux pas; the correct way to code that would be something like

who | awk 'BEGIN { rc=1; } $1 == "gayathri" { rc=0; } END { exit rc }'

... but I guess the grep version is really better.

Yep. That was my question as well.

Maybe, but Awk looks awksome, of course. But I think both these problems might be overkill for the problem gayathri is trying to solve; it's probably better to kick off the audit monitor and exclude those he doesn't want to monitor there.

Era, thanks...when I tried to execute, I get the error:
0403-057 Syntax error at line 8 : `else' is not expected

However, I do not find anything wrong with the syntax. Any idea what it could mean??

Gayathri

auditing=false
while true; do
  loggedin=$(who | grep '^gayathri ')
  if $auditing
  then
    case $loggedin in '') audit stop; auditing=false; send report;; esac
  else
    case $loggedin in '') ;; *) audit start; auditing=true;; esac
  fi
  sleep 300
done

It worked well now!

  if $auditing then

Or, to keep it on the same line, the modification should be:

  if $auditing; then

Clearly not my day today. Sorry for the error again.
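An added example, not code from any poster in this thread: a single polling pass that keeps the auditing state in a file, so it can run from cron and the state survives the script being killed. `audit start` and `audit shutdown` are the commands named above; the state-file path, the `mail -s` call, the recipient addresses and the report file are assumptions.

```shell
#!/bin/sh
# Added example: one polling pass, meant to be run from cron every five minutes.
# Assumptions (not from the thread): STATE_FILE, REPORT_FILE, RECIPIENTS, mail -s.
STATE_FILE=${STATE_FILE:-/var/run/audit_watch.state}
WATCHED_USER=${WATCHED_USER:-gayathri}
RECIPIENTS=${RECIPIENTS:-"admin1@example.com admin2@example.com"}  # placeholders
REPORT_FILE=${REPORT_FILE:-/tmp/audit_report.txt}                  # placeholder

# Exit 0 if $1 is an exact login name in the who(1) output read from stdin.
# Comparing field 1 avoids matching "gayathri2" or a hostname containing the name.
is_logged_in() {
  awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Print the transition for (previous state, logged-in flag): start, stop or none.
next_action() {
  case "$1:$2" in
    off:yes) echo start ;;
    on:no)   echo stop ;;
    *)       echo none ;;
  esac
}

# Print the saved state; a missing or corrupt state file counts as "off".
read_state() {
  state=$(cat "$STATE_FILE" 2>/dev/null) || state=off
  case $state in on|off) echo "$state" ;; *) echo off ;; esac
}

# One pass: compare who(1) with the saved state and act only on a change.
# The state file is updated only if the audit command itself succeeded.
audit_tick() {
  if who | is_logged_in "$WATCHED_USER"; then present=yes; else present=no; fi
  action=$(next_action "$(read_state)" "$present")
  case $action in
    start) audit start && echo on > "$STATE_FILE" ;;
    stop)  # RECIPIENTS is left unquoted on purpose so it splits into addresses
           audit shutdown && echo off > "$STATE_FILE" &&
           mail -s "Audit report for $WATCHED_USER" $RECIPIENTS < "$REPORT_FILE" ;;
  esac
}

# Run a pass only when invoked with --run, e.g. from a cron entry.
if [ "${1:-}" = "--run" ]; then audit_tick; fi
```

Because the state lives in a file rather than in a shell variable, a restarted or rescheduled run picks up where the previous one left off.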