(RHEL, Bash) List users and check if they have logged on during the last 2 months

gacanepa · October 3, 2013, 8:02pm

Hi everyone,
At work we were told to check the list of users of an application server and delete all those that have left the company or don't need access to the application anymore. Here's what I came up with. Would you be as kind as to tell me your opinion and whether there is a faster / easier way to accomplish the same thing?
1) Save the list of user names (1st field in /etc/passwd) in a text file (~500 users).
2) Merge /var/log/wtmp and /var/log/wtmp.1 (logrotate is configured to keep only 1 rotated wtmp log) into a single file with

cat /var/log/wtmp.1 /var/log/wtmp > wtmp

3) Convert the wtmp file (which is of type data):

gacanepa@Gabriel-PC ~ $ file /var/log/wtmp
/var/log/wtmp: data

to a plain text file sorted by 1st field (user names) and filtered by last occurrence of user name:

last -f wtmp | sort -uk1,1 > wtmp.txt

4) Check one by one the list of users created in step #1 to see whether they appear in the wtmp.txt file. If they don't appear in this file, which lists the logins for the current and past month, it means they haven't logged on during the same period, and we can consider deleting them.
5) Each "inactive user" is logged into
Some points to consider:
1) Here's the section of /var/log/wtmp in our logrotate.conf file:

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

Unfortunately, we can't edit it.
2) For the same reasons as above we can't use chage either to disable accounts.
I hope I made myself clear enough :). Any suggestions will be more than welcome.

sea · October 3, 2013, 9:22pm

If the users are supposed to login localy, you could try (as root):

cat /etc/passwd|sed s,:,\ ,g|awk '{print $3" "$1}'|sort -r > var

while read line;do
    uid=$(echo $line|awk '{print $1}')
    usr=$(echo $line|awk '{print $2}')
    [[ $uid -ge 1000 ]] && \
        echo "User $usr, last login: $(ls -la /home/$usr/.xsession-errors|awk '{print $6$7}')"
done < var

Hope this helps

gacanepa · October 3, 2013, 9:39pm

sea:

If the users are supposed to login localy, you could try (as root):

cat /etc/passwd|sed s,:,\ ,g|awk '{print $3" "$1}'|sort -r > var

while read line;do
   uid=$(echo $line|awk '{print $1}')
   usr=$(echo $line|awk '{print $2}')
   [[ $uid -ge 1000 ]] && \
   echo "User $usr, last login: $(ls -la /home/$usr/.xsession-errors|awk '{print $6$7}')"
done < var

Hope this helps

Unfortunately I can't login as root at work and this script is supposed to run under normal user permissions. But I will keep your suggestion in mind in case I need to do the same thing at home (where I DO have root privileges ).
In the meanwhile, my script is working just fine. I was just wondering if there was a more effective way of getting the job done with normal user permissions:).

sea · October 3, 2013, 9:41pm

If you have sudo access, just place in sudo in front of the ls command, invoked in the echo line...

Sorry dont any wtmp files available..

gacanepa · October 3, 2013, 9:51pm

No root and no sudo access either :(. Sorry I forgot to mention that in my first post.
Thank you sea for taking the time to share your knowledge with me. I will bookmark this thread for my future reference.
Someone over at linuxquestions.org pointed me in the right direction. With that information and sea's help, I believe I have my answer so I'll mark this thread as solved.