I need a report that shows all the local users on each Linux machine. I’ve searched and found several threads on Windows accounts, but none for Linux. Anyone have any suggestions on how to get started? I think what I need is to read the /etc/passwd file on each machine and report the contents. I’m not a Linux or TEM expert by any means.
This is great! I would have never figured this out.
Next is to try and figure out how I can turn /usr/bin/getent passwd {{1000..60000} into a relevance statement to pick out the local users within those ranges.
Yes. The auditors I deal with have Windows backgrounds and no *nix. So they don’t understand the daemons and what accounts can actually log in. Trying to get them a report to show local users if they exist on the system.
I don’t have a Linux box handy, but as a proof of concept, here’s a way to filter by UID/GID I came up with using the “/etc/group” file on my Mac.
preceding texts of firsts ":" of lines whose ((it > 1 AND it < 20) of (following text of lasts ":" of preceding texts of lasts ":" of it as integer)) of file "/etc/group"
This is parsing the lines to extract just the GID (you could do the same with relevance earlier in this thread for UID in the /etc/passwd file). You can plug the range you’re looking for into the (it > 1 AND it < 20) area. It’ll then return lines where the GID is in that range and give you whatever comes before the first colon on those lines.
Edit:
Found a Linux box, put this together for /etc/passwd:
preceding texts of firsts ":" of lines whose ((it >= 1000 AND it <= 6000) of (preceding texts of first ":" of following texts of firsts "x:" of it as integer)) of file "/etc/passwd"
I was thinking about this and parsing and trying to get the user that has /bin/bash at the end.
My test system has this in the /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
games:x:12:100:Games account:/var/games:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
dnsmasq:x:101:65534:dnsmasq:/var/lib/empty:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
uuidd:x:102:102:User for uuidd:/var/run/uuidd:/bin/false
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
polkituser:x:103:104:PolicyKit:/var/run/PolicyKit:/bin/false
nagios:x:104:105:User for Nagios:/var/lib/nagios:/bin/bash
haldaemon:x:105:107:User for haldaemon:/var/run/hald:/bin/false
avahi:x:106:108:User for Avahi:/var/run/avahi-daemon:/bin/false
sabayon-admin:x:107:109:Sabayon user:/var/lib/sabayon-admin:/sbin/nologin
gdm:x:108:110:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
walkup:x:1000:100::/home/walkup:/bin/bash
usbmux:x:109:65534:usbmuxd daemon:/var/lib/usbmuxd:/sbin/nologin
suse-ncc:x:110:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
salt:x:111:114:salt-master daemon:/var/lib/salt:/bin/false
My real user is walkup but then there is also nagios for the nagios monitoring system.
When I used your last example I got this:
Q: preceding texts of firsts ":" of lines whose ((it >= 1000 AND it <= 6000) of (preceding texts of first ":" of following texts of firsts "x:" of it as integer)) of file "/etc/passwd"
A: postfix
A: walkup
A: usbmux
T: 1113
Wasn’t sure how postfix and usbmux showed up so thought about getting the shell value. I might be overcomplicating this.
Hah – they show up because both users end in x. They’re an edge case because I told it "give me whatever comes after the first "x:" of the line". In their case, there are two occurrences of "x:" and we want the second one. There’s only one ":x:" so changing the relevance so it reads following texts of firsts ":x:" should fix it.
q: preceding texts of firsts ":" of lines whose ((it >= 1000 AND it <= 6000) of (preceding texts of first ":" of following texts of firsts ":x:" of it as integer)) of file "/etc/passwd"
A: walkup
T: 1.325 ms
I: plural substring
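
Added example, not part of the original thread and written for a shell with awk rather than as relevance: the same report built by splitting each /etc/passwd record on ":" and testing the UID and shell fields by position, so a user name ending in "x" or a password field other than "x" does not affect the match. The function names and the audit2 line are made up for illustration; the other sample lines are copied from the test system posted above.

```shell
#!/bin/sh
# Added example: split passwd(5) records on ":" and test fields by position.
# Fields: 1=name 2=password 3=UID 4=GID 5=GECOS 6=home 7=shell

# Sample input: six lines copied from the thread's test system plus one
# constructed line (audit2) whose password field is "*" instead of "x".
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
nagios:x:104:105:User for Nagios:/var/lib/nagios:/bin/bash
walkup:x:1000:100::/home/walkup:/bin/bash
usbmux:x:109:65534:usbmuxd daemon:/var/lib/usbmuxd:/sbin/nologin
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
audit2:*:1001:100:constructed entry:/home/audit2:/bin/bash
EOF
}

# uid_range_users FILE [MIN] [MAX]: "name uid shell" for UIDs in MIN..MAX.
# FILE may be "-" to read standard input.
uid_range_users() {
    awk -F: -v min="${2:-1000}" -v max="${3:-60000}" '
        NF != 7 || $3 !~ /^[0-9]+$/ { next }   # skip comments, blanks, malformed
        ($3 + 0) >= min && ($3 + 0) <= max { print $1, $3, $7 }
    ' "$1"
}

# login_shell_users FILE: accounts of any UID whose shell is not a no-login stub.
# An empty shell field means the system default shell, so it is reported.
login_shell_users() {
    awk -F: '
        NF != 7 || $3 !~ /^[0-9]+$/ { next }
        $7 !~ /\/(false|nologin)$/ { print $1, $3, ($7 == "" ? "(default)" : $7) }
    ' "$1"
}

# On a Linux host, after sourcing this file:
#   uid_range_users /etc/passwd 1000 60000
#   login_shell_users /etc/passwd
```

The second function answers the "who has /bin/bash" question from the thread: on the sample it reports nagios (UID 104) alongside walkup, which a UID range alone leaves out.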