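************************************************************
Check /etc/passwd
************************************************************
EOF
# The four lines above are the tail of a here-document opened earlier in the
# script; they are kept verbatim, only restored to one line each.
#
# Account-change check: keep a snapshot of the /etc/passwd entries with
# UID >= 500 and compare it with the snapshot taken by the previous run.
# Any difference is written to the per-host report.
#
# Reads:  inspection_HOME (working directory), IP (report file name);
#         both are set outside this section.
# Writes: ${inspection_HOME}/passwd_user      snapshot taken by this run
#         ${inspection_HOME}/passwd_user_old  snapshot from the previous run
#         ${inspection_HOME}/result/${IP}.txt report (appended)
#
# NOTE(review): only entries with UID >= 500 are captured, so an added or
# modified account below that value (including a second UID 0 entry) is not
# reported by this check. Confirm that this scope is intended.
# NOTE(review): the baseline is replaced on every run, so a change is
# reported once and becomes the new baseline on the next run. The baseline
# can only be trusted as far as write access to ${inspection_HOME} is
# restricted - presumably to root; verify.
passwd_snapshot="${inspection_HOME}/passwd_user"
passwd_snapshot_old="${inspection_HOME}/passwd_user_old"
passwd_report="${inspection_HOME}/result/${IP}.txt"

if [ -f "${passwd_snapshot}" ]; then
  # The snapshot left by the previous run becomes the baseline.
  cp -- "${passwd_snapshot}" "${passwd_snapshot_old}"
else
  echo 'This is first Check. Touch a now file!' >> "${passwd_report}"
fi

# Always take a fresh snapshot. The original only wrote this file on the
# first run, so later runs compared two identical copies and could never
# detect a change. '>' (not '>>') keeps the snapshot from accumulating.
awk -F : '$3>=500 {print $0}' /etc/passwd > "${passwd_snapshot}"

# First run: there is no baseline yet, so the fresh snapshot seeds it.
if [ ! -f "${passwd_snapshot_old}" ]; then
  cp -- "${passwd_snapshot}" "${passwd_snapshot_old}"
fi

# Baseline first, current second: '>' lines are entries that appeared since
# the previous run, '<' lines are entries that disappeared or changed.
return_value=$(diff "${passwd_snapshot_old}" "${passwd_snapshot}")

# The original tested the literal string "return_value" (always non-empty)
# with the branches swapped, so it reported "no new user" on every run.
if [ -z "${return_value}" ]; then
  echo "/etc/passwd has not new user!" >> "${passwd_report}"
else
  echo "/etc/passwd has a new user!" >> "${passwd_report}"
  # Quoted, so the diff output keeps its line breaks in the report.
  printf '%s\n' "${return_value}" >> "${passwd_report}"
fi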
简单介绍一下思路：先备份 /etc/passwd 文件（脚本中只保存 UID 大于等于 500 的条目），再将备份的 passwd 文件与当前系统的 passwd 文件进行对比；如果有变化，则说明在两次检测的间隔中用户发生了变动。
转载于:https://blog.51cto.com/songknight/1274837