How to Monitor System User Account Changes

Monitor system user account changes on Linux servers. Track user account modifications, detect unauthorized account changes, verify account security, and set up automated user account monitoring with Zuzia.app.

Last updated: 2026-01-11

Need to monitor system user account changes on your Linux server? Want to track user account modifications, detect unauthorized account changes, and verify account security? This guide shows you how to monitor user account changes using built-in commands and automated monitoring with Zuzia.app.

For comprehensive user activity monitoring strategies, see User Activity and Authentication Logs Monitoring Guide. For troubleshooting authentication issues, see User Authentication Failures.

Why Monitoring User Account Changes Matters

User account changes affect system security and access control. When user accounts are modified unexpectedly, unauthorized access can be granted, security settings can be altered, and system security can be compromised. Monitoring user account changes helps you detect unauthorized modifications, track account history, maintain account security, and ensure only authorized account changes occur.

Method 1: Check User Account Status

Check user account status to see current account configuration:

View User Accounts

# List all user accounts
cat /etc/passwd

# View user account details
id username

# Check account lock status
passwd -S username

# View account expiration
chage -l username

Monitor Account Modifications

# View user account creation
# (auth.log is the Debian/Ubuntu path; RHEL-family systems log to /var/log/secure)
sudo grep "useradd\|new user" /var/log/auth.log

# View user account deletion
sudo grep "userdel\|delete user" /var/log/auth.log

# View password changes
sudo grep "password changed\|passwd" /var/log/auth.log

# View group modifications
sudo grep "groupadd\|groupdel\|groupmod" /var/log/auth.log
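
The greps above match any line that contains the keyword, including unrelated ones such as a sudo command that reads /etc/passwd. The following added example (not part of the original guide or of Zuzia.app) anchors on the syslog program tag and emits one normalized event per account change, including usermod group additions; the sample lines are constructed and assume the message formats written by shadow-utils and pam_unix on Debian/Ubuntu.

```bash
#!/usr/bin/env bash
# Added example: extract account-change events from auth.log-style lines.
# HDR anchors "<timestamp> <host> " at the start of the line (classic syslog or
# ISO 8601), so the program tag is only accepted in its proper position.
HDR='^([A-Z][a-z]{2} +[0-9]+ [0-9:]+|[0-9]{4}-[0-9]{2}-[0-9]{2}T[^ ]+) [^ ]+ '

account_events() {  # usage: account_events LOGFILE
  LC_ALL=C sed -nE \
    -e "s/${HDR}useradd\[[0-9]+\]: new user: name=([^,]+), UID=([0-9]+),.*/\1 USER_ADDED \2 uid=\3/p" \
    -e "s/${HDR}userdel\[[0-9]+\]: delete user '([^']+)'.*/\1 USER_DELETED \2/p" \
    -e "s/${HDR}usermod\[[0-9]+\]: add '([^']+)' to group '([^']+)'.*/\1 GROUP_MEMBER_ADDED \2 group=\3/p" \
    -e "s/${HDR}groupadd\[[0-9]+\]: new group: name=([^,]+), GID=([0-9]+).*/\1 GROUP_ADDED \2 gid=\3/p" \
    -e "s/${HDR}passwd\[[0-9]+\]: .*password changed for ([^ ]+).*/\1 PASSWORD_CHANGED \2/p" \
    "$1"
}

demo_events() {  # runs the extraction on constructed sample lines (not real logs)
  log=$(mktemp)
  cat > "$log" <<'EOF'
Jan 11 10:02:30 web01 groupadd[2210]: new group: name=alice, GID=1001
Jan 11 10:02:31 web01 useradd[2211]: new user: name=alice, UID=1001, GID=1001, home=/home/alice, shell=/bin/bash, from=/dev/pts/0
Jan 11 10:05:12 web01 usermod[2250]: add 'alice' to group 'sudo'
Jan 11 10:20:05 web01 passwd[2301]: pam_unix(passwd:chauthtok): password changed for alice
Jan 11 10:31:40 web01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/passwd
2026-01-11T11:00:02.120394+00:00 web01 userdel[2410]: delete user 'bob'
EOF
  account_events "$log"
  rm -f "$log"
}

demo_events
```

On a real server, run it as root against the log itself: account_events /var/log/auth.log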

Method 2: Detect Account Changes

Detect account changes to identify modifications:

Compare Account Files

# Compare current accounts with baseline
diff /etc/passwd /backup/passwd-baseline.txt

# Compare group files
diff /etc/group /backup/group-baseline.txt

# Check for new accounts
comm -13 <(sort /backup/passwd-baseline.txt) <(sort /etc/passwd)

# Check for deleted accounts
comm -23 <(sort /backup/passwd-baseline.txt) <(sort /etc/passwd)
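
diff and comm compare whole lines, so an account whose UID or shell was edited shows up as one "new" and one "deleted" line. The following added example (not part of the original guide or of Zuzia.app) compares the baseline and the current file per account and per field and marks any non-root entry with UID 0; the function names and the sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: field-aware comparison of a passwd baseline with the current file.
# Reports ADDED / REMOVED / CHANGED accounts and marks any non-root UID 0 entry.

passwd_changes() {  # usage: passwd_changes BASELINE CURRENT
  LC_ALL=C awk -F: '
    FILENAME == ARGV[1] { base[$1] = $0; next }   # first file: index the baseline by name
    {
      seen[$1] = 1
      flag = ($3 == 0 && $1 != "root") ? " [UID 0]" : ""
      if (!($1 in base)) { print "ADDED " $1 " uid=" $3 " shell=" $7 flag; next }
      if (base[$1] == $0) next                    # entry is unchanged
      split(base[$1], old, ":")
      msg = "CHANGED " $1
      if (old[2] != $2) msg = msg " password-field"
      if (old[3] != $3) msg = msg " uid:" old[3] "->" $3
      if (old[4] != $4) msg = msg " gid:" old[4] "->" $4
      if (old[5] != $5) msg = msg " gecos"
      if (old[6] != $6) msg = msg " home:" old[6] "->" $6
      if (old[7] != $7) msg = msg " shell:" old[7] "->" $7
      print msg flag
    }
    END { for (u in base) if (!(u in seen)) print "REMOVED " u }
  ' "$1" "$2" | LC_ALL=C sort
}

demo() {  # runs the comparison on constructed sample data (not real accounts)
  dir=$(mktemp -d)
  cat > "$dir/baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
  cat > "$dir/current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc:x:0:0::/home/svc:/bin/sh
EOF
  passwd_changes "$dir/baseline" "$dir/current"
  rm -rf "$dir"
}

demo
```

Against the files used in this guide: passwd_changes /backup/passwd-baseline.txt /etc/passwd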

Monitor Account Modifications

# Check account file modification time
stat /etc/passwd | grep Modify

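# View account files modified in the last 24 hours
# (-name takes a shell glob, not a regex, so each file is listed with -o)
sudo find /etc -maxdepth 1 \( -name passwd -o -name group -o -name shadow \) -mtime -1 -ls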

# Track account modifications
ls -lt /etc/passwd /etc/group /etc/shadow

Method 3: Verify Account Security

Verify account security to ensure accounts are properly configured:

Check Account Security Settings

# View account password policies
grep -E "PASS_MIN_LEN|PASS_MAX_DAYS|PASS_WARN_AGE" /etc/login.defs

# Check for accounts with no password (reading /etc/shadow requires root)
sudo awk -F: '($2 == "" ) {print $1}' /etc/shadow

# View accounts with UID 0
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Check account lock status (reading /etc/shadow requires root)
sudo awk -F: '($2 ~ /^!|^LOCKED/) {print $1}' /etc/shadow

Monitor Account Access

# View recent logins
last | head -20

# Check failed login attempts (lastb reads /var/log/btmp, which requires root)
sudo lastb | head -20

# View current logged-in users
who

# Monitor account activity
w

Method 4: Automated User Account Change Monitoring with Zuzia.app

While manual account change checks work for audits, production Linux servers require automated user account change monitoring that continuously tracks account modifications, detects unauthorized changes, and alerts you when account changes occur.

How Zuzia.app User Account Change Monitoring Works

Zuzia.app automatically monitors user account changes through scheduled command execution and file comparison. The platform checks account files, compares with baselines, detects changes, and sends alerts when account modifications are detected.

Setting Up User Account Change Monitoring

  1. Add Scheduled Task for Account File Monitoring

    • Command: stat -c %Y /etc/passwd
    • Frequency: Every 6 hours
    • Alert when: Account files modified

  2. Configure Account Change Detection

    • Command: diff /etc/passwd /backup/passwd-baseline.txt | head -20
    • Frequency: Every 12 hours
    • Alert when: Account changes detected

  3. Set Up Account Security Verification

    • Command: awk -F: '$3 == 0 {print $1}' /etc/passwd | wc -l
    • Frequency: Once daily
    • Alert when: Unauthorized root accounts detected

Custom User Account Monitoring Commands

Add these commands as scheduled tasks:

# Check for account changes
diff /etc/passwd /backup/passwd-baseline.txt

# Verify account security
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Monitor account modifications
grep -E "useradd|userdel|passwd" /var/log/auth.log | tail -10

# Check account file integrity (SHA-256 instead of MD5; /etc/shadow requires root)
sudo sha256sum /etc/passwd /etc/group /etc/shadow

Best Practices

1. Monitor Account Changes Continuously

Use Zuzia.app for continuous account change monitoring. Set up alerts before account issues become critical. Review account changes regularly.

2. Maintain Account Baselines

Keep accurate account baselines. Store baselines securely. Update baselines when authorized changes occur.

3. Verify Account Security

Monitor account security settings. Check for unauthorized accounts. Verify account access controls. Respond to account security issues quickly.

Troubleshooting

Unauthorized Account Changes Detected

When unauthorized changes are detected:

  1. Review account changes: diff /etc/passwd /backup/passwd-baseline.txt
  2. Identify modified accounts
  3. Verify changes are authorized
  4. Restore accounts if unauthorized

Account Security Issues

When account security issues occur:

  1. Check account security: awk -F: '$3 == 0 {print $1}' /etc/passwd
  2. Review account access: last | head -20
  3. Fix account security issues
  4. Verify account security restored

FAQ

For production servers, check account changes every 6-12 hours. Zuzia.app can check accounts automatically and alert when account changes are detected.

Monitor account creation, deletion, password changes, group modifications, and account security settings. Focus on changes that affect system security.

Yes, Zuzia.app can detect unauthorized changes by comparing account files with baselines, monitoring account modifications, tracking account security, and alerting when unauthorized changes are detected.

Note: The content above is part of our brainstorming and planning process. Not all described features are yet available in the current version of Zuzia.

If you'd like to achieve what's described in this article, please contact us – we'd be happy to work on it and tailor the solution to your needs.