Justin,
I think the crucial question is how AIX logs first time logins? (Or does it log them at all?) If you can find a log message (or series of messages) that represents this, then Splunk can alert on it.
If AIX does not provide this level of logging information, then perhaps you can script it (or get very close). Here's something that may work:
Can you write a script that looks at /etc/passwd and /etc/security/passwd and dumps a list of users with their flags and lastupdate values? When an AIX sysadmin changes a user's password, flags get ADMCHG set. When the user resets it, ADMCHG is cleared. That along with lastupdate could tell you when the user changed their password from an administrator-set one. This isn't strictly first-time logins - but it is a close approximation. Running this as a scripted input into Splunk would probably give you the information to be able to alert.
Ok so here's how I have it set up...
For users that are not local, I use Quest to capture login activity in the /var/adm/syslog/auth.log file.
Also I just want to capture if the /etc/password has been modified if a user was created locally.
Thank you! This may be as close as I can get to a solution. I'm going to see if this might do the trick.