检查系统是否有非法新创建的用户

************************************************************
                Check /etc/passwd
************************************************************
EOF
if [ -f ${inspection_HOME}/passwd_user ] ;then
        cp ${inspection_HOME}/passwd_user ${inspection_HOME}/passwd_user_old
fi
if [ ! -f ${inspection_HOME}/passwd_user ] ;then
        echo 'This is first Check. Touch a now file!' >> ${inspection_HOME}/result/${IP}.txt
        cat /etc/passwd | awk -F : '$3>=500 {print $0}' >> ${inspection_HOME}/passwd_user
        cp ${inspection_HOME}/passwd_user ${inspection_HOME}/passwd_user_old
fi
return_value=`diff ${inspection_HOME}/passwd_user ${inspection_HOME}/passwd_user_old`
if [ ! -z "return_value" ] ;then
        echo "/etc/passwd has not new user!" >> ${inspection_HOME}/result/${IP}.txt
else
        echo "/etc/passwd has a new user!" >> ${inspection_HOME}/result/${IP}.txt
        echo ${return_value}  >> ${inspection_HOME}/result/${IP}.txt
fi

简单介绍一下思路就是，备份/etc/passwd文件，利用备份后的passwd文件和当前系统的passwd文件进行对比，如果有变化，则说明在两次检测的间隔中出现了用户的修改。