Add auth data collector and update check last login script
Auth collector from either systemd logger or fallback /var/log/secure (old Amazon V1). Use this as primary last login source in check last login script
This commit is contained in:
Clemens Schwaighofer
2
auth-log/.gitignore
vendored
Normal file
2
auth-log/.gitignore
vendored
Normal file
@@ -0,0 +1,2 @@
|
||||
*
|
||||
!.gitignore
|
||||
@@ -20,6 +20,8 @@ delete_accounts="";
|
||||
user_group_tpl="deluser %s %s;adduser %s %s;";
|
||||
# log base folder
|
||||
LOG="${BASE_FOLDER}/../log";
|
||||
# auth log file user;date from collect_login_data script
|
||||
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
|
||||
|
||||
if [ $(whoami) != "root" ]; then
|
||||
echo "Script must be run as root user";
|
||||
@@ -54,22 +56,39 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
|
||||
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
|
||||
user_create_date=$(stat -c %Z "${home_dir}");
|
||||
fi;
|
||||
|
||||
# below only works if the user logged in, a lot of them are just file upload
|
||||
# users. Use the collect script from systemd-logind or /var/log/secure
|
||||
# Username Port From Latest
|
||||
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
|
||||
last_login_string=$(lastlog -u ${user} | sed 1d);
|
||||
search="Never logged in";
|
||||
# if we have "** Never logged in**" the user never logged in
|
||||
if [ ! -z "${last_login_string##*$search*}" ]; then
|
||||
found="";
|
||||
# problem with running rep check in if
|
||||
if [ -f "${AUTH_LOG}" ]; then
|
||||
found=$(grep "${user};" "${AUTH_LOG}");
|
||||
fi;
|
||||
if [ ! -z "${found}" ]; then
|
||||
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
|
||||
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
|
||||
if [ ${last_login} -gt ${max_age_login} ]; then
|
||||
out_string="[!] last ssh log in ${last_login} days ago";
|
||||
delete_user=1;
|
||||
else
|
||||
out_string="OK [ssh]";
|
||||
fi;
|
||||
elif [ ! -z "${last_login_string##*$search*}" ]; then
|
||||
# if we have "** Never logged in**" the user never logged in
|
||||
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
|
||||
# awk '{for(i=4;i<=NF;++i)printf $i FS}'
|
||||
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
|
||||
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
|
||||
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
|
||||
if [ ${last_login} -gt ${max_age_login} ]; then
|
||||
out_string="[!] last logged in ${last_login} days ago";
|
||||
out_string="[!] last terminal log in ${last_login} days ago";
|
||||
delete_user=1;
|
||||
else
|
||||
out_string="OK";
|
||||
out_string="OK [lastlog]";
|
||||
fi;
|
||||
elif [ ! -z "${user_create_date}" ]; then
|
||||
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
|
||||
@@ -81,7 +100,7 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
|
||||
out_string="[!] Never logged in, account created ${account_age} days ago";
|
||||
delete_user=1;
|
||||
else
|
||||
out_string="OK";
|
||||
out_string="OK [first login]";
|
||||
fi;
|
||||
else
|
||||
out_string="[!!!] Never logged in and we have no create date";
|
||||
|
||||
94
bin/collect_login_data.sh
Executable file
94
bin/collect_login_data.sh
Executable file
@@ -0,0 +1,94 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# * check we are root
|
||||
# if we are not root, bail out
|
||||
# if [ $(whoami) != "root" ]; then
|
||||
if [[ "$EUID" -ne "0" ]]; then
|
||||
echo "Must be run as root or with sudo command";
|
||||
exit;
|
||||
fi;
|
||||
|
||||
# base folder
|
||||
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
||||
# auth log file
|
||||
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
|
||||
if [ ! -f "${AUTH_LOG}" ]; then
|
||||
touch "${AUTH_LOG}";
|
||||
fi;
|
||||
# run full log check flag
|
||||
RUN_FULL_LOG=0;
|
||||
if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
|
||||
echo "[!!!] Run through all log files to collect data";
|
||||
RUN_FULL_LOG=1;
|
||||
fi;
|
||||
|
||||
# Collector script for login information via journalctl
|
||||
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
|
||||
readonly init_version=$(/proc/1/exe --version | head -n 1);
|
||||
if [ -z "${init_version##*systemd*}" ]; then
|
||||
LOG_TARGET="systemd";
|
||||
# for journalctl
|
||||
START_DATE=$(date +%F -d "1 day ago");
|
||||
END_DATE=$(date +%F);
|
||||
START_YEAR=$(date +%Y -d "1 day ago");
|
||||
OPT_START_DATE='';
|
||||
if [ $RUN_FULL_LOG -eq 0 ]; then
|
||||
OPT_START_DATE="-S ${START_DATE}";
|
||||
OPT_END_DATE="-U ${END_DATE}";
|
||||
fi;
|
||||
journalctl -u systemd-logind --no-pager ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
|
||||
while read line; do
|
||||
# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
|
||||
# date: 5 chars
|
||||
# time: 8 chars
|
||||
# hostname
|
||||
# systemd-logind pid ...
|
||||
# " of user <username>"
|
||||
# we want date + time + username
|
||||
# prefix year with start date year
|
||||
|
||||
# echo "L: $line";
|
||||
|
||||
# do we have a key entry, if not add new with last log date
|
||||
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
|
||||
# auth_date=$(echo "${line}" | cut -c 1-15 | date +"%F %T" -f -);
|
||||
# auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15)) | date +"%F %T" -f -;
|
||||
auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
|
||||
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
|
||||
# auth user has . at the end, remove that one
|
||||
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
|
||||
|
||||
# echo -n "USER: $auth_user | DATE: $auth_date";
|
||||
|
||||
# find auth user in current auth file
|
||||
# if not there attach, else replace date only
|
||||
found=$(grep "${auth_user};" "${AUTH_LOG}");
|
||||
if [ -z "${found}" ]; then
|
||||
# echo -n " | Write new";
|
||||
echo "${auth_user};${auth_date}" >> "${AUTH_LOG}";
|
||||
else
|
||||
# echo -n " | Replace old";
|
||||
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
|
||||
fi;
|
||||
# echo " [***]";
|
||||
done;
|
||||
else
|
||||
LOG_TARGET="syslog";
|
||||
# for secure/auth log
|
||||
START_DATE=$(date +"%b %e" -d "1 day ago")
|
||||
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
|
||||
while read line; do
|
||||
# Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
|
||||
auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15) | date +"%F %T" -f -);
|
||||
auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
|
||||
# find auth user in current auth file
|
||||
# if not there attach, else replace date only
|
||||
if [ -z grep "${auth_user}" "${AUTH_LOG}" ]; then
|
||||
cat "${auth_user};${auth_date}" >> "${AUTH_LOG}";
|
||||
else
|
||||
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
|
||||
fi;
|
||||
done;
|
||||
fi;
|
||||
|
||||
# __END__
|
||||
Reference in New Issue
Block a user