Add auth data collector and update check last login script

The auth collector reads from either the systemd logger or, as a fallback, /var/log/secure
(old Amazon V1).

Use this as the primary last-login source in the check-last-login script.
This commit is contained in:
Clemens Schwaighofer
2022-11-21 16:38:54 +09:00
parent 9f61b3c523
commit 27516a6474
3 changed files with 120 additions and 5 deletions


@@ -20,6 +20,8 @@ delete_accounts="";
user_group_tpl="deluser %s %s;adduser %s %s;";
# log base folder
LOG="${BASE_FOLDER}/../log";
# auth log file user;date from collect_login_data script
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ $(whoami) != "root" ]; then
echo "Script must be run as root user";
@@ -54,22 +56,39 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
user_create_date=$(stat -c %Z "${home_dir}");
fi;
# below only works if the user logged in, a lot of them are just file upload
# users. Use the collect script from systemd-logind or /var/log/secure
# Username Port From Latest
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
last_login_string=$(lastlog -u ${user} | sed 1d);
search="Never logged in";
# if we have "** Never logged in**" the user never logged in
if [ ! -z "${last_login_string##*$search*}" ]; then
found="";
# problem with running rep check in if
if [ -f "${AUTH_LOG}" ]; then
found=$(grep "${user};" "${AUTH_LOG}");
fi;
if [ ! -z "${found}" ]; then
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last ssh log in ${last_login} days ago";
delete_user=1;
else
out_string="OK [ssh]";
fi;
elif [ ! -z "${last_login_string##*$search*}" ]; then
# if we have "** Never logged in**" the user never logged in
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
# awk '{for(i=4;i<=NF;++i)printf $i FS}'
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last logged in ${last_login} days ago";
out_string="[!] last terminal log in ${last_login} days ago";
delete_user=1;
else
out_string="OK";
out_string="OK [lastlog]";
fi;
elif [ ! -z "${user_create_date}" ]; then
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
@@ -81,7 +100,7 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
out_string="[!] Never logged in, account created ${account_age} days ago";
delete_user=1;
else
out_string="OK";
out_string="OK [first login]";
fi;
else
out_string="[!!!] Never logged in and we have no create date";
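Review bot: In the second hunk, `found=$(grep "${user};" "${AUTH_LOG}")` and the matching `last_login_date=$(grep "${user};" ...` are unanchored substring matches, so a user named `bob` also matches a log line for `jbob;...` and inherits another account's last-login date; since this value feeds `delete_user=1`, a mismatch can keep a stale account or flag an active one. An exact field comparison avoids both the substring match and any regex interpretation of the user name: `found=$(awk -F';' -v u="${user}" '$1 == u' "${AUTH_LOG}")` and `last_login_date=$(awk -F';' -v u="${user}" '$1 == u {print $2}' "${AUTH_LOG}" | date +"%s" -f - | sort -n | tail -n 1)`. The `sort -n | tail -n 1` matters only if the collector can write more than one line per user, which this page does not show; without it a multi-line `last_login_date` silently breaks the `awk '{printf("%.0f\n",($1-$2)/$3)}'` here-string on the next line. The `if [ ${last_login} -gt ${max_age_login} ]` test should also quote both operands so an empty result from a failed `date` parse produces a visible error rather than an unset `out_string`. The enclosing `for user in ...` loop begins outside this hunk.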