ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add auth data collector and update check last login script

Browse Source 
Auth collector from either systemd logger or fallback /var/log/secure
(old Amazon V1).

Use this as primary last login source in check last login script
This commit is contained in:
Clemens Schwaighofer
2022-11-21 16:38:54 +09:00
parent 9f61b3c523
commit 27516a6474
3 changed files with 120 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
auth-log/.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
*
!.gitignore

29
bin/check_last_login.sh
View File

@@ -20,6 +20,8 @@ delete_accounts="";
user_group_tpl="deluser %s %s;adduser %s %s;"; user_group_tpl="deluser %s %s;adduser %s %s;";
# log base folder # log base folder
LOG="${BASE_FOLDER}/../log"; LOG="${BASE_FOLDER}/../log";
# auth log file user;date from collect_login_data script
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ $(whoami) != "root" ]; then if [ $(whoami) != "root" ]; then
echo "Script must be run as root user"; echo "Script must be run as root user";
@@ -54,22 +56,39 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout"; home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
user_create_date=$(stat -c %Z "${home_dir}"); user_create_date=$(stat -c %Z "${home_dir}");
fi; fi;
# below only works if the user logged in, a lot of them are just file upload
# users. Use the collect script from systemd-logind or /var/log/secure
# Username Port From Latest # Username Port From Latest
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022 # user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
last_login_string=$(lastlog -u ${user} | sed 1d); last_login_string=$(lastlog -u ${user} | sed 1d);
search="Never logged in"; search="Never logged in";
# if we have "** Never logged in**" the user never logged in found="";
if [ ! -z "${last_login_string##*$search*}" ]; then # problem with running rep check in if
if [ -f "${AUTH_LOG}" ]; then
found=$(grep "${user};" "${AUTH_LOG}");
fi;
if [ ! -z "${found}" ]; then
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last ssh log in ${last_login} days ago";
delete_user=1;
else
out_string="OK [ssh]";
fi;
elif [ ! -z "${last_login_string##*$search*}" ]; then
# if we have "** Never logged in**" the user never logged in
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4} # find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
# awk '{for(i=4;i<=NF;++i)printf $i FS}' # awk '{for(i=4;i<=NF;++i)printf $i FS}'
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -); last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s # date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}"); last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last logged in ${last_login} days ago"; out_string="[!] last terminal log in ${last_login} days ago";
delete_user=1; delete_user=1;
else else
out_string="OK"; out_string="OK [lastlog]";
fi; fi;
elif [ ! -z "${user_create_date}" ]; then elif [ ! -z "${user_create_date}" ]; then
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -); user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
@@ -81,7 +100,7 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
out_string="[!] Never logged in, account created ${account_age} days ago"; out_string="[!] Never logged in, account created ${account_age} days ago";
delete_user=1; delete_user=1;
else else
out_string="OK"; out_string="OK [first login]";
fi; fi;
else else
out_string="[!!!] Never logged in and we have no create date"; out_string="[!!!] Never logged in and we have no create date";

94
bin/collect_login_data.sh Executable file
View File

@@ -0,0 +1,94 @@
#!/usr/bin/env bash
# * check we are root
# if we are not root, bail out
# if [ $(whoami) != "root" ]; then
if [[ "$EUID" -ne "0" ]]; then
echo "Must be run as root or with sudo command";
exit;
fi;
# base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# auth log file
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ ! -f "${AUTH_LOG}" ]; then
touch "${AUTH_LOG}";
fi;
# run full log check flag
RUN_FULL_LOG=0;
if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
echo "[!!!] Run through all log files to collect data";
RUN_FULL_LOG=1;
fi;
# Collector script for login information via journalctl
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
readonly init_version=$(/proc/1/exe --version | head -n 1);
if [ -z "${init_version##*systemd*}" ]; then
LOG_TARGET="systemd";
# for journalctl
START_DATE=$(date +%F -d "1 day ago");
END_DATE=$(date +%F);
START_YEAR=$(date +%Y -d "1 day ago");
OPT_START_DATE='';
if [ $RUN_FULL_LOG -eq 0 ]; then
OPT_START_DATE="-S ${START_DATE}";
OPT_END_DATE="-U ${END_DATE}";
fi;
journalctl -u systemd-logind --no-pager ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
while read line; do
# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
# date: 5 chars
# time: 8 chars
# hostname
# systemd-logind pid ...
# " of user <username>"
# we want date + time + username
# prefix year with start date year
# echo "L: $line";
# do we have a key entry, if not add new with last log date
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
# auth_date=$(echo "${line}" | cut -c 1-15 | date +"%F %T" -f -);
# auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15)) | date +"%F %T" -f -;
auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
# auth user has . at the end, remove that one
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
# echo -n "USER: $auth_user | DATE: $auth_date";
# find auth user in current auth file
# if not there attach, else replace date only
found=$(grep "${auth_user};" "${AUTH_LOG}");
if [ -z "${found}" ]; then
# echo -n " | Write new";
echo "${auth_user};${auth_date}" >> "${AUTH_LOG}";
else
# echo -n " | Replace old";
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
fi;
# echo " [***]";
done;
else
LOG_TARGET="syslog";
# for secure/auth log
START_DATE=$(date +"%b %e" -d "1 day ago")
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
while read line; do
# Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15) | date +"%F %T" -f -);
auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
# find auth user in current auth file
# if not there attach, else replace date only
if [ -z grep "${auth_user}" "${AUTH_LOG}" ]; then
cat "${auth_user};${auth_date}" >> "${AUTH_LOG}";
else
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
fi;
done;
fi;
# __END__