ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move log parsing to function because it is the same for all check types

Browse Source
This commit is contained in:
Clemens Schwaighofer
2022-11-21 17:58:31 +09:00
parent ede5f1a2b8
commit 424277ff2e
1 changed files with 36 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
bin/collect_login_data.sh
View File

@@ -22,6 +22,37 @@ if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
RUN_FULL_LOG=1; RUN_FULL_LOG=1;
fi; fi;
function parseLog()
{
# do we have a key entry, if not add new with last log date
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
line="${1}";
auth_log="${2}";
debug="${3}";
START_YEAR=$(date +%Y -d "1 day ago");
# echo "L: $line";
auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
# auth user has . at the end, remove that one
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
# echo -n "USER: $auth_user | DATE: $auth_date";
# find auth user in current auth file
# if not there attach, else replace date only
found=$(grep "${auth_user};" "${auth_log}");
if [ -z "${found}" ]; then
# echo -n " | Write new";
echo "${auth_user};${auth_date}" >> "${auth_log}";
else
# echo -n " | Replace old";
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
fi;
# echo " [***]";
}
# Collector script for login information via journalctl # Collector script for login information via journalctl
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log # if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
readonly init_version=$(/proc/1/exe --version | head -n 1); readonly init_version=$(/proc/1/exe --version | head -n 1);
@@ -30,7 +61,6 @@ if [ -z "${init_version##*systemd*}" ]; then
# for journalctl # for journalctl
START_DATE=$(date +%F -d "1 day ago"); START_DATE=$(date +%F -d "1 day ago");
END_DATE=$(date +%F); END_DATE=$(date +%F);
START_YEAR=$(date +%Y -d "1 day ago");
OPT_START_DATE=''; OPT_START_DATE='';
if [ $RUN_FULL_LOG -eq 0 ]; then if [ $RUN_FULL_LOG -eq 0 ]; then
OPT_START_DATE="-S ${START_DATE}"; OPT_START_DATE="-S ${START_DATE}";
@@ -46,48 +76,15 @@ if [ -z "${init_version##*systemd*}" ]; then
# " of user <username>" # " of user <username>"
# we want date + time + username # we want date + time + username
# prefix year with start date year # prefix year with start date year
parseLog "${line}" "${AUTH_LOG}" 0;
# echo "L: $line";
# do we have a key entry, if not add new with last log date
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
# auth_date=$(echo "${line}" | cut -c 1-15 | date +"%F %T" -f -);
# auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15)) | date +"%F %T" -f -;
auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
# auth user has . at the end, remove that one
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
# echo -n "USER: $auth_user | DATE: $auth_date";
# find auth user in current auth file
# if not there attach, else replace date only
found=$(grep "${auth_user};" "${AUTH_LOG}");
if [ -z "${found}" ]; then
# echo -n " | Write new";
echo "${auth_user};${auth_date}" >> "${AUTH_LOG}";
else
# echo -n " | Replace old";
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
fi;
# echo " [***]";
done; done;
else else
LOG_TARGET="syslog"; LOG_TARGET="syslog";
# for secure/auth log # for secure/auth log
if [ $RUN_FULL_LOG -eq 0 ]; then if [ $RUN_FULL_LOG -eq 1 ]; then
bunzip -ck /var/log/secure*.bz2 | grep ": session opened for user" | bunzip2 -ck /var/log/secure*.bz2 | grep ": session opened for user" |
while read line; do while read line; do
# Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0) parseLog "${line}" "${AUTH_LOG}" 0;
auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15) | date +"%F %T" -f -);
auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
# find auth user in current auth file
# if not there attach, else replace date only
if [ -z grep "${auth_user}" "${AUTH_LOG}" ]; then
cat "${auth_user};${auth_date}" >> "${AUTH_LOG}";
else
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
fi;
done; done;
# read all # read all
START_DATE="sshd" START_DATE="sshd"
@@ -96,16 +93,7 @@ else
fi; fi;
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
while read line; do while read line; do
# Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0) parseLog "${line}" "${AUTH_LOG}" 0;
auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15) | date +"%F %T" -f -);
auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
# find auth user in current auth file
# if not there attach, else replace date only
if [ -z grep "${auth_user}" "${AUTH_LOG}" ]; then
cat "${auth_user};${auth_date}" >> "${AUTH_LOG}";
else
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
fi;
done; done;
fi; fi;