Update collector script with debug output, list rejected ssh users
In the check script, print out the currently rejected (not allowed) ssh users.
The collect log info script now has debug output and proper option flags.
Readme.md (46 lines changed)
@@ -21,6 +21,7 @@ Alternate download: `git clone http://gitlab-ap.factory.tools/scripts-collection
## Folders

Inside the base folder there are

* ssh-keygen for temporary holding the PEM/PUB files
* zip file which holds the created user list, password and PEM/PUB files

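Review bot: the new `zip file` bullet describes an archive that bundles the created user list, the passwords and the PEM/PUB key files in one place, but nothing here says how that archive is protected. Add a sentence stating the file mode it is created with (root-only) and that it is to be deleted once the credentials have been handed out, since one readable zip leaks every generated password and private key at once.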
@@ -56,7 +57,8 @@ It can also be left empty. It is not used at the moment
The file can hold comments. The first character in the line must be a *#*

Example file
```

```csv
user1;some.name;group-a;;hostname
user2;othername;group-a;;
# I am a comment
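Review bot: style: the added blank line between the removed plain fence and the new `csv` fence separates the 'Example file' caption from its block; the same blank line is added to every example in this commit, so keep them consistent. Since this example is the only place the column order of the five `;`-separated fields is shown, a line above it naming the fields would make `user2;othername;group-a;;` (two empty trailing fields) self-explanatory.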
@@ -99,7 +101,8 @@ Then run the script without any options
`$> /root/bin/user_create.sh`

Sample output for above example file
```

```txt
++ Create 'some.name:group-a'
> Create ssh key-pair '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem'
Generating public/private rsa key pair.
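Review bot: the sample output names the generated key `.../hostname#group-a#some.name#ed25519.pem` but the very next line says `Generating public/private rsa key pair.`; one of the two is wrong. If `user_create.sh` calls `ssh-keygen -t ed25519` the line should read `Generating public/private ed25519 key pair.`, otherwise the `ed25519` in the file name misleads whoever later inspects the keys. Re-capture the output from a real run and make the example match whichever type the script actually passes.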
@@ -125,7 +128,8 @@ The key's randomart image is:
```

If the public pem file is already provided the output will be a bit different
```

```txt
++ Create 'some.name:group-a'
< Use existing public ssh key '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub'
> Create .ssh folder
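Review bot: 'If the public pem file is already provided' should say where it must be placed and how it must be named; the only hint is the path in the `< Use existing public ssh key '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub'` line, so spell out the `ssh-keygen` folder and the `host#group#user#type.pem.pub` pattern in the prose. Worth adding that only the `.pub` half is needed, so a key the user generated themselves never requires the private file on the server.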
@@ -136,7 +140,8 @@ If the public pem file is already provided the output will be a bit different
There is no SSH key generate output but *Use existing public ssh key* information line

If the user has been created, the creating will be skipped
```

```txt
-- Skip 'some.name:group-a'
```

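Review bot: 'If the user has been created, the creating will be skipped' should read 'If the user already exists, creation is skipped', and the paragraph should say whether the skip also leaves the existing user's authorized key and group membership untouched; the single `-- Skip 'some.name:group-a'` line does not tell the operator that.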
@@ -145,7 +150,8 @@ If the user has been created, the creating will be skipped
The generated users and the passwords are stored in the '*user_password.YYYYMMDD-hhmmss.txt*' file

For above the output will be
```

```csv
2020-11-27 13:51:01;sever.hostname.org;hostname;some.name;Aeh9uph8Oo
2020-11-27 13:51:02;sever.hostname.org;;othername;AePejoo9ch
2020-11-27 13:51:02;sever.hostname.org;;username;setpassword
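Review bot: `user_password.YYYYMMDD-hhmmss.txt` as shown holds initial passwords in clear text (`Aeh9uph8Oo`, `AePejoo9ch`) next to the user name and host; document the file mode it is written with and that it must be removed once the credentials are handed over, otherwise it outlives the zip mentioned in the Folders section. `sever.hostname.org` in all three sample lines looks like a typo for `server.hostname.org` (it recurs in the next hunk), and the `setpassword` value on the `username` line should be explained, since it reads as a literal placeholder rather than a generated password.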
@@ -155,7 +161,8 @@ Note that the *sever.hostname.org* is set from the hostname of the server where
The name *hostname* is set if the hostname field in hser `user_list.txt` file is set

If a existing pem public key is used, the entry for a new user will be
```

```csv
2020-11-27 13:53:18;sever.hostname.org;;some.name;[ALREADY SET]
```

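Review bot: 'in hser `user_list.txt` file' should be 'in the `user_list.txt` file' and 'If a existing pem public key' should be 'If an existing'. The `[ALREADY SET]` marker in the password column is the right thing to record, but say explicitly what it means for the account (no password generated, or an existing one left untouched), because every other line in this file carries a clear-text password in that position.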
@@ -181,7 +188,6 @@ The SSH PEM key password can be reset or changed with
To remove the password use this `-N ""`

**NOTE**

If the command is used like this it will be stored in the history file.
For scurity reason it is recommended to not give the -P and -N options when changing the password.

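Review bot: 'For scurity reason' should be 'For security reasons'. The warning is right and could be stronger: `-P`/`-N` on the command line land in the shell history and are also visible to every local user in `ps` while `ssh-keygen` runs, so show the interactive form (`ssh-keygen -p -f [PEM].pem`, which prompts for the old and new passphrase) as the recommended one and keep the `-N ""` example only with an explicit note that it removes all protection from the private key file.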
@@ -192,3 +198,29 @@ The public key part can be extracted from the SSH PEM key with
`$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub`

*[PEM]* is the placeholder for the filename

## Last login check scripts

There are two scripts that can be user to check if and when the user has logged in the last time.

Because of users who do not open shells (for example sftp users) we cannot rely on lastlog, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data.

Data is stored in `auth-log/user_auth.log` folder as `user;last login date`

This script should be run every day via crontab as root:

```crontab
0 1 * * * root /root/users/bin/collect_login_data.sh
```

The script `check_last_login.sh` will go through the sshallow groups users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.

This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created.

Currently only information is printed out and no action is done itself.

The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended

```crontab
0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "$(hostname): user account check"
```

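Review bot: the second crontab line pipes into `mail -s "$(hostname): user account check"` with no recipient, so `mail` has nobody to deliver to and the monthly report is lost; add an address (`... | mail -s "..." root`, or a real mailbox). Both lines use the six-field `/etc/crontab` / `/etc/cron.d` layout with a user column, which a `crontab -e` entry for root must not have, so say which file they belong in. The prose needs 'can be user' -> 'can be used', 'recomment' -> 'recommend', 'where created' -> 'were created', 'home director' -> 'home directory', and `auth-log/user_auth.log` is a file, not a folder. Finally, this commit gives `collect_login_data.sh` `-f` and `-d` options (see the `getopts ":fd"` hunk below) but the new section does not mention either; document the flags next to the crontab example.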
@@ -111,6 +111,11 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
fi;
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
done;
echo "--------------------->"
echo "Showing current SSH Reject users:"
for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
echo "${user}";
done;
if [ ! -z "${delete_accounts}" ]; then
echo "--------------------->"
echo "% Run list below to move users to reject ssh group";

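Review bot: the new loop copies the `cat /etc/group|grep "${ssh_reject_group}:"` pattern from the loop above, and it has the same two problems: the match is not anchored, so a group whose name merely ends in the reject group's name also matches, and the fourth field of `/etc/group` lists only supplementary members, so a user whose primary group is the reject group is never printed. Use `getent group "${ssh_reject_group}" | cut -d: -f4 | tr ',' ' '` (exact name match, and it honours NSS sources other than `/etc/group`), and either state in the output that primary-group members are not covered or add a `getent passwd` pass keyed on the group's gid.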
@@ -15,12 +15,36 @@ AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ ! -f "${AUTH_LOG}" ]; then
touch "${AUTH_LOG}";
fi;
# run full log check flag
# debug flag
DEBUG=0;
# check all logs flag
RUN_FULL_LOG=0;
if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
echo "[!!!] Run through all log files to collect data";
RUN_FULL_LOG=1;
fi;
# option parsing
while getopts ":fd" opt; do
case "${opt}" in
f|full)
echo "[!!!] Run through all log files to collect data";
RUN_FULL_LOG=1;
;;
d|deubg)
DEBUG=1;
;;
esac;
done;

function prD()
{
message="${1}";
debug=${2:-0};
lb_off=${3:-0};
if [ ${debug} -eq 1 ]; then
if [ ${lb_off} -eq 1 ]; then
echo -n "${message}";
else
echo "${message}";
fi;
fi;
}

function parseLog()
{
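Review bot: `getopts ":fd"` only ever sets `opt` to a single character, so the `full` and `deubg` alternatives in `f|full)` and `d|deubg)` can never match (and `deubg` is a typo); drop them, or switch to `getopt` if long options are wanted. There is also no `\?`/`*` arm, so an unknown option is silently ignored instead of rejected, and no `shift $((OPTIND - 1))` after the loop. If the positional `FULL` check (`[ "${1}" = "FULL" ]`) is being replaced by `-f`, any existing cron entry or wrapper still passing `FULL` will silently fall back to an incremental run; either keep accepting `FULL` for one release or call the change out in the Readme. In `prD`, `message`, `debug` and `lb_off` are assigned as globals; since `parseLog` also uses a `debug` variable, declare them `local` so the helper cannot clobber its caller.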
@@ -30,9 +54,9 @@ function parseLog()
auth_log="${2}";
start_year="${3}";
logger="${4}";
debug="${5}";
debug=${5:-0};

# echo "L: $line";
#prD "Line: $line" ${debug};
# auth user has . at the end, remove that one
if [ "${logger}" = "systemd" ]; then
# 2022-11-18T20:04:08+0900
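Review bot: `# echo "L: $line";` is swapped for `#prD "Line: $line" ${debug};`, which is still commented-out code; now that a debug flag exists, either make it a live `prD` call or delete it. The positional copies `auth_log`, `start_year`, `logger` and `debug` are not declared `local`, so they leak into the caller's scope; `local debug=${5:-0};` and friends fix that at no cost.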
@@ -44,21 +68,25 @@ function parseLog()
fi;
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);

# echo -n "USER: $auth_user | DATE: $auth_date";

# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
prD "${msg}" ${debug} 1;
# find auth user in current auth file
# if not there attach, else replace date only
found=$(grep "${auth_user};" "${auth_log}");
if [ -z "${found}" ]; then
# echo -n " | Write new";
prD " | Write new" ${debug};
echo "${auth_user};${auth_date}" >> "${auth_log}";
else
# echo -n " | Replace old";
prD " | Replace old" ${debug};
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
fi;
# echo " [***]";
}

printf -v msg "Run date: %s %s" $(date +"%F %T")
prD "${msg}" ${DEBUG};

# Collector script for login information via journalctl
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
readonly init_version=$(/proc/1/exe --version | head -n 1);
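Review bot: `found=$(grep "${auth_user};" "${auth_log}")` and `sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/"` both treat the user name as an unanchored regular expression: a name that is a suffix of another (`ob` matches `bob;`) updates the wrong record, and a `.`, `*` or `/` in the name (the code already has to strip a trailing `.`) changes the pattern or breaks the `s///` delimiter. Anchor both with `^` (`grep "^${auth_user};"`, `s/^${auth_user};.*$/...`), and since the name comes straight from log text, validate it against `^[A-Za-z0-9._-]+$` before it reaches `sed`, or do the update in `awk -v user=... -v date=...` where the value is never interpolated into a pattern. Minor: `printf -v msg "Run date: %s %s" $(date +"%F %T")` relies on word splitting to feed two `%s`; `printf -v msg "Run date: %s" "$(date +'%F %T')"` says what it means. Also `sed -i` rewrites `${auth_log}` once per matched log line, which will be slow on a full `-f` run; collecting into an associative array and writing the file once at the end avoids that.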
@@ -84,7 +112,7 @@ if [ -z "${init_version##*systemd*}" ]; then
# " of user <username>"
# we want date + time + username
# prefix year with start date year
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
else
LOG_TARGET="syslog";
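Review bot: `${DEBUG}` is the only unquoted argument in this `parseLog` call (same in the two syslog loops below); quote it as `"${DEBUG}"` for consistency, even though it is always `0` or `1`. The three `while read line; do parseLog ...; done` loops now differ only in their input stream, so the argument list this change had to edit three times could live in one wrapper, e.g. `collectFrom() { while IFS= read -r line; do parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"; done; }`, fed by each pipeline.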
@@ -96,7 +124,7 @@ else
START_YEAR=$(date +%Y -d @${tz});
bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
done;
# read all
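Review bot: `START_YEAR=$(date +%Y -d @${tz})` takes the year from the rotated file's timestamp, but a log rotated in early January still holds December entries, so those get recorded in `user_auth.log` with the new year; derive the year per line (if the entry's month is later than the month of the file timestamp, subtract one) or switch the syslog template to ISO timestamps that carry the year. Also `while read line` should be `while IFS= read -r line` so backslashes and leading blanks in the log line survive, and the `grep " by (uid=0)"` filter deserves a comment that it intentionally keeps only sessions opened by a root-owned daemon such as sshd.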
@@ -105,7 +133,7 @@ else
START_YEAR=$(date +%Y -d "1 day ago");
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
fi;

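Review bot: `cat /var/log/secure | grep "${START_DATE}" | ... | while read line` should be `grep "${START_DATE}" /var/log/secure | ... | while IFS= read -r line`: besides the useless `cat`, `read` without `-r` mangles backslashes, and the pipeline runs `parseLog` in a subshell, which only works here because the function writes to `${AUTH_LOG}` directly rather than into a variable. `/var/log/secure` is also hard-coded while the comment above says the fallback covers `/var/log/secure` or `/var/log/auth.log`; either probe for both files or drop the claim.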