diff --git a/Readme.md b/Readme.md index 996e725..421f763 100644 --- a/Readme.md +++ b/Readme.md @@ -21,6 +21,7 @@ Alternate download: `git clone http://gitlab-ap.factory.tools/scripts-collection ## Folders Inside the base folder there are + * ssh-keygen for temporary holding the PEM/PUB files * zip file which holds the created user list, password and PEM/PUB files @@ -56,7 +57,8 @@ It can also be left empty. It is not used at the moment The file can hold comments. The first character in the line must be a *#* Example file -``` + +```csv user1;some.name;group-a;;hostname user2;othername;group-a;; # I am a comment @@ -99,7 +101,8 @@ Then run the script without any options `$> /root/bin/user_create.sh` Sample output for above example file -``` + +```txt ++ Create 'some.name:group-a' > Create ssh key-pair '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem' Generating public/private rsa key pair. @@ -125,7 +128,8 @@ The key's randomart image is: ``` If the public pem file is already provided the output will be a bit different -``` + +```txt ++ Create 'some.name:group-a' < Use existing public ssh key '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub' > Create .ssh folder @@ -136,7 +140,8 @@ If the public pem file is already provided the output will be a bit different There is no SSH key generate output but *Use existing public ssh key* information line If the user has been created, the creating will be skipped -``` + +```txt -- Skip 'some.name:group-a' ``` @@ -145,7 +150,8 @@ If the user has been created, the creating will be skipped The generated users and the passwords are stored in the '*user_password.YYYYMMDD-hhmmss.txt*' file For above the output will be -``` + +```csv 2020-11-27 13:51:01;sever.hostname.org;hostname;some.name;Aeh9uph8Oo 2020-11-27 13:51:02;sever.hostname.org;;othername;AePejoo9ch 2020-11-27 13:51:02;sever.hostname.org;;username;setpassword 
@@ -155,7 +161,8 @@ Note that the *sever.hostname.org* is set from the hostname of the server where The name *hostname* is set if the hostname field in hser `user_list.txt` file is set If a existing pem public key is used, the entry for a new user will be -``` + +```csv 2020-11-27 13:53:18;sever.hostname.org;;some.name;[ALREADY SET] ``` @@ -181,7 +188,6 @@ The SSH PEM key password can be reset or changed with To remove the password use this `-N ""` **NOTE** - If the command is used like this it will be stored in the history file. For scurity reason it is recommended to not give the -P and -N options when changing the password. 
@@ -192,3 +198,29 @@ The public key part can be extracted from the SSH PEM key with `$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub` *[PEM]* is the placeholder for the filename + +## Last login check scripts + +There are two scripts that can be user to check if and when the user has logged in the last time. + +Because of users who do not open shells (for example sftp users) we cannot rely on lastlog, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data. + +Data is stored in `auth-log/user_auth.log` folder as `user;last login date` + +This script should be run every day via crontab as root: + +```crontab +0 1 * * * root /root/users/bin/collect_login_data.sh +``` + +The script `check_last_login.sh` will go through the sshallow groups users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too. + +This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created. + +Currently only information is printed out and no action is done itself. + +The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended + +```crontab +0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "$(hostname): user account check" +``` diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh index 8625b4d..9ef49fe 100755 --- a/bin/check_last_login.sh +++ b/bin/check_last_login.sh 
@@ -111,6 +111,11 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
 	fi;
 	printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
 done;
+echo "--------------------->"
+echo "Showing current SSH Reject users:"
+for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
+	echo "${user}";
+done;
 if [ ! -z "${delete_accounts}" ]; then
 	echo "--------------------->"
 	echo "% Run list below to move users to reject ssh group";
diff --git a/bin/collect_login_data.sh b/bin/collect_login_data.sh
index 1e27e00..0a5e1ce 100755
--- a/bin/collect_login_data.sh
+++ b/bin/collect_login_data.sh
@@ -15,12 +15,36 @@ AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 if [ ! -f "${AUTH_LOG}" ]; then
 	touch "${AUTH_LOG}";
 fi;
-# run full log check flag
+# debug flag
+DEBUG=0;
+# check all logs flag
 RUN_FULL_LOG=0;
-if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
-	echo "[!!!] Run through all log files to collect data";
-	RUN_FULL_LOG=1;
-fi;
+# option parsing
+while getopts ":fd" opt; do
+	case "${opt}" in
+		f|full)
+			echo "[!!!] Run through all log files to collect data";
+			RUN_FULL_LOG=1;
+			;;
+		d|deubg)
+			DEBUG=1;
+			;;
+	esac;
+done;
+
+function prD()
+{
+	message="${1}";
+	debug=${2:-0};
+	lb_off=${3:-0};
+	if [ ${debug} -eq 1 ]; then
+		if [ ${lb_off} -eq 1 ]; then
+			echo -n "${message}";
+		else
+			echo "${message}";
+		fi;
+	fi;
+}
 
 function parseLog()
 {
@@ -30,9 +54,9 @@ function parseLog()
 	auth_log="${2}";
 	start_year="${3}";
 	logger="${4}";
-	debug="${5}";
+	debug=${5:-0};
 
-	# echo "L: $line";
+	#prD "Line: $line" ${debug};
 	# auth user has . at the end, remove that one
 	if [ "${logger}" = "systemd" ]; then
 		# 2022-11-18T20:04:08+0900
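Review bot: The new reject-group loop greps /etc/group for `${ssh_reject_group}:` without anchoring, so any other group whose name ends in the same text is matched too and its members are printed as "current SSH Reject users"; the existing loop visible in the hunk header uses the same unanchored pattern. Since this listing is what an operator reads before moving accounts, a mislisted user can be locked by mistake. Query the group by name instead: `for user in $(getent group "${ssh_reject_group}" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do`.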
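Review bot: `getopts` only ever delivers a single option character, so the `full` and `deubg` (typo) alternatives in the `case` arms are dead patterns, and the loop has no `\?` arm, so an unknown option is silently ignored. Callers that still pass the old positional `FULL` argument accepted by the removed lines now get a default, non-full run with no warning; use `f)` and `d)`, add `\?) echo "Unknown option: -${OPTARG}" >&2; exit 1 ;;`, and after the loop `shift $((OPTIND - 1))` and reject any leftover arguments. In `prD` the variables `message`, `debug` and `lb_off` are assigned without `local`, so every call clobbers the caller's globals of the same name (`parseLog` also uses a global `debug`); declaring them `local` removes that coupling.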
@@ -44,21 +68,25 @@ function parseLog()
 	fi;
 	auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
 
-	# echo -n "USER: $auth_user | DATE: $auth_date";
-
+	# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
+	# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
+	printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
+	prD "${msg}" ${debug} 1;
 	# find auth user in current auth file
 	# if not there attach, else replace date only
 	found=$(grep "${auth_user};" "${auth_log}");
 	if [ -z "${found}" ]; then
-		# echo -n " | Write new";
+		prD " | Write new" ${debug};
 		echo "${auth_user};${auth_date}" >> "${auth_log}";
 	else
-		# echo -n " | Replace old";
+		prD " | Replace old" ${debug};
 		sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
 	fi;
-	# echo " [***]";
 }
 
+printf -v msg "Run date: %s %s" $(date +"%F %T")
+prD "${msg}" ${DEBUG};
+
 # Collector script for login information via journalctl
 # if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
 readonly init_version=$(/proc/1/exe --version | head -n 1);
@@ -84,7 +112,7 @@ if [ -z "${init_version##*systemd*}" ]; then
 		# " of user "
 		# we want date + time + username
 		# prefix year with start date year
-		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
+		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 	done;
 else
 	LOG_TARGET="syslog";
@@ -96,7 +124,7 @@ else
 		START_YEAR=$(date +%Y -d @${tz});
 		bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" | while read line;
 		do
-			parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
+			parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 		done;
 	done;
 	# read all
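Review bot: `printf -v msg "Run date: %s %s" $(date +"%F %T")` depends on unquoted word-splitting of the command substitution to fill two `%s` slots (ShellCheck SC2046); `printf -v msg "Run date: %s" "$(date +"%F %T")"` gives the same text with the expansion quoted. The new "Write new"/"Replace old" debug messages also describe the unchanged lookup next to them, which is unanchored: `grep "${auth_user};"` and the `sed` substitution match anywhere in the line, so a user name that is a suffix of another (a constructed example: `bob` against an existing `alicebob;…` entry) takes the "Replace old" branch, rewrites the other user's last-login date and never records its own. Anchoring both with `^` (`found=$(grep "^${auth_user};" "${auth_log}")` and `sed -i "s/^${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}"`) keeps user_auth.log, which check_last_login.sh reads to decide which accounts to lock, attributable to the right user; this is pre-existing but the commit touches both branches.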
@@ -105,7 +133,7 @@ else
 	START_YEAR=$(date +%Y -d "1 day ago");
 	cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" | while read line;
 	do
-		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
+		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 	done;
 fi;