Update collector script with debug output, list rejected ssh users
In the check script print out current rejected (not allowed) ssh users Collect log info script has now debug output and proper options flags
This commit is contained in:
Clemens Schwaighofer
46
Readme.md
46
Readme.md
@@ -21,6 +21,7 @@ Alternate download: `git clone http://gitlab-ap.factory.tools/scripts-collection
|
||||
## Folders
|
||||
|
||||
Inside the base folder there are
|
||||
|
||||
* ssh-keygen for temporary holding the PEM/PUB files
|
||||
* zip file which holds the created user list, password and PEM/PUB files
|
||||
|
||||
@@ -56,7 +57,8 @@ It can also be left empty. It is not used at the moment
|
||||
The file can hold comments. The first character in the line must be a *#*
|
||||
|
||||
Example file
|
||||
```
|
||||
|
||||
```csv
|
||||
user1;some.name;group-a;;hostname
|
||||
user2;othername;group-a;;
|
||||
# I am a comment
|
||||
@@ -99,7 +101,8 @@ Then run the script without any options
|
||||
`$> /root/bin/user_create.sh`
|
||||
|
||||
Sample output for above example file
|
||||
```
|
||||
|
||||
```txt
|
||||
++ Create 'some.name:group-a'
|
||||
> Create ssh key-pair '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem'
|
||||
Generating public/private rsa key pair.
|
||||
@@ -125,7 +128,8 @@ The key's randomart image is:
|
||||
```
|
||||
|
||||
If the public pem file is already provided the output will be a bit different
|
||||
```
|
||||
|
||||
```txt
|
||||
++ Create 'some.name:group-a'
|
||||
< Use existing public ssh key '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub'
|
||||
> Create .ssh folder
|
||||
@@ -136,7 +140,8 @@ If the public pem file is already provided the output will be a bit different
|
||||
There is no SSH key generate output but *Use existing public ssh key* information line
|
||||
|
||||
If the user has been created, the creating will be skipped
|
||||
```
|
||||
|
||||
```txt
|
||||
-- Skip 'some.name:group-a'
|
||||
```
|
||||
|
||||
@@ -145,7 +150,8 @@ If the user has been created, the creating will be skipped
|
||||
The generated users and the passwords are stored in the '*user_password.YYYYMMDD-hhmmss.txt*' file
|
||||
|
||||
For above the output will be
|
||||
```
|
||||
|
||||
```csv
|
||||
2020-11-27 13:51:01;sever.hostname.org;hostname;some.name;Aeh9uph8Oo
|
||||
2020-11-27 13:51:02;sever.hostname.org;;othername;AePejoo9ch
|
||||
2020-11-27 13:51:02;sever.hostname.org;;username;setpassword
|
||||
@@ -155,7 +161,8 @@ Note that the *sever.hostname.org* is set from the hostname of the server where
|
||||
The name *hostname* is set if the hostname field in hser `user_list.txt` file is set
|
||||
|
||||
If a existing pem public key is used, the entry for a new user will be
|
||||
```
|
||||
|
||||
```csv
|
||||
2020-11-27 13:53:18;sever.hostname.org;;some.name;[ALREADY SET]
|
||||
```
|
||||
|
||||
@@ -181,7 +188,6 @@ The SSH PEM key password can be reset or changed with
|
||||
To remove the password use this `-N ""`
|
||||
|
||||
**NOTE**
|
||||
|
||||
If the command is used like this it will be stored in the history file.
|
||||
For scurity reason it is recommended to not give the -P and -N options when changing the password.
|
||||
|
||||
@@ -192,3 +198,29 @@ The public key part can be extracted from the SSH PEM key with
|
||||
`$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub`
|
||||
|
||||
*[PEM]* is the placeholder for the filename
|
||||
|
||||
## Last login check scripts
|
||||
|
||||
There are two scripts that can be user to check if and when the user has logged in the last time.
|
||||
|
||||
Because of users who do not open shells (for example sftp users) we cannot rely on lastlog, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data.
|
||||
|
||||
Data is stored in `auth-log/user_auth.log` folder as `user;last login date`
|
||||
|
||||
This script should be run every day via crontab as root:
|
||||
|
||||
```crontab
|
||||
0 1 * * * root /root/users/bin/collect_login_data.sh
|
||||
```
|
||||
|
||||
The script `check_last_login.sh` will go through the sshallow groups users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.
|
||||
|
||||
This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created.
|
||||
|
||||
Currently only information is printed out and no action is done itself.
|
||||
|
||||
The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended
|
||||
|
||||
```crontab
|
||||
0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "$(hostname): user account check"
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user