AWS accunt scripts, deploy akamai scripts
A new last logged in, last created script has been added to check which users we have to disable. - checks in group sshallow - if last login older than 60days, remove account from ssh group - if we have account create date, check if never logged in and older than 30 days, remove account from ssh group Both dates can be set separate Update create script to add create date in Y-m-d (%F) format as comment to the passwd file Also add user to sshallow group (group always exists, is created on server creation)
This commit is contained in:
Clemens Schwaighofer
80
bin/check_last_login.sh
Executable file
80
bin/check_last_login.sh
Executable file
@@ -0,0 +1,80 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Checks for last access of users in sshallow group
|
||||
# if user login >30days, remoe user from sshallow group and write log
|
||||
|
||||
# which group holds the ssh allowed login users (outside of admin users)
|
||||
ssh_group='sshallow';
|
||||
# date now for compare
|
||||
now=$(date +"%s");
|
||||
# max age for last login or account create without login
|
||||
max_age_login=60;
|
||||
max_age_create=30;
|
||||
# one day in seconds
|
||||
day=86400;
|
||||
# delete account strings
|
||||
delete_accounts="";
|
||||
|
||||
if [ $(whoami) != "root" ]; then
|
||||
echo "Script must be run as root user";
|
||||
exit;
|
||||
fi;
|
||||
echo "[START] =============>";
|
||||
echo "Max age last login: ${max_age_login} days";
|
||||
echo "Max age no login : ${max_age_create} days";
|
||||
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
|
||||
# for user in clemens test42; do
|
||||
account_age=0;
|
||||
out_string="";
|
||||
#echo "* Checking user ${user}";
|
||||
# check user create time, if we have set it in comment
|
||||
user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
|
||||
# if empty try last password set time
|
||||
if [ -z "${user_create_date}" ]; then
|
||||
# user L 11/09/2020 0 99999 7 -1
|
||||
user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
|
||||
fi;
|
||||
# last try is user home .bash_logout
|
||||
if [ -z "${user_create_date}" ]; then
|
||||
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
|
||||
user_create_date=$(stat -c %Z "${home_dir}");
|
||||
fi;
|
||||
# Username Port From Latest
|
||||
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
|
||||
last_login_string=$(lastlog -u ${user} | sed 1d);
|
||||
search="Never logged in";
|
||||
# if we have "** Never logged in**" the user never logged in
|
||||
if [ ! -z "${last_login_string##*$search*}" ]; then
|
||||
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
|
||||
# awk '{for(i=4;i<=NF;++i)printf $i FS}'
|
||||
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
|
||||
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
|
||||
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
|
||||
if [ ${last_login} -gt ${max_age_login} ]; then
|
||||
out_string="[!] last logged in ${last_login} days ago. Locking account";
|
||||
delete_accounts="${delete_accounts}deluser ${user} ${ssh_group};";
|
||||
else
|
||||
out_string="OK";
|
||||
fi;
|
||||
elif [ ! -z "${user_create_date}" ]; then
|
||||
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
|
||||
# if all empty, we continue with only check if user has last login date
|
||||
# else get days since creation
|
||||
#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
|
||||
account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
|
||||
if [ ${account_age} -gt ${max_age_create} ]; then
|
||||
out_string="[!!!] Never logged in, account created ${account_age} days ago. Locking account";
|
||||
delete_accounts="${delete_accounts}deluser ${user} ${ssh_group};";
|
||||
else
|
||||
out_string="OK";
|
||||
fi;
|
||||
else
|
||||
out_string="[!!!] Never logged in and we have no create date";
|
||||
fi;
|
||||
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
|
||||
done;
|
||||
echo "--------------------->"
|
||||
echo ${delete_accounts};
|
||||
echo "[END] ===============>"
|
||||
|
||||
# __END__
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# * input file
|
||||
# user_list.txt
|
||||
@@ -36,18 +36,19 @@ while getopts ":ti" opt; do
|
||||
done;
|
||||
# hostname for output file only
|
||||
host=$(hostname);
|
||||
timesamp=$(date +%Y%m%d-%H%M%S)
|
||||
timestamp=$(date +%Y%m%d-%H%M%S)
|
||||
# character to set getween info blocks
|
||||
separator="#";
|
||||
# base folder for all data
|
||||
root_folder=$(pwd)'/';
|
||||
input_file='user_list.txt';
|
||||
output_file="user_password.${timesamp}.txt";
|
||||
output_file="user_password.${timestamp}.txt";
|
||||
output_zip_folder='zip/';
|
||||
output_zip="users.${timesamp}.zip"
|
||||
output_zip="users.${timestamp}.zip"
|
||||
ssh_keygen_folder='ssh-keygen/';
|
||||
ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
|
||||
ssh_keytype='ed25519';
|
||||
ssh_group='sshallow';
|
||||
# check if ssh key folder exists
|
||||
if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
|
||||
mkdir "${root_folder}${ssh_keygen_folder}";
|
||||
@@ -66,11 +67,17 @@ if [ ! command -v zip &> /dev/null ]; then
|
||||
echo "Missing zip application, aborting";
|
||||
exit;
|
||||
fi;
|
||||
# check if sshallow group exists
|
||||
if [ -z $(cat /etc/group|grep "${ssh_group}:") ]; then
|
||||
echo "Missing ssh access group: ${ssh_group}";
|
||||
exit;
|
||||
fi;
|
||||
# check if user list file exists
|
||||
if [ ! -f "${root_folder}${input_file}" ]; then
|
||||
echo "Missing ${root_folder}${input_file}";
|
||||
exit;
|
||||
fi;
|
||||
exit;
|
||||
# make sure my own folder is owned by root and 600 (except for testing)
|
||||
if [ $(stat -c %a .) != "600" ]; then
|
||||
echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
|
||||
@@ -95,7 +102,8 @@ while read i; do
|
||||
_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
|
||||
group=$(echo "${_group}" | cut -d "," -f 1);
|
||||
sub_group="";
|
||||
sub_group_opt="";
|
||||
# sshallow group is always added
|
||||
sub_group_opt=" -G ${ssh_group}";
|
||||
# check if "," inside and extract sub groups
|
||||
if [ -z "${_group##*,*}" ]; then
|
||||
sub_group=$(echo "${_group}" | cut -d "," -f 2-);
|
||||
@@ -158,7 +166,8 @@ while read i; do
|
||||
else
|
||||
echo "++ Create '${user}:${group}(${sub_group})'";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
|
||||
# comment is user create time
|
||||
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
|
||||
else
|
||||
echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
|
||||
fi;
|
||||
@@ -255,3 +264,5 @@ else
|
||||
echo "$> rm ${root_folder}${output_file}";
|
||||
echo "$> rm ${root_folder}${ssh_keygen_folder}*";
|
||||
fi;
|
||||
|
||||
# __END__
|
||||
|
||||
Reference in New Issue
Block a user