diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh
new file mode 100755
index 0000000..08eaeba
--- /dev/null
+++ b/bin/check_last_login.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+# Checks for last access of users in sshallow group
+# if user login >30days, remoe user from sshallow group and write log
+
+# which group holds the ssh allowed login users (outside of admin users)
+ssh_group='sshallow';
+# date now for compare
+now=$(date +"%s");
+# max age for last login or account create without login
+max_age_login=60;
+max_age_create=30;
+# one day in seconds
+day=86400;
+# delete account strings
+delete_accounts="";
+
+if [ $(whoami) != "root" ]; then
+ echo "Script must be run as root user";
+ exit;
+fi;
+echo "[START] =============>";
+echo "Max age last login: ${max_age_login} days";
+echo "Max age no login : ${max_age_create} days";
+for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
+# for user in clemens test42; do
+ account_age=0;
+ out_string="";
+ #echo "* Checking user ${user}";
+ # check user create time, if we have set it in comment
+ user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
+ # if empty try last password set time
+ if [ -z "${user_create_date}" ]; then
+ # user L 11/09/2020 0 99999 7 -1
+ user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
+ fi;
+ # last try is user home .bash_logout
+ if [ -z "${user_create_date}" ]; then
+ home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
+ user_create_date=$(stat -c %Z "${home_dir}");
+ fi;
+ # Username Port From Latest
+ # user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
+ last_login_string=$(lastlog -u ${user} | sed 1d);
+ search="Never logged in";
+ # if we have "** Never logged in**" the user never logged in
+ if [ ! -z "${last_login_string##*$search*}" ]; then
+ # find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
+ # awk '{for(i=4;i<=NF;++i)printf $i FS}'
+ last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
+ # date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
+ last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
+ if [ ${last_login} -gt ${max_age_login} ]; then
+ out_string="[!] last logged in ${last_login} days ago. Locking account";
+ delete_accounts="${delete_accounts}deluser ${user} ${ssh_group};";
+ else
+ out_string="OK";
+ fi;
+ elif [ ! -z "${user_create_date}" ]; then
+ user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
+ # if all empty, we continue with only check if user has last login date
+ # else get days since creation
+ #account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
+ account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+ if [ ${account_age} -gt ${max_age_create} ]; then
+ out_string="[!!!] Never logged in, account created ${account_age} days ago. Locking account";
+ delete_accounts="${delete_accounts}deluser ${user} ${ssh_group};";
+ else
+ out_string="OK";
+ fi;
+ else
+ out_string="[!!!] Never logged in and we have no create date";
+ fi;
+ printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
+done;
+echo "--------------------->"
+echo ${delete_accounts};
+echo "[END] ===============>"
+
+# __END__
diff --git a/bin/user_create.sh b/bin/user_create.sh
index d3905d3..8f8443e 100755
--- a/bin/user_create.sh
+++ b/bin/user_create.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # * input file
 # user_list.txt
@@ -36,18 +36,19 @@ while getopts ":ti" opt; do
 done;
 # hostname for output file only
 host=$(hostname);
-timesamp=$(date +%Y%m%d-%H%M%S)
+timestamp=$(date +%Y%m%d-%H%M%S)
 # character to set getween info blocks
 separator="#";
 # base folder for all data
 root_folder=$(pwd)'/';
 input_file='user_list.txt';
-output_file="user_password.${timesamp}.txt";
+output_file="user_password.${timestamp}.txt";
 output_zip_folder='zip/';
-output_zip="users.${timesamp}.zip"
+output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
 ssh_keytype='ed25519';
+ssh_group='sshallow';
 # check if ssh key folder exists
 if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
 mkdir "${root_folder}${ssh_keygen_folder}";
@@ -66,11 +67,17 @@ if [ ! command -v zip &> /dev/null ]; then
 echo "Missing zip application, aborting";
 exit;
 fi;
+# check if sshallow group exists
+if [ -z $(cat /etc/group|grep "${ssh_group}:") ]; then
+ echo "Missing ssh access group: ${ssh_group}";
+ exit;
+fi;
 # check if user list file exists
 if [ ! -f "${root_folder}${input_file}" ]; then
 echo "Missing ${root_folder}${input_file}";
 exit;
 fi;
+exit;
 # make sure my own folder is owned by root and 600 (except for testing)
 if [ $(stat -c %a .) != "600" ]; then
 echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
@@ -95,7 +102,8 @@ while read i; do
 _group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 sub_group="";
- sub_group_opt="";
+ # sshallow group is always added
+ sub_group_opt=" -G ${ssh_group}";
 # check if "," inside and extract sub groups
 if [ -z "${_group##*,*}" ]; then
 sub_group=$(echo "${_group}" | cut -d "," -f 2-);
@@ -158,7 +166,8 @@ while read i; do
 else
 echo "++ Create '${user}:${group}(${sub_group})'";
 if [ ${TEST} -eq 0 ]; then
- useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
+ # comment is user create time
+ useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
 else
 echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
 fi;
@@ -255,3 +264,5 @@ else
 echo "$> rm ${root_folder}${output_file}";
 echo "$> rm ${root_folder}${ssh_keygen_folder}*";
 fi;
+
+# __END__
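Review bot: The account lookups that drive the removal decision are unanchored substring greps — `grep "${ssh_group}:"` on /etc/group also matches a group named e.g. `nosshallow`, and `grep "${user}:"` on /etc/passwd matches any line in which `user:` is the tail of a longer login or appears inside another account's GECOS or home field — so `user_create_date` can be read from the wrong account. Use the NSS lookup, which is exact and also covers LDAP/SSSD-served accounts: `for user in $(getent group "${ssh_group}" | cut -d: -f4 | tr ',' ' '); do` and `user_create_date=$(getent passwd "${user}" | cut -d: -f5);`. The `.bash_logout` fallback stores `stat -c %Z` epoch seconds, which the later `date +"%s" -f -` does not accept without an `@` prefix, so as far as I can tell the converted value comes back empty, the awk division gets an empty `$3`, `account_age` ends up empty and `[ "" -gt 30 ]` fails into the `OK` branch — the check fails open for exactly the never-logged-in accounts it exists to catch; emit a parseable date there, `user_create_date=$(date -d "@$(stat -c %Z "${home_dir}")" +%F);`, and treat an empty result after conversion as "no create date" rather than as OK. Since the script only prints the `deluser` commands rather than running them, the `Locking account` wording is misleading; `Queued for removal from ${ssh_group}` describes what actually happens.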
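Review bot: The unconditional `+exit;` added right after the user-list check terminates user_create.sh before any account is created, so every run is now a no-op past the pre-flight checks; this looks like a debugging leftover and should be removed before merging. The new group check also matches by unanchored substring — `grep "${ssh_group}:"` on /etc/group is satisfied by any group whose name ends in `sshallow` — and the unquoted `$(...)` inside `[ -z ... ]` word-splits if the member list ever contains whitespace; `if ! getent group "${ssh_group}" >/dev/null; then` is exact, quiet, and also resolves groups served by LDAP/SSSD rather than only those in /etc/group.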
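Review bot: `sub_group_opt` now defaults to ` -G ${ssh_group}`, but the branch that handles a comma-separated sub-group list continues past the end of this hunk and, judging from the original default of an empty string, probably assigns `sub_group_opt` from `${sub_group}`; if it does so with a plain `=` rather than appending, users given extra groups silently lose `sshallow` and with it the access this change is meant to grant. Please confirm the continuation appends, e.g. `sub_group_opt="${sub_group_opt},${sub_group}";`, and make the comment say so: `# sshallow group is always added; extra groups are appended to the same -G list`.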
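Review bot: The dry-run branch a few lines below the change still echoes the old command without `-c`, so test mode no longer shows what a real run executes; update it to `echo "$> useradd -c $(date +"%F") -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";` and prefer `$(...)` over backticks on the live line as well. Using the GECOS comment as the creation timestamp is a convention that check_last_login.sh in the same commit depends on, but on most systems the user can rewrite that field with `chfn` and any admin setting a display name overwrites it, after which the stale-account check can no longer derive an age; that caveat belongs in the comment, e.g. `# comment (GECOS) is the create date read by check_last_login.sh; chfn or a later -c overwrites it`. The enclosing while-read loop starts and ends outside this hunk.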