From c09e8cf79937a6af72368b47421a57fc8cbe640c Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Wed, 2 Nov 2022 15:02:17 +0900
Subject: [PATCH] AWS accunt scripts, deploy akamai scripts

A new last logged in, last created script has been added to check which users we have to disable.
- checks in group sshallow
- if last login older than 60days, remove account from ssh group
- if we have account create date, check if never logged in and older than 30 days, remove account from ssh group
Both dates can be set separate
Update create script to add create date in Y-m-d (%F) format as comment to the passwd file
Also add user to sshallow group (group always exists, is created on server creation)
---
 bin/check_last_login.sh | 80 +++++++++++++++++++++++++++++++++++++++++
 bin/user_create.sh | 23 ++++++++----
 2 files changed, 97 insertions(+), 6 deletions(-)
 create mode 100755 bin/check_last_login.sh

diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh
new file mode 100755
index 0000000..08eaeba
--- /dev/null
+++ b/bin/check_last_login.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+# Checks for last access of users in sshallow group
+# if user login >30days, remoe user from sshallow group and write log
+
+# which group holds the ssh allowed login users (outside of admin users)
+ssh_group='sshallow';
+# date now for compare
+now=$(date +"%s");
+# max age for last login or account create without login
+max_age_login=60;
+max_age_create=30;
+# one day in seconds
+day=86400;
+# delete account strings
+delete_accounts="";
+
+if [ $(whoami) != "root" ]; then
+ echo "Script must be run as root user";
+ exit;
+fi;
+echo "[START] =============>";
+echo "Max age last login: ${max_age_login} days";
+echo "Max age no login : ${max_age_create} days";
+for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
+# for user in clemens test42; do
+ account_age=0;
+ out_string="";
+ #echo "* Checking user ${user}";
+ # check user create time, if we have set it in comment
+ user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
+ # if empty try last password set time
+ if [ -z "${user_create_date}" ]; then
+ # user L 11/09/2020 0 99999 7 -1
+ user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
+ fi;
+ # last try is user home .bash_logout
+ if [ -z "${user_create_date}" ]; then
+ home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
+ user_create_date=$(stat -c %Z "${home_dir}");
+ fi;
+ # Username Port From Latest
+ # user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
+ last_login_string=$(lastlog -u ${user} | sed 1d);
+ search="Never logged in";
+ # if we have "** Never logged in**" the user never logged in
+ if [ ! -z "${last_login_string##*$search*}" ]; then
+ # find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
+ # awk '{for(i=4;i<=NF;++i)printf $i FS}'
+ last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
+ # date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
+ last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
+ if [ ${last_login} -gt ${max_age_login} ]; then
+ out_string="[!] last logged in ${last_login} days ago. Locking account";
+ delete_accounts="${delete_accounts}deluser ${user} ${ssh_group};";
+ else
+ out_string="OK";
+ fi;
+ elif [ ! -z "${user_create_date}" ]; then
+ user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
+ # if all empty, we continue with only check if user has last login date
+ # else get days since creation
+ #account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
+ account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+ if [ ${account_age} -gt ${max_age_create} ]; then
+ out_string="[!!!] Never logged in, account created ${account_age} days ago. Locking account";
+ delete_accounts="${delete_accounts}deluser ${user} ${ssh_group};";
+ else
+ out_string="OK";
+ fi;
+ else
+ out_string="[!!!] Never logged in and we have no create date";
+ fi;
+ printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
+done;
+echo "--------------------->"
+echo ${delete_accounts};
+echo "[END] ===============>"
+
+# __END__
diff --git a/bin/user_create.sh b/bin/user_create.sh
index d3905d3..8f8443e 100755
--- a/bin/user_create.sh
+++ b/bin/user_create.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # * input file
 # user_list.txt
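Review bot: The `.bash_logout` fallback can never produce a usable creation date: `stat -c %Z` prints epoch seconds, but the `elif` branch then feeds that value through `date +"%s" -f -`, which parses textual dates and rejects a bare integer, so those accounts fall into the "no create date" branch and are never flagged. Converting at the source keeps the later parsing uniform: `user_create_date=$(date -d "@$(stat -c %Z "${home_dir}")" +"%F");`. The `/etc/passwd` and `/etc/group` lookups use an unanchored `grep "${user}:"`, which also matches any other line containing that substring; `grep "^${user}:"` (or `getent passwd "${user}"`) is what is intended, and the same applies to the group check in the user_create.sh hunk at `@@ -66,11 +67,17 @@`. Accounts that predate this change may hold a real name in the GECOS field rather than a date, which `date -f -` will reject and silently route to the "no create date" branch, so that case deserves a comment next to the `cut -d ":" -f 5`. The header comment says `>30days` while `max_age_login` is 60, and `remoe` should read `remove`.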
@@ -36,18 +36,19 @@ while getopts ":ti" opt; do
 done;
 # hostname for output file only
 host=$(hostname);
-timesamp=$(date +%Y%m%d-%H%M%S)
+timestamp=$(date +%Y%m%d-%H%M%S)
 # character to set getween info blocks
 separator="#";
 # base folder for all data
 root_folder=$(pwd)'/';
 input_file='user_list.txt';
-output_file="user_password.${timesamp}.txt";
+output_file="user_password.${timestamp}.txt";
 output_zip_folder='zip/';
-output_zip="users.${timesamp}.zip"
+output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
 ssh_keytype='ed25519';
+ssh_group='sshallow';
 # check if ssh key folder exists
 if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
 mkdir "${root_folder}${ssh_keygen_folder}";
@@ -66,11 +67,17 @@ if [ ! command -v zip &> /dev/null ]; then
 echo "Missing zip application, aborting";
 exit;
 fi;
+# check if sshallow group exists
+if [ -z $(cat /etc/group|grep "${ssh_group}:") ]; then
+ echo "Missing ssh access group: ${ssh_group}";
+ exit;
+fi;
 # check if user list file exists
 if [ ! -f "${root_folder}${input_file}" ]; then
 echo "Missing ${root_folder}${input_file}";
 exit;
 fi;
+exit;
 # make sure my own folder is owned by root and 600 (except for testing)
 if [ $(stat -c %a .) != "600" ]; then
 echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
@@ -95,7 +102,8 @@ while read i; do
 _group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 sub_group="";
- sub_group_opt="";
+ # sshallow group is always added
+ sub_group_opt=" -G ${ssh_group}";
 # check if "," inside and extract sub groups
 if [ -z "${_group##*,*}" ]; then
 sub_group=$(echo "${_group}" | cut -d "," -f 2-);
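Review bot: The unconditional `exit;` added right after the user-list check terminates the script before any account is created, so the folder-permission check and the whole `while read` loop below it become unreachable; it reads as a debugging leftover and should be dropped before merge. The new group check relies on an unquoted `$(cat /etc/group|grep "${ssh_group}:")` inside `[ -z ... ]`, which only passes by accident when the output is empty and also accepts any group whose name merely ends in `sshallow`; `if ! getent group "${ssh_group}" >/dev/null; then` tests the exact name without the pipeline and the quoting pitfall.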
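Review bot: `sub_group_opt` is now pre-seeded with ` -G ${ssh_group}`, but the sub-group branch it feeds (`if [ -z "${_group##*,*}" ]`) continues outside the hunk; if that branch assigns `sub_group_opt` instead of appending to it, the ssh group is silently lost for every user that lists extra groups, which is exactly the population this commit wants covered. Worth confirming the branch appends (e.g. `sub_group_opt="${sub_group_opt},${sub_group}"`), and a comment such as `# always contains the ssh group; sub groups are appended below` next to the assignment would make the invariant visible to the next editor.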
@@ -158,7 +166,8 @@ while read i; do
 else
 echo "++ Create '${user}:${group}(${sub_group})'";
 if [ ${TEST} -eq 0 ]; then
- useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
+ # comment is user create time
+ useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
 else
 echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
 fi;
@@ -255,3 +264,5 @@ else
 echo "$> rm ${root_folder}${output_file}";
 echo "$> rm ${root_folder}${ssh_keygen_folder}*";
 fi;
+
+# __END__
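Review bot: The dry-run branch (`echo "$> useradd -s /bin/bash ..."`) was not updated alongside the real call, so test mode no longer prints the command that is actually executed; it should carry the new option too, `echo "$> useradd -c $(date +"%F") -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";`. The real call uses backticks and leaves the substitution unquoted; `useradd -c "$(date +"%F")" -s /bin/bash -g ${group}${sub_group_opt} -m ${user};` is the form the rest of the file's `$(...)` usage suggests and stays safe if the format is ever changed to one containing spaces. The comment `# comment is user create time` would be more useful if it named the consumer, e.g. `# GECOS holds the create date (%F); read back by check_last_login.sh`. The enclosing `while read i` loop starts and ends outside the hunk.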