From d4bb06e3e19c4cfa37a723a521e01fe790172756 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Thu, 21 Dec 2023 15:58:28 +0900
Subject: [PATCH] Fix lock user flow to only lock if the user is not in the reject group
---
 bin/check_last_login.sh | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh
index 219d1fc..6fe4fd0 100755
--- a/bin/check_last_login.sh
+++ b/bin/check_last_login.sh
@@ -53,7 +53,7 @@ case "${1,,}" in
 ;;
 esac;
-if [ "${OUTPUT_TARGET}" == "text" ]; then
+if [ "${OUTPUT_TARGET}" = "text" ]; then
 LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
 exec &> >(tee -a "${LOG}");
 echo "[START] =============>";
@@ -62,7 +62,7 @@ if [ "${OUTPUT_TARGET}" == "text" ]; then
 echo "Max age last login : ${max_age_login} days";
 echo "Warn age last login: ${warn_age_login} days";
 echo "Max age no login : ${max_age_create} days";
-elif [ "${OUTPUT_TARGET}" == "json" ]; then
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
 echo '"Info": {'
 echo '"Hostname": "'$(hostname)'",';
 echo '"Date": "'$(date +"%F %T")'",';
@@ -73,9 +73,9 @@ elif [ "${OUTPUT_TARGET}" == "json" ]; then
 echo '"Users": ['
 fi;
 for ssh_group in ${ssh_groups[@]}; do
- if [ "${OUTPUT_TARGET}" == "text" ]; then
+ if [ "${OUTPUT_TARGET}" = "text" ]; then
 echo "--------------------->"
- if [ "${ssh_group}" == "${ssh_reject_group}" ]; then
+ if [ "${ssh_group}" = "${ssh_reject_group}" ]; then
 echo "Showing current SSH Reject users:";
 unlock_flag=1
 else
@@ -112,7 +112,7 @@ for ssh_group in ${ssh_groups[@]}; do
 continue;
 fi;
 # for json output, we need , between outputs
- if [ "${OUTPUT_TARGET}" == "json" ] && [ $first_run -eq 0 ]; then
+ if [ "${OUTPUT_TARGET}" = "json" ] && [ $first_run -eq 0 ]; then
 echo ",";
 fi;
 first_run=0;
@@ -172,7 +172,9 @@ for ssh_group in ${ssh_groups[@]}; do
 last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 if [ ${last_login} -gt ${max_age_login} ]; then
 out_string="[!] last ssh log in ${last_login} days ago";
- lock_user=1;
+ if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+ lock_user=1;
+ fi;
 elif [ ${last_login} -gt ${warn_age_login} ]; then
 out_string="OK [last ssh login ${last_login} days ago";
 else
@@ -190,7 +192,9 @@ for ssh_group in ${ssh_groups[@]}; do
 last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 if [ ${last_login} -gt ${max_age_login} ]; then
 out_string="[!] last terminal log in ${last_login} days ago";
- lock_user=1;
+ if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+ lock_user=1;
+ fi;
 elif [ ${last_login} -gt ${warn_age_login} ]; then
 out_string="OK [last terminal login ${last_login} days ago";
 else
@@ -201,7 +205,9 @@ for ssh_group in ${ssh_groups[@]}; do
 elif [ ! -z "${user_create_date}" ]; then
 if [ ${account_age} -gt ${max_age_create} ]; then
 out_string="[!] Never logged in: account created ${account_age} days ago";
- lock_user=1;
+ if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+ lock_user=1;
+ fi;
 else
 out_string="OK [Never logged in]";
 fi;
@@ -222,7 +228,7 @@ for ssh_group in ${ssh_groups[@]}; do
 sub_groups_string="["
 sub_group_first=1
 for s_group in $sub_groups; do
- if [ "${sub_group_first}" == 0 ]; then
+ if [ "${sub_group_first}" = 0 ]; then
 sub_groups_string="${sub_groups_string},";
 fi;
 sub_groups_string="${sub_groups_string}\"${s_group}\"";
@@ -249,7 +255,7 @@ for ssh_group in ${ssh_groups[@]}; do
 esac;
 done;
 done;
-if [ "${OUTPUT_TARGET}" == "text" ]; then
+if [ "${OUTPUT_TARGET}" = "text" ]; then
 if [ ! -z "${lock_accounts}" ]; then
 echo "--------------------->"
 echo "% Run script below to move users to reject ssh group";
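Review bot: The reject-group guard around `lock_user=1` is pasted identically into three branches (the hunks at -172, -190 and -201), so any further lock condition added to this loop has to remember to repeat it, and a forgotten copy would silently re-flag accounts that are already in the reject group. The enclosing `for ssh_group` loop starts before the hunk; computing the decision once at its head, e.g. `lock_allowed=1; [ "${ssh_group}" = "${ssh_reject_group}" ] && lock_allowed=0;`, and then writing `[ "${lock_allowed}" -eq 1 ] && lock_user=1;` in the three places keeps the rule in one spot. That head is also where the intent carried only by the commit message belongs as a comment, such as `# accounts in the reject group are the already-locked ones; never flag them for locking again`. Whether `lock_user` is reset per user is not visible in these hunks, so the per-branch assignments were left as-is in the suggestion.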
@@ -267,7 +273,7 @@ if [ "${OUTPUT_TARGET}" == "text" ]; then
 echo "bin/unlock_user.sh -s forward ${lock_accounts}";
 fi;
 echo "[END] ===============>"
-elif [ "${OUTPUT_TARGET}" == "json" ]; then
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
 # users
 echo "]";
 # overall