ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add multiple groups to check last login script

Browse Source 
Currently fixed group names sshallow, sshforward and reject sshreject
This commit is contained in:
Clemens Schwaighofer
2022-12-01 06:43:43 +09:00
parent 6e53d1bdec
commit fe08fa10c2
2 changed files with 74 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Readme.md
View File

@@ -213,7 +213,7 @@ This script should be run every day via crontab as root:
0 1 * * * root /root/users/bin/collect_login_data.sh 0 1 * * * root /root/users/bin/collect_login_data.sh
``` ```
The script `check_last_login.sh` will go through the sshallow groups users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too. The script `check_last_login.sh` will go through the ssh allow groups (sshallow/sshforward) users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.
This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created. This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created.
@@ -222,5 +222,5 @@ Currently only information is printed out and no action is done itself.
The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended
```crontab ```crontab
0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "$(hostname): user account check" 0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "User Account check: $(hostname)"
``` ```

141
bin/check_last_login.sh
View File

@@ -5,8 +5,8 @@
# base folder # base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/"; BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# which group holds the ssh allowed login users (outside of admin users) # which groups holds the ssh allowed login users (outside of admin users)
ssh_group='sshallow'; ssh_groups=('sshforward' 'sshallow');
ssh_reject_group='sshreject'; ssh_reject_group='sshreject';
# date now for compare # date now for compare
now=$(date +"%s"); now=$(date +"%s");
@@ -38,78 +38,81 @@ echo "Hostname : "$(hostname);
echo "Run date : "$(date +"%F %T"); echo "Run date : "$(date +"%F %T");
echo "Max age last login: ${max_age_login} days"; echo "Max age last login: ${max_age_login} days";
echo "Max age no login : ${max_age_create} days"; echo "Max age no login : ${max_age_create} days";
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do for ssh_group in ${ssh_groups[@]}; do
# for user in clemens test42; do echo "--------------------->"
account_age=0; echo "Checking Group : ${ssh_group}";
delete_user=0; for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
out_string=""; account_age=0;
#echo "* Checking user ${user}"; delete_user=0;
# check user create time, if we have set it in comment out_string="";
user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5); #echo "* Checking user ${user}";
# if empty try last password set time # check user create time, if we have set it in comment
if [ -z "${user_create_date}" ]; then user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
# user L 11/09/2020 0 99999 7 -1 # if empty try last password set time
user_create_date=$(passwd -S ${user} | cut -d " " -f 3); if [ -z "${user_create_date}" ]; then
fi; # user L 11/09/2020 0 99999 7 -1
# last try is user home .bash_logout user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
if [ -z "${user_create_date}" ]; then fi;
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout"; # last try is user home .bash_logout
user_create_date=$(stat -c %Z "${home_dir}"); if [ -z "${user_create_date}" ]; then
fi; home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
user_create_date=$(stat -c %Z "${home_dir}");
fi;
# below only works if the user logged in, a lot of them are just file upload # below only works if the user logged in, a lot of them are just file upload
# users. Use the collect script from systemd-logind or /var/log/secure # users. Use the collect script from systemd-logind or /var/log/secure
# Username Port From Latest # Username Port From Latest
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022 # user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
last_login_string=$(lastlog -u ${user} | sed 1d); last_login_string=$(lastlog -u ${user} | sed 1d);
search="Never logged in"; search="Never logged in";
found=""; found="";
# problem with running rep check in if # problem with running rep check in if
if [ -f "${AUTH_LOG}" ]; then if [ -f "${AUTH_LOG}" ]; then
found=$(grep "${user};" "${AUTH_LOG}"); found=$(grep "${user};" "${AUTH_LOG}");
fi;
if [ ! -z "${found}" ]; then
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last ssh log in ${last_login} days ago";
delete_user=1;
else
out_string="OK [ssh]";
fi; fi;
elif [ ! -z "${last_login_string##*$search*}" ]; then if [ ! -z "${found}" ]; then
# if we have "** Never logged in**" the user never logged in last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4} last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
# awk '{for(i=4;i<=NF;++i)printf $i FS}' if [ ${last_login} -gt ${max_age_login} ]; then
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -); out_string="[!] last ssh log in ${last_login} days ago";
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s delete_user=1;
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}"); else
if [ ${last_login} -gt ${max_age_login} ]; then out_string="OK [ssh]";
out_string="[!] last terminal log in ${last_login} days ago"; fi;
delete_user=1; elif [ ! -z "${last_login_string##*$search*}" ]; then
# if we have "** Never logged in**" the user never logged in
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
# awk '{for(i=4;i<=NF;++i)printf $i FS}'
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last terminal log in ${last_login} days ago";
delete_user=1;
else
out_string="OK [lastlog]";
fi;
elif [ ! -z "${user_create_date}" ]; then
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
# if all empty, we continue with only check if user has last login date
# else get days since creation
#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
if [ ${account_age} -gt ${max_age_create} ]; then
out_string="[!] Never logged in, account created ${account_age} days ago";
delete_user=1;
else
out_string="OK [first login]";
fi;
else else
out_string="OK [lastlog]"; out_string="[!!!] Never logged in and we have no create date";
fi; fi;
elif [ ! -z "${user_create_date}" ]; then # build delete output
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -); if [ ${delete_user} = 1 ]; then
# if all empty, we continue with only check if user has last login date delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
# else get days since creation
#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
if [ ${account_age} -gt ${max_age_create} ]; then
out_string="[!] Never logged in, account created ${account_age} days ago";
delete_user=1;
else
out_string="OK [first login]";
fi; fi;
else printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
out_string="[!!!] Never logged in and we have no create date"; done;
fi;
# build delete output
if [ ${delete_user} = 1 ]; then
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
fi;
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
done; done;
echo "--------------------->" echo "--------------------->"
echo "Showing current SSH Reject users:" echo "Showing current SSH Reject users:"