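#!/usr/bin/env bash
#
# Collect the latest login time per user.
#
# Reads "New session" records of systemd-logind from the journal; on hosts
# whose PID 1 is not systemd it falls back to the "session opened for user"
# lines of /var/log/secure (or /var/log/auth.log). Results go to
#   <script dir>/../auth-log/user_auth.log
# as one "user;YYYY-MM-DD HH:MM:SS" line per user holding the newest login
# seen for that user: an existing entry is replaced, a new user is appended.
#
# Usage: <script> [FULL]
#   FULL   scan the whole journal instead of yesterday's entries
#          (the syslog fallback only ever looks at yesterday's lines).
#
# Requires root (journal of all users, /var/log/secure) and GNU date (-d).

set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Store the login time of one user in the auth log.
# The user name is compared as plain data against the "user;" prefix of
# each line and never used as a grep/sed pattern, so names containing
# regex or sed metacharacters cannot alter other entries.
# Globals:   AUTH_LOG (read and rewritten)
# Arguments: $1 - user name
#            $2 - login time as "YYYY-MM-DD HH:MM:SS"
# Returns:   non-zero if the temp file cannot be created
#######################################
record_auth() {
  local user=$1 when=$2
  local tmp line replaced=0
  tmp=$(mktemp "${AUTH_LOG}.XXXXXX") || return 1
  # `|| [[ -n "$line" ]]` keeps a last line that lacks a trailing newline
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ "$line" == "${user};"* ]]; then
      printf '%s;%s\n' "$user" "$when"
      replaced=1
    else
      printf '%s\n' "$line"
    fi
  done < "$AUTH_LOG" > "$tmp"
  if (( replaced == 0 )); then
    printf '%s;%s\n' "$user" "$when" >> "$tmp"
  fi
  # copy back instead of mv so the log keeps its owner and mode
  cat -- "$tmp" > "$AUTH_LOG"
  rm -f -- "$tmp"
}

# root is needed for other users' journal entries and the secure log;
# exit non-zero so a caller (cron, wrapper) can notice the refusal
if [[ "$EUID" -ne 0 ]]; then
  die "Must be run as root or with sudo command"
fi

BASE_FOLDER=$(dirname -- "$(readlink -f -- "$0")")
readonly BASE_FOLDER
readonly AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log"
mkdir -p -- "${AUTH_LOG%/*}" || die "cannot create ${AUTH_LOG%/*}"
[[ -f "$AUTH_LOG" ]] || touch -- "$AUTH_LOG" || die "cannot create ${AUTH_LOG}"

# FULL as first argument: scan the whole journal instead of one day
RUN_FULL_LOG=0
if [[ "${1-}" == "FULL" ]]; then
  printf '%s\n' "[!!!] Run through all log files to collect data"
  RUN_FULL_LOG=1
fi
readonly RUN_FULL_LOG

# Ask PID 1 for its version string; a non-systemd init may reject
# --version, which simply counts as "no systemd".
init_version=$(/proc/1/exe --version 2>/dev/null | head -n 1 || true)
readonly init_version

if [[ "$init_version" == *systemd* ]]; then
  journal_args=(-u systemd-logind --no-pager -o short-iso)
  if (( RUN_FULL_LOG == 0 )); then
    # window is [yesterday 00:00, today 00:00)
    journal_args+=(-S "$(date +%F -d '1 day ago')" -U "$(date +%F)")
  fi
  # short-iso line (constructed example):
  #   2023-11-21T14:15:46+0100 host systemd-logind[1865]: New session 12345 of user alice.
  # The ISO timestamp already carries the year, so nothing has to be guessed
  # from "1 day ago" (which went wrong across a year boundary and for FULL).
  # The user name runs up to the final "." so names containing dots survive.
  readonly journal_re='^([0-9]{4}-[0-9]{2}-[0-9]{2})T([0-9]{2}:[0-9]{2}:[0-9]{2})[^ ]* .*: New session [^ ]+ of user (.+)\.$'
  while IFS= read -r line; do
    [[ "$line" =~ $journal_re ]] || continue
    record_auth "${BASH_REMATCH[3]}" "${BASH_REMATCH[1]} ${BASH_REMATCH[2]}"
  done < <(journalctl "${journal_args[@]}" | grep -F -- ": New session" || true)
else
  if [[ -r /var/log/secure ]]; then
    syslog_file=/var/log/secure
  elif [[ -r /var/log/auth.log ]]; then
    syslog_file=/var/log/auth.log
  else
    die "PID 1 is not systemd and neither /var/log/secure nor /var/log/auth.log is readable"
  fi
  # traditional syslog timestamps carry no year: prefix the year of "1 day ago"
  start_date=$(date +'%b %e' -d '1 day ago')
  start_year=$(date +%Y -d '1 day ago')
  # syslog line (constructed example):
  #   Nov 21 14:15:56 host sshd[12345]: pam_unix(sshd:session): session opened for user bob(uid=6789) by (uid=0)
  # The name ends at the first "(" or space, so the older "user bob by (uid=0)"
  # form is accepted as well.
  readonly syslog_re='^([A-Z][a-z]{2} [ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) .*: session opened for user ([^ (]+)'
  while IFS= read -r line; do
    [[ "$line" =~ $syslog_re ]] || continue
    auth_date=$(date -d "${BASH_REMATCH[1]} ${start_year} ${BASH_REMATCH[2]}" +'%F %T') || continue
    record_auth "${BASH_REMATCH[3]}" "$auth_date"
  done < <(grep -F -- "$start_date" "$syslog_file" | grep -F -- ": session opened for user" || true)
fi

# __END__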