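#!/usr/bin/env bash
#
# Collect "last successful login" timestamps per user and keep them in
# ../auth-log/user_auth.log (relative to this script) as one line per user:
#
#   <user>;<YYYY-MM-DD HH:MM:SS>
#
# Data source:
#   * systemd hosts: journalctl for systemd-logind "New session ... of user X" lines
#   * otherwise:     /var/log/secure (falls back to /var/log/auth.log) and,
#                    with -f, the rotated /var/log/secure*bz2 archives
#
# Usage (must run as root):
#   user_auth.sh [-f] [-d]
#     -f  re-read all available log data instead of only the last day
#     -d  print debug output to stdout
#
# Requires GNU userland (date -d, stat -c, chmod --reference, sed/awk) and Linux /proc.
#
# Security notes for maintainers:
#   * Usernames are taken from log lines. They are never interpolated into
#     sed/grep/awk program text (a crafted name such as "a/b" or "." would
#     otherwise corrupt or mis-match records); they are passed to awk via
#     the environment and compared as whole fixed strings.
#   * The script runs as root and writes next to itself. It refuses to write
#     through a symlink and creates the log file 0600.

set -u

# ---------------------------------------------------------------------------
# Privilege check: we read /proc/1/exe, the journal and /var/log/secure.
# Exit non-zero so a cron/wrapper notices (the previous version exited 0).
# ---------------------------------------------------------------------------
if [[ "${EUID}" -ne 0 ]]; then
  printf '%s\n' "Must be run as root or with sudo command" >&2
  exit 1
fi

# Folder this script lives in (symlinks resolved), with trailing slash.
BASE_FOLDER="$(dirname "$(readlink -f "$0")")/"
readonly BASE_FOLDER

# Per-user "last auth" record file.
AUTH_LOG="${BASE_FOLDER}../auth-log/user_auth.log"
readonly AUTH_LOG

# Never follow a symlink here: root would otherwise write wherever an
# attacker with write access to the auth-log directory points it.
if [[ -L "${AUTH_LOG}" ]]; then
  printf 'Refusing to write through symlink: %s\n' "${AUTH_LOG}" >&2
  exit 1
fi
if [[ ! -d "$(dirname "${AUTH_LOG}")" ]]; then
  printf 'Missing directory for %s\n' "${AUTH_LOG}" >&2
  exit 1
fi
if [[ ! -f "${AUTH_LOG}" ]]; then
  # Created 0600: the file lists valid usernames and when they last logged in.
  # NOTE(review): relax the mode here if a non-root consumer must read it.
  (umask 077 && : > "${AUTH_LOG}") || {
    printf 'Cannot create %s\n' "${AUTH_LOG}" >&2
    exit 1
  }
fi

# Debug output flag (-d).
DEBUG=0
# Re-read all available logs instead of only the last day (-f).
RUN_FULL_LOG=0

# ---------------------------------------------------------------------------
# Option parsing (no option takes an argument).
# ---------------------------------------------------------------------------
while getopts ":fd" opt; do
  case "${opt}" in
    f)
      echo "[!!!] Run through all log files to collect data"
      RUN_FULL_LOG=1
      ;;
    d)
      DEBUG=1
      ;;
    *)
      echo ""
      echo "-f Collect all log data again"
      echo "-d Debug output"
      exit 1
      ;;
  esac
done
shift $((OPTIND - 1))

#######################################
# Print a debug message when debugging is enabled.
# Arguments:
#   $1 - message
#   $2 - debug flag (1 = print), default 0
#   $3 - 1 to suppress the trailing newline, default 0
# Outputs: message on stdout
#######################################
prD() {
  local message="${1}"
  local debug="${2:-0}"
  local lb_off="${3:-0}"
  [[ "${debug}" -eq 1 ]] || return 0
  if [[ "${lb_off}" -eq 1 ]]; then
    printf '%s' "${message}"
  else
    printf '%s\n' "${message}"
  fi
}

#######################################
# Extract user and timestamp from one log line and record it as the user's
# last authentication in the record file (append, or replace the existing
# line for that user).
# Arguments:
#   $1 - log line
#   $2 - record file path
#   $3 - year to assume for syslog lines (they carry no year)
#   $4 - "systemd" (journalctl -o short-iso line) or anything else (syslog line)
#   $5 - debug flag, default 0
# Returns: 0 when recorded, 1 when the line was skipped or the write failed
#######################################
parseLog() {
  local line="${1}"
  local auth_log="${2}"
  local start_year="${3}"
  local logger="${4}"
  local debug="${5:-0}"
  local raw_date auth_date auth_user msg tmp

  if [[ "${logger}" == "systemd" ]]; then
    # 2022-11-18T20:04:08+0900 host systemd-logind[1865]: New session 12345 of user alice.
    # The username is the 7th space-separated word after the "]" and carries a
    # trailing "." that is stripped (a username may itself contain dots).
    raw_date=$(cut -d ' ' -f 1 <<<"${line}")
    auth_user=$(cut -d ']' -f 2 <<<"${line}" | cut -d ' ' -f 7 | sed -e 's/\.$//')
  else
    # Nov 21 14:15:46 host sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
    # Newer pam_unix writes "user alice(uid=1000)", hence the final cut on "(".
    # Syslog timestamps have no year; the caller supplies one.
    raw_date="$(cut -c 1-6 <<<"${line}") ${start_year} $(cut -c 8-15 <<<"${line}")"
    auth_user=$(cut -d ')' -f 2 <<<"${line}" | cut -d ' ' -f 6 | cut -d '(' -f 1)
  fi

  # ";" is the record separator: a name containing it cannot be stored safely.
  if [[ -z "${auth_user}" || "${auth_user}" == *";"* ]]; then
    prD "Skip line with unusable username: ${line}" "${debug}"
    return 1
  fi

  # Normalise to "YYYY-MM-DD HH:MM:SS" (local time); skip lines date cannot parse
  # instead of writing an empty timestamp into the record file.
  if ! auth_date=$(date +'%F %T' -d "${raw_date}" 2>/dev/null) || [[ -z "${auth_date}" ]]; then
    prD "Skip line with unparsable date '${raw_date}': ${line}" "${debug}"
    return 1
  fi

  printf -v msg 'Source: %-10s | Year: %4s | Last auth user: %-20s: %19s' \
    "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
  prD "${msg}" "${debug}" 1

  # Whole-field comparison on the username. The name is handed to awk through
  # the environment rather than -v (which would interpret backslash escapes)
  # and never becomes part of a pattern.
  if AU_USER="${auth_user}" awk -F';' \
       'BEGIN { u = ENVIRON["AU_USER"] } $1 == u { f = 1 } END { exit !f }' \
       "${auth_log}"; then
    prD " | Replace old" "${debug}"
    # Rewrite atomically via a temp file in the same directory, keeping the
    # record file's mode.
    tmp=$(mktemp -- "${auth_log}.XXXXXX") || {
      printf 'Cannot create temp file next to %s\n' "${auth_log}" >&2
      return 1
    }
    if AU_USER="${auth_user}" AU_DATE="${auth_date}" awk -F';' '
          BEGIN { u = ENVIRON["AU_USER"]; d = ENVIRON["AU_DATE"] }
          $1 == u { print u ";" d; next }
          { print }' "${auth_log}" > "${tmp}" \
       && chmod --reference="${auth_log}" -- "${tmp}" \
       && mv -f -- "${tmp}" "${auth_log}"; then
      return 0
    fi
    rm -f -- "${tmp}"
    printf 'Failed to update %s\n' "${auth_log}" >&2
    return 1
  fi

  prD " | Write new" "${debug}"
  printf '%s;%s\n' "${auth_user}" "${auth_date}" >> "${auth_log}"
}

printf -v msg 'Run date: %s' "$(date +'%F %T')"
prD "${msg}" "${DEBUG}"

# ---------------------------------------------------------------------------
# Source selection: systemd journal if booted with systemd, else syslog files.
# /run/systemd/system exists only on a systemd-booted system (what
# sd_booted() checks); PID 1's --version output is kept as a fallback.
# ---------------------------------------------------------------------------
init_version=$(/proc/1/exe --version 2>/dev/null | head -n 1)
readonly init_version

if [[ -d /run/systemd/system || -z "${init_version##*systemd*}" ]]; then
  LOG_TARGET="systemd"
  # Only used for the debug line here: short-iso journal output carries the year.
  START_YEAR=$(date +%Y -d '1 day ago')

  # Default window is yesterday 00:00 up to (excluding) today 00:00, i.e. the
  # previous calendar day — intended for a daily run. -f reads the whole journal.
  journal_opts=()
  if [[ "${RUN_FULL_LOG}" -eq 0 ]]; then
    journal_opts+=(-S "$(date +%F -d '1 day ago')" -U "$(date +%F)")
  fi

  # Options are passed as separate words (an earlier version quoted
  # "-S DATE" as one argument, which journalctl rejects).
  journalctl -u systemd-logind --no-pager -o short-iso \
      ${journal_opts[@]+"${journal_opts[@]}"} \
    | grep -F -- ': New session' \
    | while IFS= read -r line; do
        parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"
      done
  if [[ "${PIPESTATUS[0]}" -ne 0 ]]; then
    printf 'journalctl failed; no data collected\n' >&2
    exit 1
  fi
else
  LOG_TARGET="syslog"
  SECURE_LOG=/var/log/secure
  if [[ ! -f "${SECURE_LOG}" ]]; then
    # Debian-style hosts write the same format to auth.log.
    # NOTE(review): rotated auth.log archives (usually .gz) are not read by -f.
    SECURE_LOG=/var/log/auth.log
  fi
  if [[ ! -f "${SECURE_LOG}" ]]; then
    printf 'No syslog auth file found (/var/log/secure, /var/log/auth.log)\n' >&2
    exit 1
  fi

  # Filter applied to the current log file before the session-open match.
  # Kept from the original behaviour: empty (every line) on a normal run,
  # "sshd" after a -f archive sweep. NOTE(review): the asymmetry looks
  # unintentional — confirm whether both runs should match the same lines.
  SYSLOG_LINE_FILTER=""

  if [[ "${RUN_FULL_LOG}" -eq 1 ]]; then
    shopt -s nullglob
    for sfile in /var/log/secure*bz2; do
      # Syslog lines carry no year; use the archive's ctime year as a proxy.
      # NOTE(review): an archive rotated in January still holds December
      # entries, which will be stamped with the wrong year.
      tz=$(stat -c %Z -- "${sfile}") || continue
      START_YEAR=$(date +%Y -d "@${tz}")
      bunzip2 -ck -- "${sfile}" \
        | grep -F -- ': session opened for user' \
        | grep -F -- ' by (uid=0)' \
        | while IFS= read -r line; do
            parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"
          done
    done
    shopt -u nullglob
    SYSLOG_LINE_FILTER="sshd"
  fi

  START_YEAR=$(date +%Y -d '1 day ago')
  grep -F -- "${SYSLOG_LINE_FILTER}" "${SECURE_LOG}" \
    | grep -F -- ': session opened for user' \
    | grep -F -- ' by (uid=0)' \
    | while IFS= read -r line; do
        parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"
      done
fi

exit 0
# __END__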