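#!/usr/bin/env bash
# Checks for last access of users in the ssh allow groups.
#
# For every member of the groups in ${ssh_groups}:
#   * if the user logged in via ssh (per the collected auth log) or via a
#     terminal (per lastlog) more than ${max_age_login} days ago, or
#   * if the user never logged in and the account is older than
#     ${max_age_create} days,
# the gpasswd commands that move the user from the allow group to
# ${ssh_reject_group} are collected and PRINTED at the end. Nothing is changed
# on the system by this script; an operator reviews and runs the printed list.
#
# Must run as root (passwd -S, lastlog). All output is also appended to
# ${BASE_FOLDER}/../log/check_ssh_user.<YYYY-MM-DD_HHMMSS>.log
#
# Fixes over the previous revision:
#   * log file timestamp used %m (month) where minutes (%M) were intended
#   * the "current reject users" list printed ${username} instead of the loop
#     variable, so it showed the last checked user repeatedly
#   * an epoch from stat(1) was fed to date(1) without the "@" prefix and could
#     never be parsed; an unparsable date made ($now - "") look like a 50-year
#     absence and flagged the user for removal - both are reported now instead
#   * exact user/group matching (getent / anchored grep) instead of substring
#     grep on /etc/passwd, /etc/group and the auth log
#   * the error exits now return a non-zero status

# base folder of this script
BASE_FOLDER=$(dirname "$(readlink -f "$0")")
readonly BASE_FOLDER

# which groups hold the ssh allowed login users (outside of admin users)
readonly ssh_groups=('sshforward' 'sshallow')
readonly ssh_reject_group='sshreject'

# date now (epoch seconds) for comparisons
now=$(date +"%s")
readonly now

# max age for last login or account create without login, in days
readonly max_age_login=60
readonly max_age_create=30

# one day in seconds
readonly day=86400

# collected "move to reject group" commands, one user per line
delete_accounts=""
# printf template: gpasswd -d <user> <allow group>;gpasswd -a <user> <reject group>;
readonly user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;"

# log base folder (reassigned to the actual log file below)
LOG="${BASE_FOLDER}/../log"

# auth log file "user;date" from the collect_login_data script
readonly AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log"

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the comma-separated member list of a group.
# getent is used so the lookup is an exact name match and honours NSS.
# Arguments: $1 - group name
# Returns:   non-zero if the group does not exist
#######################################
group_members() {
  local entry
  entry=$(getent group "$1") || return 1
  cut -d ":" -f 4 <<<"${entry}"
}

#######################################
# Print one field of the user's passwd entry (exact username match).
# Arguments: $1 - username, $2 - 1-based field number
#######################################
passwd_field() {
  getent passwd "$1" | cut -d ":" -f "$2"
}

#######################################
# Convert a date string to epoch seconds.
# Arguments: $1 - anything date -d accepts ("@<epoch>" for raw epochs)
# Outputs:   epoch seconds on stdout
# Returns:   1 (and prints nothing) if date cannot parse the string
#######################################
to_epoch() {
  local epoch
  epoch=$(date +"%s" -d "$1" 2>/dev/null) || return 1
  printf '%s\n' "${epoch}"
}

#######################################
# Read date strings from stdin, one per line, and print the most recent one
# as epoch seconds. Lines date cannot parse are skipped; prints nothing if no
# line could be parsed.
#######################################
latest_epoch() {
  local line epoch latest=""
  while IFS= read -r line || [[ -n "${line}" ]]; do
    epoch=$(to_epoch "${line}") || continue
    if [[ -z "${latest}" ]] || (( epoch > latest )); then
      latest=${epoch}
    fi
  done
  printf '%s\n' "${latest}"
}

#######################################
# Whole days between an epoch and now, rounded to nearest.
# Globals:   now, day (read)
# Arguments: $1 - epoch seconds
#######################################
days_since() {
  awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} $1 ${day}"
}

#######################################
# Check one user of one allow group and print the result line.
# Globals:   delete_accounts (appended), AUTH_LOG, ssh_reject_group,
#            max_age_login, max_age_create, user_group_tpl (read)
# Arguments: $1 - username, $2 - allow group the user was found in
#######################################
check_user() {
  local username=$1
  local ssh_group=$2
  local out_string="" delete_user=0
  local user_create_date="" user_create_epoch="" home_dir
  local last_login_string last_login_date last_login account_age found=""
  local -r search="Never logged in"

  # check that the user exists in passwd
  if ! id "${username}" &>/dev/null; then
    echo "[!] User ${username} does not exists in /etc/passwd file"
    return 0
  fi

  # 1) account creation date, if it was stored in the GECOS comment field.
  #    NOTE(review): GECOS may be editable by the user via chfn depending on
  #    login.defs; treat this date as advisory.
  user_create_date=$(passwd_field "${username}" 5)
  # 2) fall back to the last password change date
  #    ("user L 11/09/2020 0 99999 7 -1" -> field 3)
  if [[ -z "${user_create_date}" ]]; then
    user_create_date=$(passwd -S "${username}" 2>/dev/null | cut -d " " -f 3)
  fi
  # 3) last resort: ctime of the home .bash_logout; stat gives an epoch, which
  #    date(1) only understands with the "@" prefix
  if [[ -z "${user_create_date}" ]]; then
    home_dir=$(passwd_field "${username}" 6)
    if [[ -n "${home_dir}" && -f "${home_dir}/.bash_logout" ]]; then
      user_create_date="@$(stat -c %Z "${home_dir}/.bash_logout")"
    fi
  fi

  # lastlog only knows about users that logged in to a terminal; a lot of them
  # are just file upload users, so the auth log from collect_login_data
  # (systemd-logind or /var/log/secure) is consulted first.
  # lastlog line: "user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022"
  last_login_string=$(lastlog -u "${username}" 2>/dev/null | sed 1d)

  # auth log lines are "user;date"; anchor so "bob" does not match "abob"
  if [[ -f "${AUTH_LOG}" ]]; then
    found=$(grep "^${username};" "${AUTH_LOG}")
  fi

  if [[ -n "${found}" ]]; then
    # a user may have several lines; the most recent login counts
    last_login_date=$(cut -d ";" -f 2 <<<"${found}" | latest_epoch)
    if [[ -z "${last_login_date}" ]]; then
      out_string="[!!!] ssh log entry found but its date could not be parsed"
    else
      last_login=$(days_since "${last_login_date}")
      if (( last_login > max_age_login )); then
        out_string="[!] last ssh log in ${last_login} days ago"
        delete_user=1
      else
        out_string="OK [ssh]"
      fi
    fi
  elif [[ -n "${last_login_string}" && "${last_login_string}" != *"${search}"* ]]; then
    # the date starts at field 4 of the lastlog line (the layout above);
    # NOTE(review): an empty "From" column would shift the fields - unchanged
    # from the previous revision, a parse failure is reported rather than
    # counted as an absence
    last_login_date=$(to_epoch "$(awk '{for(i=4;i<=NF;++i)printf("%s%s",$i,FS)}' <<<"${last_login_string}")")
    if [[ -z "${last_login_date}" ]]; then
      out_string="[!!!] lastlog entry found but its date could not be parsed"
    else
      last_login=$(days_since "${last_login_date}")
      if (( last_login > max_age_login )); then
        out_string="[!] last terminal log in ${last_login} days ago"
        delete_user=1
      else
        out_string="OK [lastlog]"
      fi
    fi
  elif [[ -n "${user_create_date}" ]]; then
    # never logged in: judge by account age instead
    user_create_epoch=$(to_epoch "${user_create_date}")
    if [[ -z "${user_create_epoch}" ]]; then
      out_string="[!!!] Never logged in and create date '${user_create_date}' could not be parsed"
    else
      account_age=$(days_since "${user_create_epoch}")
      if (( account_age > max_age_create )); then
        out_string="[!] Never logged in, account created ${account_age} days ago"
        delete_user=1
      else
        out_string="OK [first login]"
      fi
    fi
  else
    out_string="[!!!] Never logged in and we have no create date"
  fi

  # build the delete output; commands are only printed, never executed here
  if (( delete_user == 1 )); then
    # shellcheck disable=SC2059 -- user_group_tpl is a constant printf format
    delete_accounts+=$(printf "${user_group_tpl}" "${username}" "${ssh_group}" "${username}" "${ssh_reject_group}")$'\n'
  fi
  printf "* Checking user %-20s: %s\n" "${username}" "${out_string}"
}

main() {
  local ssh_group username members user_list

  (( EUID == 0 )) || die "Script must be run as root user"
  [[ -d "${LOG}" ]] || die "log folder ${LOG} not found"

  # %M is minutes; %m would be the month
  LOG="${LOG}/check_ssh_user.$(date +"%F_%H%M%S").log"
  # duplicate everything printed from here on into the log file
  exec &> >(tee -a "${LOG}")

  echo "[START] =============>"
  echo "Hostname : $(hostname)"
  echo "Run date : $(date +"%F %T")"
  echo "Max age last login: ${max_age_login} days"
  echo "Max age no login : ${max_age_create} days"

  for ssh_group in "${ssh_groups[@]}"; do
    echo "--------------------->"
    echo "Checking Group : ${ssh_group}"
    if ! members=$(group_members "${ssh_group}"); then
      echo "[!] Group ${ssh_group} not found"
      continue
    fi
    IFS=',' read -r -a user_list <<<"${members}"
    for username in "${user_list[@]}"; do
      [[ -n "${username}" ]] || continue
      check_user "${username}" "${ssh_group}"
    done
  done

  echo "--------------------->"
  echo "Showing current SSH Reject users:"
  if members=$(group_members "${ssh_reject_group}"); then
    IFS=',' read -r -a user_list <<<"${members}"
    for username in "${user_list[@]}"; do
      [[ -n "${username}" ]] || continue
      echo "${username}"
    done
  else
    echo "[!] Group ${ssh_reject_group} not found"
  fi

  if [[ -n "${delete_accounts}" ]]; then
    echo "--------------------->"
    echo "% Run list below to move users to reject ssh group"
    echo ""
    echo "${delete_accounts}"
  fi
  echo "[END] ===============>"
}

main "$@"
# __END__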