Clemens Schwaighofer 27516a6474 Add auth data collector and update check last login script
Auth data collector reading either the systemd journal or, as a fallback, /var/log/secure
(old Amazon V1).

Use this as primary last login source in check last login script
2022-11-21 16:38:54 +09:00


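#!/usr/bin/env bash
#
# collect_login_data.sh - collect the last login timestamp per user.
#
# Reads session-open events from the systemd journal (systemd-logind
# "New session" lines) or, on a system without systemd, from the classic
# syslog auth log (/var/log/secure, else /var/log/auth.log), and keeps one
# "<user>;<YYYY-MM-DD HH:MM:SS>" line per user in ../auth-log/user_auth.log
# relative to this script. A user already in the file gets the date of the
# newest event seen; new users are appended.
#
# Usage: collect_login_data.sh [FULL]
#   FULL  scan the whole log instead of only yesterday's entries.
#
# Must run as root (the journal / auth log are not world readable).
# Requires GNU date (-d) and GNU readlink (-f).

set -u

#######################################
# Print a diagnostic to stderr.
# Arguments: message parts
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Record a login in the auth log file: replace the date of an existing
# "<user>;..." line or append a new "<user>;<date>" line.
# Arguments:
#   $1 - username
#   $2 - login timestamp as "YYYY-MM-DD HH:MM:SS"
#   $3 - path of the auth log file
# Returns: 0 on success, 1 on an unexpected username or a write failure
#######################################
record_login() {
  local user=$1 when=$2 log=$3
  local tmp rc=0
  # Only accept the character set a system account name can use; anything
  # else is a malformed log line and must not end up in the data file.
  if [[ ! "${user}" =~ ^[A-Za-z0-9._@-]+$ ]]; then
    warn "skipping login entry with unexpected username: ${user}"
    return 1
  fi
  tmp=$(mktemp) || return 1
  # Compare the first field as a plain string (the "" concatenation forces a
  # string compare) instead of using the username as a grep/sed pattern, so
  # "bob" never matches "jobob;..." and no character is special.
  awk -F';' -v OFS=';' -v u="${user}" -v d="${when}" \
    '$1 == u "" { $2 = d; seen = 1 } { print } END { if (!seen) print u, d }' \
    "${log}" > "${tmp}" || rc=$?
  if (( rc == 0 )); then
    # rewrite through the existing inode so owner and mode of the log stay
    cat -- "${tmp}" > "${log}" || rc=$?
  fi
  rm -f -- "${tmp}"
  return "${rc}"
}

#######################################
# Collect logins from the systemd journal (systemd-logind "New session").
# Arguments:
#   $1 - 1 to scan the whole journal, 0 for yesterday only
#   $2 - path of the auth log file
#######################################
collect_from_journal() {
  local full_log=$1 auth_log=$2
  local -a jargs=(-u systemd-logind --no-pager -o short-iso)
  if (( full_log == 0 )); then
    # window is yesterday 00:00 up to today 00:00 (-U is exclusive)
    jargs+=(-S "$(date +%F -d '1 day ago')" -U "$(date +%F)")
  fi
  local line stamp user when
  # short-iso output carries the year, e.g.
  # 2022-11-21T14:15:46+0900 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
  journalctl "${jargs[@]}" | grep -- ": New session" |
  while IFS= read -r line; do
    stamp=${line%% *}
    user=${line##* }   # last word is "<username>."
    user=${user%.}     # strip the trailing full stop only, dots inside a name stay
    if ! when=$(date -d "${stamp}" +'%F %T'); then
      warn "cannot parse timestamp: ${stamp}"
      continue
    fi
    record_login "${user}" "${when}" "${auth_log}"
  done
}

#######################################
# Collect logins from the syslog auth log (pam_unix "session opened").
# Arguments:
#   $1 - 1 to scan the whole log, 0 for yesterday only
#   $2 - path of the auth log file
# Returns: 1 if no auth log file is readable
#######################################
collect_from_syslog() {
  local full_log=$1 auth_log=$2
  local log_file
  if [[ -r /var/log/secure ]]; then
    log_file=/var/log/secure
  elif [[ -r /var/log/auth.log ]]; then
    log_file=/var/log/auth.log
  else
    warn "no readable auth log (/var/log/secure, /var/log/auth.log)"
    return 1
  fi
  # Classic syslog timestamps carry no year. Yesterday's year is exact for
  # the default window; in FULL mode older entries get this year too.
  local year
  year=$(date +%Y -d '1 day ago')
  local -a reader=(cat --)
  if (( full_log == 0 )); then
    # "%b %e" is the space padded day syslog writes, e.g. "Nov  1"
    reader=(grep -F -- "$(date +'%b %e' -d '1 day ago')")
  fi
  local line mon day time _discard rest user when
  # Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
  "${reader[@]}" "${log_file}" | grep -- ": session opened for user" |
  while IFS= read -r line; do
    read -r mon day time _discard <<< "${line}"
    rest=${line#*: session opened for user }
    user=${rest%% *}   # "<user>" or "<user>(uid=N)"
    user=${user%%(*}
    if ! when=$(date -d "${mon} ${day} ${year} ${time}" +'%F %T'); then
      warn "cannot parse timestamp: ${mon} ${day} ${time}"
      continue
    fi
    record_login "${user}" "${when}" "${auth_log}"
  done
}

#######################################
# Entry point.
# Arguments: $1 - optional "FULL" to scan the whole log
#######################################
main() {
  if (( EUID != 0 )); then
    warn "Must be run as root or with sudo command"
    exit 1
  fi
  local script_path base_folder auth_log run_full_log=0
  script_path=$(readlink -f -- "$0") || exit 1
  base_folder=$(dirname -- "${script_path}")
  auth_log="${base_folder}/../auth-log/user_auth.log"
  if [[ ! -f "${auth_log}" ]]; then
    touch -- "${auth_log}" || { warn "cannot create ${auth_log}"; exit 1; }
  fi
  if [[ "${1:-}" == "FULL" ]]; then
    printf '%s\n' "[!!!] Run through all log files to collect data"
    run_full_log=1
  fi
  # sd_booted(3): a systemd-booted system has /run/systemd/system
  if [[ -d /run/systemd/system ]] && command -v journalctl >/dev/null; then
    collect_from_journal "${run_full_log}" "${auth_log}"
  else
    collect_from_syslog "${run_full_log}" "${auth_log}"
  fi
}

main "$@"
# __END__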