ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
39da44b546fd1cdd7cb0cbf867b368aee26253ed
ServerUserCreate/bin/collect_login_data.sh

142 lines
4.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# * check we are root
# if we are not root, bail out
# if [ $(whoami) != "root" ]; then
if [[ "$EUID" -ne "0" ]]; then
echo "Must be run as root or with sudo command";
exit;
fi;
# base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# auth log file
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ ! -f "${AUTH_LOG}" ]; then
touch "${AUTH_LOG}";
fi;
# debug flag
DEBUG=0;
# check all logs flag
RUN_FULL_LOG=0;
# option parsing
while getopts ":fd" opt; do
case "${opt}" in
f|full)
echo "[!!!] Run through all log files to collect data";
RUN_FULL_LOG=1;
;;
d|deubg)
DEBUG=1;
;;
esac;
done;
function prD()
{
message="${1}";
debug=${2:-0};
lb_off=${3:-0};
if [ ${debug} -eq 1 ]; then
if [ ${lb_off} -eq 1 ]; then
echo -n "${message}";
else
echo "${message}";
fi;
fi;
}
function parseLog()
{
# do we have a key entry, if not add new with last log date
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
line="${1}";
auth_log="${2}";
start_year="${3}";
logger="${4}";
debug=${5:-0};
#prD "Line: $line" ${debug};
# auth user has . at the end, remove that one
if [ "${logger}" = "systemd" ]; then
# 2022-11-18T20:04:08+0900
auth_date=$(echo "${line}" | cut -d " " -f 1);
# Note, instead of cut with dot, remove last dot in line
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | sed -e "s/\.$//");
else
auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
fi;
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
prD "${msg}" ${debug} 1;
# find auth user in current auth file
# if not there attach, else replace date only
found=$(grep "${auth_user};" "${auth_log}");
if [ -z "${found}" ]; then
prD " | Write new" ${debug};
echo "${auth_user};${auth_date}" >> "${auth_log}";
else
prD " | Replace old" ${debug};
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
fi;
}
printf -v msg "Run date: %s %s" $(date +"%F %T")
prD "${msg}" ${DEBUG};
# Collector script for login information via journalctl
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
readonly init_version=$(/proc/1/exe --version | head -n 1);
if [ -z "${init_version##*systemd*}" ]; then
LOG_TARGET="systemd";
# for journalctl
START_DATE=$(date +%F -d "1 day ago");
END_DATE=$(date +%F);
OPT_START_DATE='';
if [ $RUN_FULL_LOG -eq 0 ]; then
OPT_START_DATE="-S ${START_DATE}";
OPT_END_DATE="-U ${END_DATE}";
fi;
# READ as other format so we get the YEAR -o short-iso
START_YEAR=$(date +%Y -d "1 day ago");
journalctl -u systemd-logind --no-pager -o short-iso ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
while read line; do
# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
# date: 5 chars
# time: 8 chars
# hostname
# systemd-logind pid ...
# " of user <username>"
# we want date + time + username
# prefix year with start date year
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
else
LOG_TARGET="syslog";
# for secure/auth log
if [ $RUN_FULL_LOG -eq 1 ]; then
# we loop over EACH file and get the DATE so we can have the correct YEAR
for sfile in $(ls -1 /var/log/secure*bz2); do
tz=$(stat -c %Z "${sfile}");
START_YEAR=$(date +%Y -d @${tz});
bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
done;
# read all
START_DATE="sshd"
fi;
START_YEAR=$(date +%Y -d "1 day ago");
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
fi;
# __END__
Reference in New Issue View Git Blame Copy Permalink