101 lines
2.8 KiB
Bash
Executable File
101 lines
2.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# * check we are root
|
|
# if we are not root, bail out
|
|
# if [ $(whoami) != "root" ]; then
|
|
if [[ "$EUID" -ne "0" ]]; then
|
|
echo "Must be run as root or with sudo command";
|
|
exit;
|
|
fi;
|
|
|
|
# base folder
|
|
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
|
# auth log file
|
|
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
|
|
if [ ! -f "${AUTH_LOG}" ]; then
|
|
touch "${AUTH_LOG}";
|
|
fi;
|
|
# run full log check flag
|
|
RUN_FULL_LOG=0;
|
|
if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
|
|
echo "[!!!] Run through all log files to collect data";
|
|
RUN_FULL_LOG=1;
|
|
fi;
|
|
|
|
function parseLog()
|
|
{
|
|
# do we have a key entry, if not add new with last log date
|
|
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
|
|
line="${1}";
|
|
auth_log="${2}";
|
|
debug="${3}";
|
|
START_YEAR=$(date +%Y -d "1 day ago");
|
|
|
|
# echo "L: $line";
|
|
|
|
auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
|
|
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
|
|
# auth user has . at the end, remove that one
|
|
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
|
|
|
|
# echo -n "USER: $auth_user | DATE: $auth_date";
|
|
|
|
# find auth user in current auth file
|
|
# if not there attach, else replace date only
|
|
found=$(grep "${auth_user};" "${auth_log}");
|
|
if [ -z "${found}" ]; then
|
|
# echo -n " | Write new";
|
|
echo "${auth_user};${auth_date}" >> "${auth_log}";
|
|
else
|
|
# echo -n " | Replace old";
|
|
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
|
|
fi;
|
|
# echo " [***]";
|
|
}
|
|
|
|
# Collector script for login information via journalctl
|
|
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
|
|
readonly init_version=$(/proc/1/exe --version | head -n 1);
|
|
if [ -z "${init_version##*systemd*}" ]; then
|
|
LOG_TARGET="systemd";
|
|
# for journalctl
|
|
START_DATE=$(date +%F -d "1 day ago");
|
|
END_DATE=$(date +%F);
|
|
OPT_START_DATE='';
|
|
if [ $RUN_FULL_LOG -eq 0 ]; then
|
|
OPT_START_DATE="-S ${START_DATE}";
|
|
OPT_END_DATE="-U ${END_DATE}";
|
|
fi;
|
|
journalctl -u systemd-logind --no-pager ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
|
|
while read line; do
|
|
# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
|
|
# date: 5 chars
|
|
# time: 8 chars
|
|
# hostname
|
|
# systemd-logind pid ...
|
|
# " of user <username>"
|
|
# we want date + time + username
|
|
# prefix year with start date year
|
|
parseLog "${line}" "${AUTH_LOG}" 0;
|
|
done;
|
|
else
|
|
LOG_TARGET="syslog";
|
|
# for secure/auth log
|
|
if [ $RUN_FULL_LOG -eq 1 ]; then
|
|
bunzip2 -ck /var/log/secure*.bz2 | grep ": session opened for user" |
|
|
while read line; do
|
|
parseLog "${line}" "${AUTH_LOG}" 0;
|
|
done;
|
|
# read all
|
|
START_DATE="sshd"
|
|
else
|
|
START_DATE=$(date +"%b %e" -d "1 day ago")
|
|
fi;
|
|
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
|
|
while read line; do
|
|
parseLog "${line}" "${AUTH_LOG}" 0;
|
|
done;
|
|
fi;
|
|
|
|
# __END__
|