ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
87d53cdb13625c848883aa6ed806f5bef7ec5337
ServerUserCreate/bin/collect_login_data.sh
Clemens Schwaighofer 6e53d1bdec Update collector script with debug output, list rejected ssh users 
In the check script print out current rejected (not allowed) ssh users

Collect log info script has now debug output and proper options flags
2022-11-22 09:33:52 +09:00

141 lines
4.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# * check we are root
# if we are not root, bail out
# if [ $(whoami) != "root" ]; then
if [[ "$EUID" -ne "0" ]]; then
echo "Must be run as root or with sudo command";
exit;
fi;
# base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# auth log file
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ ! -f "${AUTH_LOG}" ]; then
touch "${AUTH_LOG}";
fi;
# debug flag
DEBUG=0;
# check all logs flag
RUN_FULL_LOG=0;
# option parsing
while getopts ":fd" opt; do
case "${opt}" in
f|full)
echo "[!!!] Run through all log files to collect data";
RUN_FULL_LOG=1;
;;
d|deubg)
DEBUG=1;
;;
esac;
done;
function prD()
{
message="${1}";
debug=${2:-0};
lb_off=${3:-0};
if [ ${debug} -eq 1 ]; then
if [ ${lb_off} -eq 1 ]; then
echo -n "${message}";
else
echo "${message}";
fi;
fi;
}
function parseLog()
{
# do we have a key entry, if not add new with last log date
# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
line="${1}";
auth_log="${2}";
start_year="${3}";
logger="${4}";
debug=${5:-0};
#prD "Line: $line" ${debug};
# auth user has . at the end, remove that one
if [ "${logger}" = "systemd" ]; then
# 2022-11-18T20:04:08+0900
auth_date=$(echo "${line}" | cut -d " " -f 1);
auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
else
auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
fi;
auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
prD "${msg}" ${debug} 1;
# find auth user in current auth file
# if not there attach, else replace date only
found=$(grep "${auth_user};" "${auth_log}");
if [ -z "${found}" ]; then
prD " | Write new" ${debug};
echo "${auth_user};${auth_date}" >> "${auth_log}";
else
prD " | Replace old" ${debug};
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
fi;
}
printf -v msg "Run date: %s %s" $(date +"%F %T")
prD "${msg}" ${DEBUG};
# Collector script for login information via journalctl
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
readonly init_version=$(/proc/1/exe --version | head -n 1);
if [ -z "${init_version##*systemd*}" ]; then
LOG_TARGET="systemd";
# for journalctl
START_DATE=$(date +%F -d "1 day ago");
END_DATE=$(date +%F);
OPT_START_DATE='';
if [ $RUN_FULL_LOG -eq 0 ]; then
OPT_START_DATE="-S ${START_DATE}";
OPT_END_DATE="-U ${END_DATE}";
fi;
# READ as other format so we get the YEAR -o short-iso
START_YEAR=$(date +%Y -d "1 day ago");
journalctl -u systemd-logind --no-pager -o short-iso ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
while read line; do
# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
# date: 5 chars
# time: 8 chars
# hostname
# systemd-logind pid ...
# " of user <username>"
# we want date + time + username
# prefix year with start date year
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
else
LOG_TARGET="syslog";
# for secure/auth log
if [ $RUN_FULL_LOG -eq 1 ]; then
# we loop over EACH file and get the DATE so we can have the correct YEAR
for sfile in $(ls -1 /var/log/secure*bz2); do
tz=$(stat -c %Z "${sfile}");
START_YEAR=$(date +%Y -d @${tz});
bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
done;
# read all
START_DATE="sshd"
fi;
START_YEAR=$(date +%Y -d "1 day ago");
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done;
fi;
# __END__
Reference in New Issue View Git Blame Copy Permalink