ScriptsCollections/AwsUserCreate
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add multiple groups to check last login script

Browse Source 
Currently fixed group names sshallow, sshforward and reject sshreject
This commit is contained in:
Clemens Schwaighofer
2022-12-01 06:43:43 +09:00
parent 6e53d1bdec
commit fe08fa10c2
2 changed files with 74 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Readme.md
View File

@@ -213,7 +213,7 @@ This script should be run every day via crontab as root:
0 1 * * * root /root/users/bin/collect_login_data.sh 0 1 * * * root /root/users/bin/collect_login_data.sh
``` ```
The script `check_last_login.sh` will go through the sshallow groups users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too. The script `check_last_login.sh` will go through the ssh allow groups (sshallow/sshforward) users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.
This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created. This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created.
@@ -222,5 +222,5 @@ Currently only information is printed out and no action is done itself.
The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended
```crontab ```crontab
0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "$(hostname): user account check" 0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "User Account check: $(hostname)"
``` ```

11
bin/check_last_login.sh
View File

@@ -5,8 +5,8 @@
# base folder # base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/"; BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# which group holds the ssh allowed login users (outside of admin users) # which groups holds the ssh allowed login users (outside of admin users)
ssh_group='sshallow'; ssh_groups=('sshforward' 'sshallow');
ssh_reject_group='sshreject'; ssh_reject_group='sshreject';
# date now for compare # date now for compare
now=$(date +"%s"); now=$(date +"%s");
@@ -38,8 +38,10 @@ echo "Hostname : "$(hostname);
echo "Run date : "$(date +"%F %T"); echo "Run date : "$(date +"%F %T");
echo "Max age last login: ${max_age_login} days"; echo "Max age last login: ${max_age_login} days";
echo "Max age no login : ${max_age_create} days"; echo "Max age no login : ${max_age_create} days";
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do for ssh_group in ${ssh_groups[@]}; do
# for user in clemens test42; do echo "--------------------->"
echo "Checking Group : ${ssh_group}";
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
account_age=0; account_age=0;
delete_user=0; delete_user=0;
out_string=""; out_string="";
@@ -110,6 +112,7 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n'; delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
fi; fi;
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}"; printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
done;
done; done;
echo "--------------------->" echo "--------------------->"
echo "Showing current SSH Reject users:" echo "Showing current SSH Reject users:"