User Check

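#!/bin/bash

#turn on debugging, -x starts, +x stops
set +x
#Script to check for new users/groups or deleted users/groups locally
#Written unknown author, unknown date, unspecified purpose

#Modified 20th August 2010 Andrew Stringer
#Purpose assumed to be to test for user additions/deletions, suspect logins
#Review changes: one pattern shared by the alert test and the mail body,
#temp file from mktemp, date anchored to line start, tamper.sh only run
#when the cd into /etc/ssh succeeds, unreadable log reported instead of
#silently treated as "no activity".

#Example lines from /var/log/secure
#Aug 20 08:12:55 gy--mon01 sshd[4470]: Accepted password for astringer from ::ffff:10.28.161.43 port 62538 ssh2
#Aug 20 08:13:06 gy--mon01 sudo: astringer : TTY=pts/0 ; PWD=/home/astringer ; USER=root ; COMMAND=/bin/su -l
#Aug 20 11:31:13 gy--mon01 sshd[1034]: Accepted publickey for scope from ::ffff:10.28.160.15 port 51438 ssh2
#Aug 20 11:31:13 gy--mon01 sshd[1032]: Accepted publickey for scope from ::ffff:10.28.160.15 port 51438 ssh2
#Aug 20 11:53:21 gy--mon01 useradd[9128]: new group: name=testaccount, gid=11112
#Aug 20 11:53:21 gy--mon01 useradd[9128]: new user: name=testaccount, uid=11112, gid=11112, home=/home/testaccount, shell=/bin/bash
#Aug 20 11:54:32 gy--mon01 userdel[10615]: delete user `testaccount'
#Aug 20 11:54:32 gy--mon01 userdel[10615]: remove group `testaccount'
#Aug 20 09:51:15 gy--cms01 sshd[28429]: Failed password for invalid user rgs_ftp from ::ffff:172.27.208.30 port 30902 ssh2


SECLOG=/var/log/secure
#SECLOG=/root/scripts/test.log
MAILTO=ww-noc@domain.com
HOST=$(hostname -s)

#Single pattern for BOTH the alert test and the report body. Previously the
#body grep omitted "fail", so a failed password for an existing account
#raised the alert but the matching line never made it into the mail.
PATTERN='useradd\|userdel\|invalid\|fail'

#Use %e to have space padded dates, eg. ' 1' or '23', %d gives '01' or '23'
#secure log file uses dates like ' 2' not '02'
#DAY=`date +%b" "%d`
DAY=$(date +%b" "%e)

#Overall exit status: non-zero only when a check could not be performed.
#tamper.sh's own status is still not propagated (unchanged from before).
rc=0

if [ ! -r "${SECLOG}" ]; then
        #grep would exit 2 here and the old test treated that the same as
        #"nothing found"; an unreadable log means the check did not run.
        echo "usercheck: cannot read ${SECLOG}" >&2
        rc=1
#Anchor the date to the start of the line: every secure-log entry begins with
#it, and this stops a date string inside a message body from matching.
elif grep -- "^${DAY} " "${SECLOG}" | grep -iq -- "${PATTERN}"; then
        #mktemp rather than /tmp/user.log-$$: a PID-based name is guessable
        #and could be pre-created (or symlinked) by another local user.
        TMPLOG=$(mktemp /tmp/user.log.XXXXXX) || exit 1
        trap 'rm -f -- "${TMPLOG}"' EXIT

        {
                echo "Suspicious account activity detected!"
                echo "*************************************"
                echo "Check ${SECLOG} on ${HOST} to investigate failed logins or user addition or deletion."
                echo " "
                grep -- "^${DAY} " "${SECLOG}" | grep -i -- "${PATTERN}"
        } > "${TMPLOG}"

        mailx -s "Suspicious account activity - ${HOST}" "${MAILTO}" < "${TMPLOG}"

        #debug - echo mailmsg
        #cat ${TMPLOG}

        #Temp file is removed by the EXIT trap above.
fi

# call security script to check for file modification on sshd_config file.
# script tamper.sh is in /etc/ssh directory
# The cd is guarded: unconditional "cd; ./tamper.sh" would, on a failed cd,
# execute ./tamper.sh from whatever directory the caller started in.
if cd /etc/ssh/; then
        ./tamper.sh
else
        echo "usercheck: cannot cd to /etc/ssh, tamper.sh not run" >&2
        rc=1
fi

exit "${rc}"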
