User Check


#turn on debugging, -x starts, +x stops
set +x
#Script to check for new users/groups or deleted users/groups locally
#Written unknown author, unknown date, unspecified purpose

#Modified 20th August 2010 Andrew Stringer
#Purpose assumed to be to test for user additions/deletions, suspect logins

#Example lines from /var/log/secure
#Aug 20 08:12:55 gy--mon01 sshd[4470]: Accepted password for astringer from ::ffff: port 62538 ssh2
#Aug 20 08:13:06 gy--mon01 sudo: astringer : TTY=pts/0 ; PWD=/home/astringer ; USER=root ; COMMAND=/bin/su -l
#Aug 20 11:31:13 gy--mon01 sshd[1034]: Accepted publickey for scope from ::ffff: port 51438 ssh2
#Aug 20 11:31:13 gy--mon01 sshd[1032]: Accepted publickey for scope from ::ffff: port 51438 ssh2
#Aug 20 11:53:21 gy--mon01 useradd[9128]: new group: name=testaccount, gid=11112
#Aug 20 11:53:21 gy--mon01 useradd[9128]: new user: name=testaccount, uid=11112, gid=11112, home=/home/testaccount, shell=/bin/bash
#Aug 20 11:54:32 gy--mon01 userdel[10615]: delete user `testaccount'
#Aug 20 11:54:32 gy--mon01 userdel[10615]: remove group `testaccount'
#Aug 20 09:51:15 gy--cms01 sshd[28429]: Failed password for invalid user rgs_ftp from ::ffff: port 30902 ssh2


#Use %e to have space padded dates, eg. ' 1' or '23', %d gives '01' or '23'
#secure log file uses dates like ' 2' not '02'
#DAY=`date +%b" "%d`
DAY=`date +%b" "%e`

grep "${DAY}" ${SECLOG} | grep -i "useradd\|userdel\|invalid\|fail" 1> /dev/null

#echo ${TRIGGER}

if [ ${TRIGGER} -eq 0 ];
        echo "Suspicious account activity detected!" > ${TMPLOG};
        echo "*************************************" >> ${TMPLOG};
        echo "Check ${SECLOG} on `hostname -s` to investigate failed logins or user addition or deletion." >> ${TMPLOG};
        echo " " >> ${TMPLOG};

        grep "${DAY}" ${SECLOG} | grep -i "useradd\|userdel\|invalid"  >> ${TMPLOG};

        mailx -s "Suspicious account activity - `hostname -s`" < ${TMPLOG}

        #debug - echo mailmsg
        #cat ${TMPLOG}

        #Clean up tmp files
        rm ${TMPLOG}

# call security script to check for file modification on sshd_config file.
# script is in /etc/ssh directory
cd /etc/ssh/

exit 0

rb/usercheck.txt · Last modified: 15/08/2018 23:49 by andrew