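#!/usr/bin/ksh
###############################################################
# Description: Script to report successful and un-successful
#              login attempts on any given server
#
# NOTE:
# This was originally a script called "audit" by a guy named Kevin Tuitt.
# A great script but ran for about a half an hour. I modified it a bit.
# It now runs in about five minutes (depends on the server you're using).
#
# Doug Burton - 4/15/2003
#
# Check logins every night at 11:50pm.
# 50 23 * * * /usr/local/bin/chk_logins
#
# NOTE(review): every section is filtered on today's date, so anything
# recorded between the 23:50 cron run and midnight never appears in any
# report -- confirm that gap is acceptable for this host.
#
# The report only covers what last/lastb read from the wtmp/btmp records
# and what sulog/xferlog contain; a service that does not write those
# files is invisible here.
#
# http://home.tampabay.rr.com/batcave/
###############################################################
set -u   # an unset variable is a scripting error, not an empty report

MAILTO="root"

###### Temp files ######
# Work directory: a fresh, private (umask 077) directory per run.
# The tilde in the old "~/tmp" was inside double quotes and was never
# expanded, so the snapshots landed under a literal "~" directory.
# mkdir without -p refuses to reuse an existing path, so a pre-planted
# directory or symlink aborts the run instead of redirecting where the
# snapshots are written.
TEMPBASE="$HOME/tmp"                 ### A nice place to put files.
TEMPDIR="$TEMPBASE/chk_logins.$$"
umask 077
[ -d "$TEMPBASE" ] || mkdir -- "$TEMPBASE" || exit 1
mkdir -- "$TEMPDIR" || exit 1
# Remove the snapshots on every exit path, including failures and signals.
trap 'rm -rf -- "$TEMPDIR"' EXIT

# Snapshot the login records once; the -R variants omit the host column.
lastb    > "$TEMPDIR/lastbfile"  &
lastb -R > "$TEMPDIR/lastbrfile" &
last     > "$TEMPDIR/lastfile"   &
last -R  > "$TEMPDIR/lastrfile"
wait   # the three background snapshots must be complete before they are read

###### Date info ######
LASTDATE=$(date '+%a %b %Oe')   # day stamp as printed by last/lastb/xferlog
SUDATE=$(date '+%m/%d')         # day stamp as printed in sulog

###### The Stuff ######

#######################################
# Today's lines from a snapshot file that mention (or, with -v, do not
# mention) a user or service name.
# Globals:   LASTDATE (read)
# Arguments: $1 - snapshot file
#            $2 - name to look for, e.g. root or ftp
#            $3 - "-v" to select the lines that do NOT mention it, else ""
# Outputs:   matching lines on stdout
# NOTE(review): the name is matched as a substring anywhere on the line
# (as the original did), so "root" also hits a host or tty containing it;
# anchoring on the user column would need the exact last/lastb layout.
#######################################
function today_lines {
  grep -- "$LASTDATE" "$1" | grep ${3:+"$3"} -- "$2"
}

#######################################
# Print a count line, then the matching lines, or an optional message
# when there are none.
# Arguments: $1 - printf format for the count line; one %s takes the count
#            $2 - snapshot file
#            $3 - name to look for
#            $4 - "-v" to report the lines NOT mentioning the name, else ""
#            $5 - text printed when the count is 0 ("" prints nothing)
# Outputs:   the report section on stdout
#######################################
function report_matches {
  typeset fmt=$1 file=$2 name=$3 invert=$4 empty=$5
  typeset n
  n=$(today_lines "$file" "$name" "$invert" | grep -c .)
  # shellcheck disable=SC2059 -- fmt is a literal from this script, never data
  printf "$fmt" "$n"
  if [ "$n" -gt 0 ]; then
    # Print the lines directly: the old echo "$(...)" let ksh's echo
    # interpret backslashes inside user or host names.
    today_lines "$file" "$name" "$invert"
  elif [ -n "$empty" ]; then
    printf '%s\n' "$empty"
  fi
}

header () {
  printf '\n\nStarting user audit on : %s\n\n' "$(date)"
  printf 'User Audit on Host : %s\n' "$(uname -n)"
} # End header

login_totals () {
  printf 'Number of Failed Logins : %s\n' "$(grep -c -- "$LASTDATE" "$TEMPDIR/lastbfile")"
  printf 'Number of Successful Logins : %s\n' "$(grep -c -- "$LASTDATE" "$TEMPDIR/lastfile")"
  printf '%s\n' "==============================================================="
} # End login_totals

failed_root_logins () {
  printf '***** Login Report *****\n\n'
  report_matches 'Failed root login attempts : %s\n\n' "$TEMPDIR/lastbrfile" root "" ""
  printf '%s\n' "----------------------------------"
} # End failed_root_logins

failed_other_logins () {
  report_matches 'Failed other login attempts : %s \n\n' "$TEMPDIR/lastbrfile" root -v ""
  printf '%s\n' "----------------------------------"
} # End failed_other_logins

ok_root_logins () {
  report_matches 'Successful root logins : %s \n\n' "$TEMPDIR/lastrfile" root "" " --> nothing to report <--"
  printf '%s\n' "----------------------------------"
} # End ok_root_logins

ok_other_logins () {
  report_matches 'Successful other logins : %s \n\n' "$TEMPDIR/lastrfile" root -v " --> nothing to report <--"
  printf '%s\n' "==============================================================="
} # End ok_other_logins

ftp_report () {
  printf '***** FTP Report *****\n\n'
  report_matches 'Failed ftp login attempts : %s \n\n' "$TEMPDIR/lastbrfile" ftp "" ""
  printf '%s\n' "----------------------------------"
  report_matches 'Successful ftp logins : %s \n\n' "$TEMPDIR/lastrfile" ftp "" ""
  printf '%s\n' "----------------------------------"
  printf 'Files transfered by FTP\n\n'
  # Say so inside the report when the log is unreadable; grep's stderr
  # would otherwise go to cron rather than into the mailed report.
  if [ -r /var/adm/syslog/xferlog ]; then
    grep -- "$LASTDATE" /var/adm/syslog/xferlog
  else
    printf '%s\n' " --> /var/adm/syslog/xferlog not readable <--"
  fi
  printf '%s\n' "==============================================================="
} # end of ftp_report

su_report () {
  printf '***** SU Report *****\n\n'
  if [ -r /var/adm/sulog ]; then
    grep -- "$SUDATE" /var/adm/sulog
  else
    printf '%s\n' " --> /var/adm/sulog not readable <--"
  fi
  printf '%s\n' "==============================================================="
} # End su_report

remshd_report () {
  printf '***** REMSHD Report *****\n\n'
  report_matches 'Failed remshd login attempts : %s \n\n' "$TEMPDIR/lastbrfile" remshd "" ""
  printf '%s\n' "----------------------------------"
  report_matches 'Successful remshd logins : %s \n\n' "$TEMPDIR/lastrfile" remshd "" ""
  printf '%s\n' "==============================================================="
} # End remshd_report

rexecd_report () {
  printf '***** REXECD Report *****\n\n'
  report_matches 'Failed rexecd login attempts : %s \n\n' "$TEMPDIR/lastbrfile" rexecd "" ""
  printf '%s\n' "----------------------------------"
  report_matches 'Successful rexecd logins : %s\n\n' "$TEMPDIR/lastrfile" rexecd "" ""
  printf '%s\n' "==============================================================="
} # End rexecd_report

console_report () {
  printf '***** CONSOLE Report *****\n\n'
  report_matches 'Failed console login attempts : %s \n\n' "$TEMPDIR/lastbrfile" console "" ""
  printf '%s\n' "----------------------------------"
  report_matches 'Successful console logins : %s \n\n' "$TEMPDIR/lastrfile" console "" ""
  printf '%s\n' "==============================================================="
} # End console_report

boot_report () {
  printf '***** BOOT Report *****\n\n'
  report_matches 'reboots : %s \n\n' "$TEMPDIR/lastrfile" boot "" ""
  printf '%s\n' "------------------------- Report ends -------------------------"
} # End boot_report

# Assemble the whole report, in the order it is mailed.
stuff () {
  header
  login_totals
  failed_root_logins
  ok_root_logins
  failed_other_logins
  ok_other_logins
  ftp_report
  su_report
  remshd_report
  rexecd_report
  console_report
  boot_report
} # End stuff

stuff | mailx -s "$(uname -n): Auditing information" "$MAILTO"
# The snapshot directory is removed by the EXIT trap set above.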