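#!/bin/bash
# Scans the system auth log and mails a report of SSH logins and sudo usage:
# one CSV per user for each category, bundled into two tarballs.
#
# All settings come from the environment so that no credential is stored in
# this file (the original embedded the SMTP password in the script and on the
# mailx command line):
#   SSH_LOGFILE         auth log to scan (default: /var/log/secure)
#   MAIL_TO             report recipient (required; the original passed none)
#   MAIL_FROM           sender address (required)
#   SMTP_SERVER         host[:port] for -S smtp= (default: domain.com:25)
#   SMTP_AUTH_USER      SMTP login name (required)
#   SMTP_AUTH_PASSWORD  SMTP password (required)
#   SMTP_SSL_VERIFY     mailx ssl-verify mode (default: strict; the original
#                       used "ignore", i.e. no certificate verification)
#
# Log-line layout assumed throughout (rsyslog default):
#   Mon DD HH:MM:SS host sudo: user : TTY=pts/0 ; PWD=/d ; USER=root ; COMMAND=/bin/ls
#   Mon DD HH:MM:SS host sshd[pid]: Accepted password for user from 1.2.3.4 port 22 ssh2
# A PWD containing spaces shifts the COMMAND field; that limitation is kept
# from the original field-14 extraction.
set -euo pipefail

SSH_LOGFILE=${SSH_LOGFILE:-/var/log/secure}
SMTP_SERVER=${SMTP_SERVER:-domain.com:25}
SMTP_SSL_VERIFY=${SMTP_SSL_VERIFY:-strict}
readonly SSH_LOGFILE SMTP_SERVER SMTP_SSL_VERIFY

# Set by main(); the EXIT trap removes it on every exit path.
WORKDIR=

#######################################
# Prints a message to stderr and exits with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Removes the working directory, if one was created.
# Globals: WORKDIR (read)
#######################################
cleanup() {
  if [[ -n "${WORKDIR:-}" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Accepts a log-derived user name only if it is safe to use as a file name
# (no path separators, whitespace or shell-significant characters).
# Arguments: $1 - user name
# Returns:   0 if acceptable, 1 otherwise
#######################################
safe_name() {
  [[ $1 =~ ^[[:alnum:]._@-]+$ ]]
}

#######################################
# Prints the unique users who ran sudo, one per line.
# Same filter as the original grep chain: "sudo:" lines that are neither
# pam_unix session records nor rejected commands; field 6 is the invoking user.
# Arguments: $1 - auth log path
# Outputs:   user names on stdout
#######################################
list_sudo_users() {
  local logfile=$1
  awk '/sudo:/ && !/pam_unix/ && !/command not allowed/ { print $6 }' "$logfile" \
    | LC_ALL=C sort -u
}

#######################################
# Prints "HH:MM:SS,command" for each sudo command run by one user.
# The name is passed via the environment (not -v, which interprets backslash
# escapes) and compared with == rather than spliced into a regex: the original
# pattern matched "bob" inside "bobby" and broke on regex metacharacters.
# Arguments: $1 - auth log path; $2 - user name
# Outputs:   CSV lines on stdout
#######################################
sudo_commands_for_user() {
  local logfile=$1
  REPORT_USER=$2 awk '
    /sudo:/ && !/pam_unix/ && !/command not allowed/ &&
    /TTY=/ && /USER=/ && /COMMAND=/ && $6 == ENVIRON["REPORT_USER"] {
      cmd = $14
      for (i = 15; i <= NF; i++) cmd = cmd " " $i
      sub(/^COMMAND=/, "", cmd)
      print $3 "," cmd
    }' "$logfile"
}

#######################################
# Prints the unique users with an accepted SSH login, one per line.
# Arguments: $1 - auth log path
# Outputs:   user names on stdout
#######################################
list_ssh_users() {
  local logfile=$1
  awk '/Accepted/ { print $9 }' "$logfile" | LC_ALL=C sort -u
}

#######################################
# Prints "HH:MM:SS,source-ip" for each accepted login of one user.
# Arguments: $1 - auth log path; $2 - user name
# Outputs:   CSV lines on stdout
#######################################
ssh_logins_for_user() {
  local logfile=$1
  REPORT_USER=$2 awk '/Accepted/ && $9 == ENVIRON["REPORT_USER"] { print $3 "," $11 }' \
    "$logfile"
}

#######################################
# Mails both report tarballs to MAIL_TO.
# NOTE: -S smtp-auth-password= still exposes the secret in the process list
# while mailx runs; mailx implementations that honour MAILRC can take the same
# settings from a mode-0600 resource file instead.
# Globals:   MAIL_FROM, MAIL_TO, SMTP_SERVER, SMTP_AUTH_USER,
#            SMTP_AUTH_PASSWORD, SMTP_SSL_VERIFY (read)
# Arguments: $1 - login report tarball; $2 - sudo report tarball
#######################################
send_report() {
  local login_report=$1
  local sudo_report=$2
  printf '%s\n' 'SSH Reports are attached' | mailx \
    -r "$MAIL_FROM" \
    -s 'SSH REPORTS and USAGE' \
    -a "$login_report" \
    -a "$sudo_report" \
    -S smtp="$SMTP_SERVER" \
    -S smtp-auth=login \
    -S smtp-auth-user="$SMTP_AUTH_USER" \
    -S smtp-auth-password="$SMTP_AUTH_PASSWORD" \
    -S ssl-verify="$SMTP_SSL_VERIFY" \
    "$MAIL_TO"
}

#######################################
# Builds the per-user CSVs in a private temp dir (not predictable /tmp names),
# tars them and sends the mail.
# Globals: SSH_LOGFILE (read), WORKDIR (written)
#######################################
main() {
  : "${MAIL_TO:?set MAIL_TO to the report recipient}"
  : "${MAIL_FROM:?set MAIL_FROM to the sender address}"
  : "${SMTP_AUTH_USER:?set SMTP_AUTH_USER}"
  : "${SMTP_AUTH_PASSWORD:?set SMTP_AUTH_PASSWORD in the environment}"
  [[ -r "$SSH_LOGFILE" ]] || die "cannot read log file: $SSH_LOGFILE"

  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT
  # One directory per category so the tar step works even when a list is empty.
  mkdir -p -- "$WORKDIR/sudo" "$WORKDIR/logins"

  local user
  while IFS= read -r user || [[ -n "$user" ]]; do
    if ! safe_name "$user"; then
      printf 'skipping sudo user with unexpected name: %q\n' "$user" >&2
      continue
    fi
    sudo_commands_for_user "$SSH_LOGFILE" "$user" \
      > "$WORKDIR/sudo/${user}_SSH_DETAILS.csv"
  done < <(list_sudo_users "$SSH_LOGFILE")

  # The original loop reused $SUDO_USER here and read its list from stdin
  # instead of the login list; both are fixed by iterating the SSH users.
  while IFS= read -r user || [[ -n "$user" ]]; do
    if ! safe_name "$user"; then
      printf 'skipping ssh user with unexpected name: %q\n' "$user" >&2
      continue
    fi
    ssh_logins_for_user "$SSH_LOGFILE" "$user" \
      > "$WORKDIR/logins/${user}_SSH_LOGINS.csv"
  done < <(list_ssh_users "$SSH_LOGFILE")

  local login_report="$WORKDIR/ssh_login_reports.tar.gz"
  local sudo_report="$WORKDIR/sudo_user_reports.tar.gz"
  tar -czf "$login_report" -C "$WORKDIR" logins || die "tar failed: logins"
  tar -czf "$sudo_report" -C "$WORKDIR" sudo || die "tar failed: sudo"

  send_report "$login_report" "$sudo_report" || die "mailx failed"
}

main "$@"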