niltonvasques/audit_ssh_logins.sh

## audit_ssh_logins.sh
#!/bin/bash

# ssh_sha256_owners.txt file should be generated by finding the SHA256 fingerprint
# for each line present inside .ssh/authorized_keys with
# ssh-keygen -lf /tmp/user_key.pub >> ssh_sha256_owners.txt

RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
EMPTY="                                                                                           "

AUTH_FILE=/var/log/auth.log*

LOGINS=$(grep 'Accepted publickey' $AUTH_FILE)

while IFS= read -r line
do
        echo "$line"
        key=$(echo "$line" | grep "SHA256.*" -o)
        grep $key ssh_sha256_owners.txt --color=auto
done < <(printf '%s\n' "$LOGINS")

echo "All accepted keys found: "
LOGINS=$(grep 'Accepted publickey' $AUTH_FILE | grep "SHA256.*" -o | sort | uniq)
while IFS= read -r line
do
        echo "$line"
        grep "$line" ssh_sha256_owners.txt --color=auto
        if [ $? != 0 ]; then
                printf "${RED}SSH KEY NOT FOUND IN THE WHITELIST !!!${NC}\n"
        fi
done < <(printf '%s\n' "$LOGINS")
	#!/bin/bash

	# ssh_sha256_owners.txt file should be generated by finding the SHA256 fingerprint
	# for each line present inside .ssh/authorized_keys with
	# ssh-keygen -lf /tmp/user_key.pub >> ssh_sha256_owners.txt

	RED='\033[0;31m'
	GREEN='\033[0;32m'
	NC='\033[0m' # No Color
	EMPTY=" "

	AUTH_FILE=/var/log/auth.log*

	LOGINS=$(grep 'Accepted publickey' $AUTH_FILE)

	while IFS= read -r line
	do
	echo "$line"
	key=$(echo "$line" \| grep "SHA256.*" -o)
	grep $key ssh_sha256_owners.txt --color=auto
	done < <(printf '%s\n' "$LOGINS")

	echo "All accepted keys found: "
	LOGINS=$(grep 'Accepted publickey' $AUTH_FILE \| grep "SHA256.*" -o \| sort \| uniq)
	while IFS= read -r line
	do
	echo "$line"
	grep "$line" ssh_sha256_owners.txt --color=auto
	if [ $? != 0 ]; then
	printf "${RED}SSH KEY NOT FOUND IN THE WHITELIST !!!${NC}\n"
	fi
	done < <(printf '%s\n' "$LOGINS")