Created
December 18, 2013 14:33
user audit script
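#!/bin/bash
#
# User audit script: reports the password-expiry status of local accounts.
#
# Files written in the current directory (the previous run is kept as *.1):
#   $HOSTNAME.log - accounts with UID > UID_THRESHOLD whose password has an
#                   expiry date: UID, last login, expired / expires on ...
#   PWNEVER.log   - every other account that is not password-locked
#   list          - the account names read from /etc/passwd
#
# Must run as root: /etc/shadow and `chage -l` for other users cannot be
# read otherwise. Run it from a directory only root can write to, because
# all of the files above are created by fixed name in the current directory.
#
# `set -e` is deliberately not used: id, last, chage and grep legitimately
# return non-zero for some accounts and are checked individually instead.

# The report enumerates accounts and their password state, so the files are
# created readable by the owner only.
umask 077

readonly PWNEVER="PWNEVER.log"
readonly REPORT="$HOSTNAME.log"
# Accounts with a UID at or below this value are not date-checked; they are
# listed in PWNEVER.log together with the never-expiring accounts.
readonly UID_THRESHOLD=5

# Print a diagnostic on stderr so it never ends up inside the report files.
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

# Map an English month abbreviation (as printed by chage under LC_ALL=C)
# to its number; prints 0 for anything else.
month_to_number() {
  case "$1" in
    Jan) echo 1 ;;
    Feb) echo 2 ;;
    Mar) echo 3 ;;
    Apr) echo 4 ;;
    May) echo 5 ;;
    Jun) echo 6 ;;
    Jul) echo 7 ;;
    Aug) echo 8 ;;
    Sep) echo 9 ;;
    Oct) echo 10 ;;
    Nov) echo 11 ;;
    Dec) echo 12 ;;
    *) echo 0 ;;
  esac
}

main() {
  local user uid pw_field expiry_line expiry
  local exp_mon_name exp_day exp_year exp_month day_num
  local cur_year cur_month cur_day report_date
  local -a users=() login_words=()

  if [[ ! -r /etc/shadow ]]; then
    warn "cannot read /etc/shadow; run as root"
    exit 1
  fi

  # Create user list
  awk -F: '{print $1}' /etc/passwd > list
  mapfile -t users < list

  # Keep one generation of the previous reports.
  if [[ -f "$PWNEVER" ]]; then
    mv -- "$PWNEVER" "$PWNEVER.1"
  fi
  if [[ -f "$REPORT" ]]; then
    mv -- "$REPORT" "$REPORT.1"
  fi

  # Header line followed by a blank line; runs of spaces in the date are
  # squeezed to one.
  report_date=$(date | tr -s ' ')
  printf 'Report Date [ %s ] on %s\n\n' "$report_date" "$HOSTNAME" > "$REPORT"

  # Read today's date once, in numeric form, so it is locale-independent
  # and cannot change between fields or between accounts.
  read -r cur_year cur_month cur_day < <(date '+%Y %m %d')
  cur_month=$((10#$cur_month))   # 10# stops "08"/"09" being read as octal
  cur_day=$((10#$cur_day))

  # Loop through user list
  for user in "${users[@]}"; do
    [[ -n "$user" ]] || continue

    # Match the name field exactly; an unanchored grep for "a" or "root"
    # would also pick up other accounts' shadow lines.
    pw_field=$(awk -F: -v name="$user" '$1 == name {print $2; exit}' /etc/shadow)

    # A leading "!" marks a locked password; such accounts are left out of
    # both reports. NOTE(review): a locked password does not by itself stop
    # other login methods (e.g. SSH keys), so "skipped" is not "inactive".
    if [[ "${pw_field:0:1}" == "!" ]]; then
      continue
    fi

    if ! uid=$(id -u "$user" 2>/dev/null); then
      warn "cannot resolve UID for '$user'; skipped"
      continue
    fi

    # One chage call per account; LC_ALL=C keeps the label and the month
    # names in the form parsed below.
    expiry_line=$(LC_ALL=C chage -l "$user" 2>/dev/null | grep 'Password [Ee]xpires')
    if [[ -z "$expiry_line" ]]; then
      warn "no password-expiry information for '$user'; skipped"
      continue
    fi
    # Text after the first colon, leading space included:
    # " never" or e.g. " Jan 01, 2014".
    expiry=${expiry_line#*:}

    if (( uid > UID_THRESHOLD )) && [[ "$expiry" != " never" ]]; then
      # Last login, all whitespace (including newlines) folded to single
      # spaces, with the "wtmp begins" trailer text removed.
      login_words=()
      read -r -d '' -a login_words \
        < <(last -dn1 "$user" | sed 's/wtmp begins//g') || true

      read -r exp_mon_name exp_day exp_year <<< "$expiry"
      exp_day=${exp_day%,}
      exp_month=$(month_to_number "$exp_mon_name")

      {
        printf '%s:%s\n' "$user" "$uid"
        printf 'Last Login:%s\n' "${login_words[*]}"

        if (( exp_month == 0 )) \
          || [[ ! "$exp_day" =~ ^[0-9]+$ || ! "$exp_year" =~ ^[0-9]+$ ]]; then
          # Not a date: record the raw chage value instead of comparing
          # non-numeric fields.
          printf "%s's password expiry could not be parsed:%s\n\n" \
            "$user" "$expiry"
        else
          day_num=$((10#$exp_day))
          exp_year=$((10#$exp_year))
          if (( exp_year == cur_year && exp_month == cur_month )); then
            # Compare days numerically; "08" vs "8" must count as equal.
            if (( day_num < cur_day )); then
              printf "%s's password expired on the %s of this month.\n\n" \
                "$user" "$exp_day"
            elif (( day_num > cur_day )); then
              printf "%s's password expires on the %s of this month.\n\n" \
                "$user" "$exp_day"
            else
              printf "%s's password has expired today\n\n" "$user"
            fi
          elif (( exp_year < cur_year \
            || (exp_year == cur_year && exp_month < cur_month) )); then
            # Earlier year, or earlier month of this year.
            printf "%s's password expired %s %s, %s\n\n" \
              "$user" "$exp_mon_name" "$exp_day" "$exp_year"
          else
            printf "%s's password expires %s %s, %s\n\n" \
              "$user" "$exp_mon_name" "$exp_day" "$exp_year"
          fi
        fi
      } >> "$REPORT"
    else
      # Never-expiring passwords and UIDs <= UID_THRESHOLD.
      printf '%s: %s : password set to expire%s\n' \
        "$user" "$uid" "$expiry" >> "$PWNEVER"
    fi
  done
}

main "$@"

#mail <email> -s "Account Report on $HOSTNAME" < $HOSTNAME.log
#mail <email> -s "Account Report on $HOSTNAME" < PWNEVER.log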