-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathshow-users.sh
executable file
·251 lines (231 loc) · 8.67 KB
/
show-users.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
#!/bin/bash
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Nagios Plugin to list all currently logged on users to a system.
# Initial version by Hari Sekhon, 2007
# Modified by Rob MacKenzie, SFU - rmackenz@sfu.ca
# Added the -w and -c options to check for number of users.
# Modified by maltris - m@maltris.org
# Cleaned up the code
version=0.6
# This makes coding much safer as a varible typo is caught
# with an error rather than passing through
set -u
# Unset LANG, it serves the purpose of returning the same results
# if this is run with the check_mk_agent or from the commandline
# otherwise the "who"-command will return differently formatted dates
#
# With LANG=en_US.UTF-8:
# root pts/0 2017-10-04 16:12 (127.0.0.1)
# With LANG not set:
# root pts/0 Oct 4 16:12 (127.0.0.1)
unset LANG
# Note: resisted urge to use <<<, instead sticking with |
# in case anyone uses this with an older version of bash
# so no bash bashers please on this
# Standard Nagios exit codes
OK=0
WARNING=1
CRITICAL=2
UNKNOWN=3
usage(){
echo "usage: ${0##*/} [--simple] [ --mandatory username ] [ --unauthorized username ] [ --whitelist username ]"
echo
echo "returns a list of users on the local machine"
echo
echo " -s, --simple show users without the number of sessions"
echo " -m username, --mandatory username"
echo " Mandatory users. Return CRITICAL if any of these users are not"
echo " currently logged in"
echo " -b username, --blacklist username"
echo " Unauthorized users. Returns CRITICAL if any of these users are"
echo " logged in. This can be useful if you have a policy that states"
echo " that you may not have a root shell but must instead only use "
echo " 'sudo command'. Specifying '-u root' would alert on root having"
echo " a session and hence catch people violating such a policy."
echo " -a username, --whitelist username"
echo " Whitelist users. This is exceptionally useful. If you define"
echo " a bunch of users here that you know you use, and suddenly"
echo " there is a user session open for another account it could"
echo " alert you to a compromise. If you run this check say every"
echo " 3 minutes, then any attacker has very little time to evade"
echo " detection before this trips."
echo
echo " -m,-u and -w can be specified multiple times for multiple users"
echo " or you can use a switch a single time with a comma separated"
echo " list."
echo " -w integer, --warning integer"
echo " Set WARNING status if more than INTEGER users are logged in"
echo " -c integer, --critical integer"
echo " Set CRITICAL status if more than INTEGER users are logged in"
echo
echo
echo " -V --version Print the version number and exit"
echo
exit $UNKNOWN
}
simple=""
mandatory_users=""
unauthorized_users=""
whitelist_users=""
warning_users=0
critical_users=0
while [ "$#" -ge 1 ]; do
case "$1" in
-h|--help) usage
;;
-V|--version) echo "$version"
exit $UNKNOWN
;;
-s|--simple) simple=true
;;
-m|--mandatory) if [ "$#" -ge 2 ]; then
if [ -n "$mandatory_users" ]; then
mandatory_users="$mandatory_users $2"
else
mandatory_users="$2"
fi
shift
else
usage
fi
;;
-b|--blacklist) if [ "$#" -ge 2 ]; then
if [ -n "$unauthorized_users" ]; then
unauthorized_users="$unauthorized_users $2"
else
unauthorized_users="$2"
fi
shift
else
usage
fi
;;
-a|--whitelist) if [ "$#" -ge 2 ]; then
if [ -n "$whitelist_users" ]; then
whitelist_users="$whitelist_users $2"
else
whitelist_users="$2"
fi
shift
else
usage
fi
;;
-w|--warning) if [ "$#" -ge 2 ]; then
if [ "$2" -ge 1 ]; then
warning_users="$2"
fi
shift
else
usage
fi
;;
-c|--critical) if [ "$#" -ge 2 ]; then
if [ "$2" -ge 1 ]; then
critical_users="$2"
fi
shift
else
usage
fi
;;
*) usage
;;
esac
shift
done
mandatory_users="$(echo "$mandatory_users" | tr ',' ' ')"
unauthorized_users="$(echo "$unauthorized_users" | tr ',' ' ')"
whitelist_users="$(echo "$whitelist_users" | tr ',' ' ')"
# Must be a list of usernames only.
userlist="$(who --ips|awk '{print $1" "$6}'|sort)"
usercount="$(who|wc -l)"
errormsg=""
exitcode=$OK
if [ -n "$userlist" ]; then
if [ -n "$mandatory_users" ]; then
missing_users=""
for user in $mandatory_users; do
if ! echo "$userlist"|grep "^$user$" >/dev/null 2>&1; then
missing_users="$missing_users $user"
exitcode=$CRITICAL
fi
done
for user in $(echo "$missing_users"|tr " " "\\n"|sort -u); do
errormsg="${errormsg}user '$user' not logged in. "
done
fi
if [ -n "$unauthorized_users" ]; then
blacklisted_users=""
for user in $unauthorized_users; do
if echo "$userlist"|sort -u|grep "^$user$" >/dev/null 2>&1; then
blacklisted_users="$blacklisted_users $user"
exitcode=$CRITICAL
fi
done
for user in $(echo "$blacklisted_users"|tr " " "\\n"|sort -u); do
errormsg="${errormsg}Unauthorized user '$user' is logged in! "
done
fi
if [ -n "$whitelist_users" ]; then
unwanted_users=""
for user in $(echo "$userlist"|sort -u); do
if ! echo "$whitelist_users"|tr " " "\\n"|grep "^$user$" >/dev/null 2>&1; then
unwanted_users="$unwanted_users $user"
exitcode="$CRITICAL"
fi
done
for user in $(echo "$unwanted_users"|tr " " "\\n"|sort -u); do
errormsg="${errormsg}Unauthorized user '$user' detected! "
done
fi
if [ "$warning_users" -ne 0 ] || [ "$critical_users" -ne 0 ]; then
unwanted_users=$(who)
if [ "$usercount" -ge "$critical_users" ] && [ "$critical_users" -ne 0 ]; then
exitcode="$CRITICAL"
elif [ "$usercount" -ge "$warning_users" ] && [ "$warning_users" -ne 0 ]; then
exitcode="$WARNING"
fi
OLDIFS="$IFS"
IFS=$'\n'
for user in $unwanted_users; do
errormsg="${errormsg} --- $user"
done
IFS="$OLDIFS"
fi
if [ "$simple" == "true" ]; then
finallist=$(echo "$userlist"|uniq)
else
finallist=$(echo "$userlist"|uniq -c|awk '{print $2" "$3" ("$1")"}' | sed ':a;N;$!ba;s/\n/, /g')
fi
else
finallist="no users logged in"
fi
if [ "$exitcode" -eq $OK ]; then
echo "USERS OK: $finallist"
exit $OK
elif [ "$exitcode" -eq $WARNING ]; then
echo "USERS WARNING: [users: $finallist] $errormsg"
exit $WARNING
elif [ "$exitcode" -eq $CRITICAL ]; then
echo "USERS CRITICAL: [users: $finallist] $errormsg"
exit $CRITICAL
else
echo "USERS UNKNOWN: $errormsg [users: $finallist]"
exit $UNKNOWN
fi
exit $UNKNOWN