#!/bin/bash # # Copyright Hari Sekhon 2007 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # # Nagios Plugin to list all currently logged on users to a system. # Modified by Rob MacKenzie, SFU - rmackenz@sfu.ca # Added the -w and -c options to check for number of users. version=0.3 # This makes coding much safer as a varible typo is caught # with an error rather than passing through set -u # Note: resisted urge to use <<<, instead sticking with | # in case anyone uses this with an older version of bash # so no bash bashers please on this # Standard Nagios exit codes OK=0 WARNING=1 CRITICAL=2 UNKNOWN=3 usage(){ echo "usage: ${0##*/} [--simple] [ --mandatory username ] [ --unauthorized username ] [ --whitelist username ]" echo echo "returns a list of users on the local machine" echo echo " -s, --simple show users without the number of sessions" echo " -m username, --mandatory username" echo " Mandatory users. Return CRITICAL if any of these users are not" echo " currently logged in" echo " -b username, --blacklist username" echo " Unauthorized users. Returns CRITICAL if any of these users are" echo " logged in. This can be useful if you have a policy that states" echo " that you may not have a root shell but must instead only use " echo " 'sudo command'. Specifying '-u root' would alert on root having" echo " a session and hence catch people violating such a policy." echo " -a username, --whitelist username" echo " Whitelist users. This is exceptionally useful. If you define" echo " a bunch of users here that you know you use, and suddenly" echo " there is a user session open for another account it could" echo " alert you to a compromise. If you run this check say every" echo " 3 minutes, then any attacker has very little time to evade" echo " detection before this trips." echo echo " -m,-u and -w can be specified multiple times for multiple users" echo " or you can use a switch a single time with a comma separated" echo " list." echo " -w integer, --warning integer" echo " Set WARNING status if more than INTEGER users are logged in" echo " -c integer, --critical integer" echo " Set CRITICAL status if more than INTEGER users are logged in" echo echo echo " -V --version Print the version number and exit" echo exit $UNKNOWN } simple="" mandatory_users="" unauthorized_users="" whitelist_users="" warning_users=0 critical_users=0 while [ "$#" -ge 1 ]; do case "$1" in -h|--help) usage ;; -V|--version) echo $version exit $UNKNOWN ;; -s|--simple) simple=true ;; -m|--mandatory) if [ "$#" -ge 2 ]; then if [ -n "$mandatory_users" ]; then mandatory_users="$mandatory_users $2" else mandatory_users="$2" fi shift else usage fi ;; -b|--blacklist) if [ "$#" -ge 2 ]; then if [ -n "$unauthorized_users" ]; then unauthorized_users="$unauthorized_users $2" else unauthorized_users="$2" fi shift else usage fi ;; -a|--whitelist) if [ "$#" -ge 2 ]; then if [ -n "$whitelist_users" ]; then whitelist_users="$whitelist_users $2" else whitelist_users="$2" fi shift else usage fi ;; -w|--warning) if [ "$#" -ge 2 ]; then if [ $2 -ge 1 ]; then warning_users=$2 fi shift else usage fi ;; -c|--critical) if [ "$#" -ge 2 ]; then if [ $2 -ge 1 ]; then critical_users=$2 fi shift else usage fi ;; *) usage ;; esac shift done mandatory_users="`echo $mandatory_users | tr ',' ' '`" unauthorized_users="`echo $unauthorized_users | tr ',' ' '`" whitelist_users="`echo $whitelist_users | tr ',' ' '`" # Must be a list of usernames only. userlist="`who|grep -v "^ *$"|awk '{print $1}'|sort`" usercount="`who|wc -l`" errormsg="" exitcode=$OK if [ -n "$userlist" ]; then if [ -n "$mandatory_users" ]; then missing_users="" for user in $mandatory_users; do if ! echo "$userlist"|grep "^$user$" >/dev/null 2>&1; then missing_users="$missing_users $user" exitcode=$CRITICAL fi done for user in `echo $missing_users|tr " " "\n"|sort -u`; do errormsg="${errormsg}user '$user' not logged in. " done fi if [ -n "$unauthorized_users" ]; then blacklisted_users="" for user in $unauthorized_users; do if echo "$userlist"|sort -u|grep "^$user$" >/dev/null 2>&1; then blacklisted_users="$blacklisted_users $user" exitcode=$CRITICAL fi done for user in `echo $blacklisted_users|tr " " "\n"|sort -u`; do errormsg="${errormsg}Unauthorized user '$user' is logged in! " done fi if [ -n "$whitelist_users" ]; then unwanted_users="" for user in `echo "$userlist"|sort -u`; do if ! echo $whitelist_users|tr " " "\n"|grep "^$user$" >/dev/null 2>&1; then unwanted_users="$unwanted_users $user" exitcode=$CRITICAL fi done for user in `echo $unwanted_users|tr " " "\n"|sort -u`; do errormsg="${errormsg}Unauthorized user '$user' detected! " done fi if [ $warning_users -ne 0 -o $critical_users -ne 0 ]; then unwanted_users=`who` if [ $usercount -ge $critical_users -a $critical_users -ne 0 ]; then exitcode=$CRITICAL elif [ $usercount -ge $warning_users -a $warning_users -ne 0 ]; then exitcode=$WARNING fi OLDIFS="$IFS" IFS=$'\n' for user in $unwanted_users; do errormsg="${errormsg} --- $user" done IFS="$OLDIFS" fi if [ "$simple" == "true" ] then finallist=`echo "$userlist"|uniq` else finallist=`echo "$userlist"|uniq -c|awk '{print $2"("$1")"}'` fi else finallist="no users logged in" fi if [ "$exitcode" -eq $OK ]; then echo "USERS OK:" $finallist exit $OK elif [ "$exitcode" -eq $WARNING ]; then echo "USERS WARNING: [users: "$finallist"]" $errormsg exit $WARNING elif [ "$exitcode" -eq $CRITICAL ]; then echo "USERS CRITICAL: [users: "$finallist"]" $errormsg exit $CRITICAL else echo "USERS UNKNOWN:" $errormsg"[users: "$finallist"]" exit $UNKNOWN fi exit $UNKNOWN