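#!/bin/sh
# Wrapper for rootcheck.
# 1- It will call ossec-rootcheck.
# 2- It will run a basic forensic analysis on the logs showing all last logins
#
# Author: Daniel B. Cid <daniel.cid@gmail.com>
# Last modification: Feb 10, 2016
#
# Every binary below is addressed relative to the current working directory
# (./ossec-rootcheck, ./src/analysisd/..., ./src/monitord/...), so run this
# from the directory that contains them.  The auth logs it reads are usually
# readable only by root; when none of them is readable the login report is
# simply skipped.

### 1- We start by running ossec-rootcheck
# The original ran it unconditionally and ignored its status; keep going, but
# say so on stderr instead of failing silently.
if ! ./ossec-rootcheck; then
  printf '[WARN]: ./ossec-rootcheck failed or was not found; continuing with the log analysis.\n' >&2
fi

### 2- We try to find the log files to parse:
# Candidate auth logs (RHEL-style "secure", Debian-style "auth.log", plus the
# first rotation of each).  Space-separated on purpose: POSIX sh has no arrays
# and none of these paths contain whitespace.
listoflogs="/var/log/secure /var/log/secure.1 /var/log/auth.log /var/log/auth.log.1"

# Collect the readable logs as positional parameters so they can be handed to
# cat without re-splitting a string.  Testing -r directly replaces the old
# "ls -la >/dev/null; test $?" dance, and checks what actually matters: an
# existing but unreadable file would only have made cat fail later.
set --
for logfile in $listoflogs; do
  if [ -r "$logfile" ]; then
    set -- "$@" "$logfile"
  fi
done

if [ "$#" -gt 0 ]; then
  echo "[INFO]: Latest successful logins to the server:"
  # Replay the raw log lines through ossec-logtest and ossec-reportd (grouped on
  # authentication_succ, reported per user and srcip).  The trailing greps keep
  # the lines after the "Related entries for 'Username'" header while dropping
  # the header itself and the separator rule; -A 1000 is the author's cap on
  # how much of the report is shown.
  cat -- "$@" | ./src/analysisd/ossec-logtest -a 2>&1 \
    | ./src/monitord/ossec-reportd -p -f group authentication_succ -r user srcip 2>&1 \
    | grep -A 1000 "Related entries for 'Username'" \
    | grep -v "Related entries for 'Username'" \
    | grep -v -- "------------------------------------------------"
fi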