capture blank field in line from /var/log/secure

 PostPosted: Fri Jan 07, 2011 10:10 am   

Joined: Wed May 19, 2010 9:56 am
Posts: 21
Hello all,

An unsuccessful login via a tty by a known user and an unknown user will generate an almost exact line in /var/log/secure with the exception of the last field. To see this specifically do Ctrl-Alt-F2, for example. Now login with a known user and log out. Next attempt a login with a bogus user name which fails. Go back to your GUI environment (Ctrl-Alt-F7) and then tail /var/log/secure. For the known user the last field will be "user=some_name_here". The unknown user will not have a "user=" field.

How do I capture the two via different variables in bash?

For example:
KNOWN_USER=`syntax that finds the user= field.`
echo There is a user= field and the user is mmouse.

UNKNOWN_USER=`syntax that does NOT find the user= field`
echo There is NO user= field and an unknown user tried to login.

I've been exploring using sed to grab (or not grab) that last field, but haven't hit upon the right syntax yet.

If some of you better scripters have ideas it would be super to hear from you.

Thanks.


 PostPosted: Fri Jan 07, 2011 12:46 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Hi Geelsu!

The output in my current /var/log/secure doesn't seem to match what you're describing. Could you maybe give us a couple of sample lines, with a known and an unknown user?

Here's an example that may help. First, my log entries look like this:
Code:
## Bad user...
Jan  7 12:21:26 localhost sshd[7259]: Invalid user bob from 127.0.0.1
Jan  7 12:21:26 localhost sshd[7260]: input_userauth_request: invalid user bob
Jan  7 12:21:27 localhost sshd[7259]: pam_unix(sshd:auth): check pass; user unknown
Jan  7 12:21:27 localhost sshd[7259]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jwcos532-beta
Jan  7 12:21:27 localhost sshd[7259]: pam_succeed_if(sshd:auth): error retrieving information about user bob
Jan  7 12:21:28 localhost sshd[7259]: Failed password for invalid user bob from 127.0.0.1 port 53585 ssh2
Jan  7 12:21:29 localhost sshd[7260]: Connection closed by 127.0.0.1


## Good user...
Jan  7 12:27:36 localhost sshd[7459]: Accepted password for cchocula from 127.0.0.1 port 58892 ssh2
Jan  7 12:27:36 localhost sshd[7459]: pam_unix(sshd:session): session opened for user cchocula by (uid=0)
Jan  7 12:27:40 localhost sshd[7459]: pam_unix(sshd:session): session closed for user cchocula


We *could* just go by the 'invalid user' pattern, but it looks like I get two of those per attempt. Invalid users on my system always produce a line with 'input_userauth_request: invalid user username', so we can get the bad user this way:
Code:
for UNKNOWN_USER in $(awk '/input_userauth_request/ {print $NF}' /var/log/secure); do
    echo "LOL, some noob tried logging in as $UNKNOWN_USER..."
done

## test output from the log snippet posted above:
## LOL, some noob tried logging in as bob...


While valid users produce an 'Accepted password' line that we can use:
Code:
for KNOWN_USER in $(awk '/Accepted/ {print $9}' /var/log/secure); do
    echo "$KNOWN_USER just logged in... neato."
done

## test output from the log snippet posted above:
## cchocula just logged in... neato.


I hope this helps! If you have a few lines from that log we can probably give you a more specific example.

-J


 PostPosted: Fri Jan 07, 2011 4:24 pm   

Joined: Wed May 19, 2010 9:56 am
Posts: 21
Hi Jeo,

You seem to be gaining access via ssh. My access is via the runlevel 5 GUI such as GNOME or KDE.

From /var/log/secure.

Here is what you get with a valid user.
Jan 7 09:01:07 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=george

Here is what you get with an INVALID user:
Jan 7 09:01:15 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=


There are other entries in /var/log/secure that show the name of the INVALID user, but this is the only one that shows what tty the attempt was made on. That is why I am trying to capture that line so I can grab the specific tty info. But I don't want to grab the line that shows george because I am a valid user.


 PostPosted: Mon Jan 10, 2011 11:39 am   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Oh, I see... Sorry, working with servers all day gets me stuck in no-X mode :)

So I think I'm seeing what you're seeing now. Is the tty what you're looking for specifically? I'm not sure how consistent the output is, and if it's a really busy system (lots of users logging in and out) then there might be lines interspersed between which would make this less accurate, but you could try something like this (disclaimer: this might be ugly... I absolutely love awk, but I don't use it like this very often!):

Code:
## Known Users
## match " user=" with a leading space so that the "ruser=" field present on every line does not match too;
## with -F= the last field is the name after the final "="
awk -F= '/ user=/ {print "Known user: " $NF}' /var/log/secure

## Unknown Users
## a failure line that ends at the empty rhost= field has no user= field; take the tty from field 12,
## then read the next line and assume its field 12 carries the rejected user name
awk '/rhost=$/ {tty=$12; getline; user=$12; print "Unknown user: " user " from " tty}' /var/log/secure


That ought to at least get you started. I hope it helps!
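
An added example, not code from this thread: a POSIX shell/awk script that classifies the pam_unix(login:auth) failure lines Geelsu posted by whether a user= field is present, walking the key=value tokens instead of fixed field positions so the tty and user come out right even when the column count shifts. The sample log lines are constructed to match the format shown above; they are not from a real host.

```shell
#!/bin/sh
# Constructed sample lines in the login(1) format shown in the thread; not from a real host.
SAMPLE_LOG='Jan  7 09:01:07 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=george
Jan  7 09:01:15 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jan  7 09:02:30 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost= user=george
Jan  7 09:03:00 wks90 sshd[7259]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5'

# Reads /var/log/secure-style lines on stdin and prints one line per login(1)
# authentication failure:
#   "known <user> <tty>"   when the line carries a user= field
#   "unknown <tty>"        when it does not (the name given to PAM is not a local account)
classify_login_failures() {
    awk '
        /pam_unix\(login:auth\): authentication failure/ {
            tty = ""; user = ""
            # walk the key=value tokens instead of trusting fixed field numbers,
            # so the double space after "Jan" or an extra token cannot shift columns;
            # comparing the whole key also keeps "ruser=" from being mistaken for "user="
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                if (key == "tty")  tty = val
                if (key == "user") user = val
            }
            if (user != "") print "known " user " " tty
            else            print "unknown " tty
        }'
}

# Summarises classify_login_failures output: number of unknown-user attempts per tty
count_unknown_by_tty() {
    awk '$1 == "unknown" { c[$2]++ } END { for (t in c) print t, c[t] }'
}

# Demo on the constructed sample; use  classify_login_failures < /var/log/secure  for real data
printf '%s\n' "$SAMPLE_LOG" | classify_login_failures
```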


© 2003 - 2011 USA LINUX USERS GROUP