#!/bin/bash

#############################################################################
# Version 3.1 -- Kirk Bauer -- 5/24/97
#############################################################################

#############################################################################
## This script was written by Kirk Bauer.  I am *absolutely* sure that this
## script could have been much more efficient than it is as far as run
## time... but it does work.   I could have written it in PERL and made it
## much better... but oh well, I don't know PERL yet.
##
## You can give this script to anybody... I wrote it for Red Hat Linux 4.1
## Systems, but I have a feeling that it would work (with a few modifications)
## for other Red Hat Linux systems and maybe even other distributions.  I
## just ask that you leave my name on here and that you **send any suggestions
## or improvements to me!!!**
##
## Okay, you can now pass an argument to the script.  This argument is the
## date you want to scan the logs for.  If there are no arguments, it will
## scan for yesterday's date.  The argument must be in the form:
## "daily Apr 5" or "daily Apr 05" or "daily Apr  5" or "daily Mar 21", etc.
##
## So, here is how you send improvements and suggestions to me.  I will list
## several email addresses in order of preference:
##    kirk@kaybee.org
##    kirk@gt.ed.net
##    gt5918a@prism.gatech.edu
##
## Revision History:
##    4/5/97 Version 1.0:  First time released to the public
##    4/6/97 Version 1.1:  Changed the configuration a little
##    4/7/97 Version 1.2:  Now, you can call with an argument that
##                         specifies what date to check if you want to.
##                         (Thanks to kaja007@hotmail.com)
##    4/7/97 Version 1.3:  Made a few small changes....
##                         (Thanks to scoile@patriot.net)
##   4/18/97 Version 2.0:  (Thanks to Tim Cross tcross@bart.northnet.com.au)
##                         On my system, I now have the following packages:
##                              pam-0.57-8 and pwdb-0.54-1
##                         This script catches the extra messages that I now
##                         get.  For now, it ignores the PAM_pwdb messages,
##                         but I now process the 'su' messages.
##
##                         I also changed a few small cosmetic things, as
##                         well as added a few options for non-standard
##                         machines.
##
##                          ** Version 1.3 may be better for standard RHL 4.1
##
##   4/28/97 Version 3.0:  (Thanks to Simun Mudd simon.mudd@alltrading.es for RPM script)
##                         (Thanks to the authors of the two maillog scripts)
##                         Basically, I slightly modified some other people's
##                         scripts so that I can now process the maillog as well
##                         as do some security checks via RPM...
##   5/24/97 Version 3.1:  I changed things to work better with Red Hat Linux
##                         4.2.  Should have more reliable output now.
##                         
#############################################################################

######################################################################
#
# NOTE: Configuration moved to /etc/dailyscript.conf!
#
######################################################################

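# Site configuration.  LOGFILES, ALWAYSIGNORE, TMP/TMP2, PERMDIR,
# INCOMINGDIRS, SEDSCRIPT1, SEDSCRIPT2, MAILSTATS and MAILLIST are read from
# here and set nowhere else in this script.  The file is executed as shell
# code with this script's privileges (it reads /var/log/secure and
# /var/log/cron below, so normally root), so it must not be writable by
# anyone else.  Refuse to run without it rather than carry on with every
# setting empty.
if [ ! -r /etc/dailyscript.conf ]; then
   printf '%s: cannot read /etc/dailyscript.conf\n' "$0" >&2
   exit 1
fi
. /etc/dailyscript.conf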

######################################################################
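# Private per-run scratch directory.  mktemp(1) picks an unpredictable name
# and creates it mode 0700, so nobody can pre-create or symlink the path in a
# shared temp directory (the old "<tmp>/<script><pid>" name was guessable).
# TMP2 and then /tmp are the fallbacks when TMP is unset or empty.
TDIR=$(mktemp -d "${TMP:-${TMP2:-/tmp}}/$(basename -- "$0").XXXXXX") || exit 1
# Short host name, as syslog writes it in the "host program[pid]:" field.
COMPNAME=$(hostname)
COMPNAME=${COMPNAME%%.*}
if [ $# -eq 0 ]; then
   # No argument: report on yesterday.  %d zero-pads the day but syslog
   # space-pads it ("Apr  5"), so rewrite " 0" as two spaces.
   D=$(date -d "1 day ago" +"%b %d" | sed 's/ 0/  /')
else
   # Caller-supplied date such as "Apr 5", "Apr 05" or "Mar 21": collapse
   # whitespace runs (the old unquoted echo did that implicitly), then
   # normalise to the syslog form "Apr  5" / "Mar 21".
   D=$(printf '%s\n' "$*" | sed 's/[[:space:]][[:space:]]*/ /g; s/ 0/  /; s/^\(...\) \(.\)$/\1  \2/')
   # D is spliced into grep and sed patterns throughout the report, so only a
   # plain "Mon d"/"Mon dd" is accepted; anything else would be interpreted
   # as a regular expression.
   DATE_RE='^[A-Z][a-z][a-z]  ?[0-9][0-9]?$'
   if [[ ! $D =~ $DATE_RE ]]; then
      printf 'usage: %s [Mon d]   (for example "Apr 5")\n' "$0" >&2
      exit 2
   fi
fi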


# Report banner, then everyone last(1) saw logging in on the target day
# (ftp sessions are left out; they get their own section further down).
printf '%s\n' '***************************************************************'
printf 'General Daily Run -- %s -- %s\n' "$(hostname)" "$D"
printf '%s\n\n' '***************************************************************'
printf 'People who logged in:\n\n'
# Columns 23-33 of "last -ad" output are dropped to keep the lines short.
last -ad | grep "$D" | grep -v ftp | cut -c-22,34-
printf '\n%s\n\n' '***************************************************************'
printf 'Checking System Log Files.....\n\n'






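TFILE=$TDIR/tmp
# Everything written under $TDIR is an excerpt of the system logs; keep it
# readable by the invoking user only.
umask 077
mkdir "$TDIR" 2> /dev/null        # no-op when the directory already exists
rm -rf "${TDIR:?}"/* 2> /dev/null # :? aborts instead of expanding to "/*"

# Collect every line for the target day from the configured logs, dropping
# syslog's "last message repeated" summaries.  Start from an empty file so a
# missing or empty LOGFILES still leaves $TFILE in place for the code below.
: > "$TFILE"
for i in $LOGFILES
do
   grep "^$D" "$i" | grep -v "last message repeated" >> "$TFILE"
done

# Peel the lines of each known program (plus the configured ALWAYSIGNORE
# list) off into $TDIR/<program>; whatever is left in $TFILE is "unmatched".
for i in syslog named identd pam ftpd sshd kernel talkd telnetd PAM_pwdb $ALWAYSIGNORE
do
   grep "^$D .* $COMPNAME $i" "$TFILE" > "$TDIR/$i"
   mv "$TFILE" "$TFILE.1"
   grep -v "^$D .* $COMPNAME $i" "$TFILE.1" > "$TFILE"
done
rm -f "$TFILE.1" 2> /dev/null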


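# If this file still has stuff in it, we should definitely look at it: these
# are the day's log lines that matched none of the known programs.
if [ -s "$TFILE" ]; then
   echo "###########################################################"
   echo "###  Unmatched entries in /var/log/messages!!!!!!!!!!   ###"
   echo "###########################################################"
   echo
   cat "$TFILE"
   echo
   echo "###########################################################"
   echo
   echo
fi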


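# PAM_pwdb messages...
echo "PAM_pwdb Messages:"

# (su) sessions: "session opened for user <target> by <caller>(uid=N)"
# becomes "<caller> -> <target>".
echo "   Sucessful SU's:"
sed -n "s/$D .*:.*:.* $COMPNAME PAM_pwdb\[.*\]: (su) session opened for user \([^ ]*\) by \([^(]*\)(uid=.*)/      \2 -> \1/p" "$TDIR/PAM_pwdb" | sort
# Drop what was just reported plus the noise that accompanies every su.
cp "$TDIR/PAM_pwdb" "$TFILE"
grep -v -e ": (su) session .* for user" -e "user unknown" -e "structure is no longer" -e "session closed" "$TFILE" > "$TDIR/PAM_pwdb"
echo

# failed authentications...
echo "   Authentication Failures:"
sed -n "s/$D .*:.*:.* $COMPNAME PAM_pwdb\[.*\]: [^ ]* authentication failure; \([^(]*(uid=[^)]*)\) -> \([^ ]*\) for \([^ ]*\) service/      \3: \1 -> \2/p" "$TDIR/PAM_pwdb" | sort
cp "$TDIR/PAM_pwdb" "$TFILE"
grep -v "authentication failure" "$TFILE" > "$TDIR/PAM_pwdb"
echo

# sucessful logins: one line per user with the number of (login) sessions.
# The former hand-rolled run-length loop (seeded with "XX XX XX") printed
# each user with the count of the *preceding* group and never printed the
# last user at all; sort | uniq -c is the correct form.
echo "   Sucessful Logins:"
sed -n "s/$D .*:.*:.* $COMPNAME PAM_pwdb\[.*\]: (login) session opened for user \([^ ]*\) by [^(]*(uid=.*)/\1/p" "$TDIR/PAM_pwdb" \
   | sort | uniq -c | while read -r TOTAL WHO
do
   echo "      $WHO Logged in $TOTAL time(s)"
done
cp "$TDIR/PAM_pwdb" "$TFILE"
grep -v "session opened" "$TFILE" > "$TDIR/PAM_pwdb"
echo

# anything else?
if [ -s "$TDIR/PAM_pwdb" ]; then
   echo "   ** Other PAM_pwdb Messages **"
   sed 's/^/      /' "$TDIR/PAM_pwdb"
   echo
fi
echo
echo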



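# Syslog messages...
# grep -c prints a bare number, so the message needs its own separator
# (the old wc -l form relied on wc's column padding).
T=$(grep -c "restart" "$TDIR/syslog")
echo "Syslogd Restarted: $T Time(s)..."
# Keep the failed-login lines aside in $TFILE.1 and everything else in $TFILE.
grep -v -e "restart" -e "$COMPNAME syslog: gethostby" "$TDIR/syslog" | tee "$TFILE.1" | grep -v "FAILED LOGIN" > "$TFILE"
echo 'Failed login(s) due to invalid username:'
# The "FOR <name>" field is whatever the remote side typed and is copied into
# the report verbatim.
grep "FAILED LOGIN" "$TFILE.1" | sed "s/$D .*:.*:.* $COMPNAME syslog: FAILED LOGIN .* FROM \(.*\) FOR \(.*\), .*/   Failed Login:  \2 from \1/"
if [ -s "$TFILE" ]; then
   echo "Other Syslogd Problems:"
   sed 's/^/   /' "$TFILE"
fi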


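# Named messages...
if [ -e /usr/sbin/named ]; then
   echo
   echo "----- named ------"
   echo
   # Counts come from grep -c (a bare number), hence the explicit space
   # before $T that the wc -l padding used to supply.
   T=$(grep -c "Malformed response" "$TDIR/named")
   echo "Named had $T Malformed Response(s)..."
   mv "$TDIR/named" "$TFILE"
   grep -v -e "Malformed response" -e "owner.*invalid" "$TFILE" > "$TDIR/named"

   T=$(grep -c "learnt" "$TDIR/named")
   echo "Named had $T Learned Response(s)..."
   mv "$TDIR/named" "$TFILE"
   grep -v "learnt" "$TFILE" > "$TDIR/named"

   T=$(grep -c "zone.*loaded" "$TDIR/named")
   echo "Named loaded $T zone(s)..."
   mv "$TDIR/named" "$TFILE"
   grep -v "zone.*loaded" "$TFILE" > "$TDIR/named"

   # Zone transfers: one "<client-ip>|<zone>" line per approved AXFR.
   grep "$D.*approved AXFR" "$TDIR/named" | sed "s/$D .*:.*:.* $COMPNAME named\[.*\]: approved AXFR from \[\(.*\..*\..*\..*\)\]\..* for \"\(.*\)\"/\1|\2/" > "$TDIR/named.tmp"
   # Count each distinct pair with a fixed-string, whole-line match: the pair
   # is log-derived text and must not be reinterpreted as a pattern (the old
   # grep -c "$i" also counted lines that merely contained the pair).
   sort -u "$TDIR/named.tmp" | while IFS= read -r pair
   do
      case $pair in
         *\|*) ;;
         *) printf '   %s\n' "$pair"; continue ;;   # line the sed above did not recognise
      esac
      T=$(grep -Fxc -- "$pair" "$TDIR/named.tmp")
      echo "   Host ${pair%|*} transfered zone ${pair##*|} $T times..."
   done
   mv "$TDIR/named" "$TFILE"
   grep -v "$D.*approved AXFR" "$TFILE" > "$TDIR/named"

   if [ -s "$TDIR/named" ]; then
      echo "Other Named Errors:"
      sed 's/^/   /' "$TDIR/named"
   fi
   echo
   echo
fi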




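# FTPd Messages.....
echo
echo "----- FTPD ------"
# ftpusers: every user name that logged in (the field after the comma);
# ftphost:  "<host> <user>" for every login.
grep "LOGIN" "$TDIR/ftpd" | cut -d ',' -f 2 | sort -u | sed 's/^ //' > "$TDIR/ftpusers"
grep "LOGIN" "$TDIR/ftpd" | sed -e "s/$D .* $COMPNAME ftpd.*:.* FTP LOGIN FROM //" -e "s/ \[.*\],//" > "$TDIR/ftphost"
# ftp.anon: "   <host> <user>" for anonymous logins, used to tag them below.
grep "ANONYMOUS FTP LOGIN" "$TDIR/ftpd" | sed -e "s/$D .* $COMPNAME ftpd.*: ANONYMOUS FTP LOGIN FROM //" -e "s/ \[.*\],//" -e "s/^/   /" | sort -u > "$TDIR/ftp.anon"
echo
echo "FTP Users Logged in:"
while IFS= read -r i
do
   # User names and host names are copied out of log text, yet are spliced
   # into grep/sed patterns below: escape the BRE metacharacters first so a
   # crafted login name cannot widen or hide matches.
   ei=$(printf '%s\n' "$i" | sed 's/[]\/$*.^[]/\\&/g')
   # Hosts this user logged in from -- exact second-field comparison rather
   # than the old substring grep ("bob" must not pick up "bobby").
   FTPUSER=$i awk '$2 == ENVIRON["FTPUSER"] { print $1 }' "$TDIR/ftphost" | sort -u | while IFS= read -r h
   do
      eh=$(printf '%s\n' "$h" | sed 's/[]\/$*.^[]/\\&/g')
      ANON=
      if grep -qxF -- "   $h $i" "$TDIR/ftp.anon"; then
         ANON='   *Anonymous: '
      fi
      echo "    $ANON$i from $h"
      echo "          Deleted $(grep -c "$D .* $COMPNAME ftpd\[.*\]: $ei of $eh \[.*\] deleted" "$TDIR/ftpd") file(s)...."
      # Deletions outside the user's own home directory are listed.
      grep "$D .* $COMPNAME ftpd\[.*\]: $ei of $eh \[.*\] deleted" "$TDIR/ftpd" | grep -v "/home/$ei/" | sed "s/$D .*:.*:.* $COMPNAME ftpd\[.*\]: $ei of $eh \[.*\] deleted \(.*\)/              \1/"
      echo "          Transfered $(grep -c "$D .* $eh .* $ei ftp" /var/log/xferlog) file(s)...."
      grep "$D .* $eh .* $ei ftp" /var/log/xferlog | grep -v "/home/$ei/" | sed "s/.* $D .*:.*:.* .* .* $eh .* \(.*\) . . . . $ei ftp . ./              \1/"
      echo
   done
done < "$TDIR/ftpusers"
# Anything that is neither a login, a delete nor a session close/timeout.
grep -v -e "LOGIN" -e "deleted" -e "FTP session closed" -e "User .* timed out after" "$TDIR/ftpd" > "$TDIR/ftpd.left"
if [ -s "$TDIR/ftpd.left" ]; then
   echo
   echo "Other FTPd Messages:"
   cat "$TDIR/ftpd.left"
fi
echo
echo "-----------------"
echo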




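# identd messages...
grep -v "NO-USER" "$TDIR/identd" | sed "s/$D .*:.*:.* $COMPNAME identd\[.*\]: //" > "$TDIR/identd.tmp"
sed -nf "$SEDSCRIPT1" "$TDIR/identd.tmp" > "$TDIR/identd.users"
echo
echo "Identd Lookups:"
# identd.users is expected to hold "<lookup>  <requester>" lines (two-space
# separator, as produced by $SEDSCRIPT1, which is not visible here).  Split
# each line at its last double space, count distinct pairs, then group them
# by the first field.  Fields are compared whole in awk; the old grep/sed
# version reused the log-derived text as a pattern and matched substrings.
sed 's/\(.*\)  \(.*\)/\1\t\2/' "$TDIR/identd.users" | LC_ALL=C sort | uniq -c \
   | awk -F'\t' '
      {
         n = $1
         sub(/^ */, "", n); sub(/ .*/, "", n)   # the uniq -c count
         sub(/^ *[0-9]* /, "", $1)               # the lookup key
         if ($1 != last) { print "   Lookups for " $1 ":"; last = $1 }
         if (NF > 1) print n " lookup(s) by " $2
      }'
mv "$TDIR/identd" "$TDIR/identd.tmp"
grep -v -e "Successful lookup" -e "Connection from" "$TDIR/identd.tmp" > "$TDIR/identd"
if [ -s "$TDIR/identd" ]; then
   echo
   echo "Other Identd Messages:"
   sed 's/^/   /' "$TDIR/identd"
fi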




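# PAM Messages....
echo
# "no username obtained" is routine chatter; everything else is shown raw.
grep -v "no username obtained" "$TDIR/pam" > "$TFILE"
if [ -s "$TFILE" ]; then
   echo "PAM Messages:"
   cat "$TFILE"
   echo
   echo
fi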

# Talkd messages...
   # the only 'talkd' messages I ever get are "Connection Refused"
   # errors... and I don't think any other talkd messages are even
   # worth looking at... so I'll ignore all of them...

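# Telnetd: nothing is filtered, every line for the day is shown indented.
if [ -s "$TDIR/telnetd" ]; then
   echo
   echo "Telnetd messages:"
   echo
   sed 's/^/   /' "$TDIR/telnetd"
   echo
   echo
fi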


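# sshd...
if [ -e /usr/sbin/sshd ]; then
   echo "SSHD Logins and failures:"
   # "ROOT LOGIN" and "fatal" lines were previously discarded together with
   # the key-generation chatter and appeared nowhere in the report; keep them
   # aside so they can be shown below.
   grep -e "ROOT LOGIN" -e "fatal" "$TDIR/sshd" > "$TFILE.1"
   grep -v -e "Generating" -e "Wrong response" -e "RSA key generation complete." -e "Closing connection to" -e "ROOT LOGIN" -e "fatal" "$TDIR/sshd" > "$TFILE"
   sed -n "s/$D .*:.*:.* $COMPNAME sshd\[.*\]: log://p" "$TFILE" > "$TDIR/sshd"
   # $SEDSCRIPT2 is not visible here; the trailing empty line it has always
   # been given is kept in case it relies on it to flush a final record.
   echo >> "$TDIR/sshd"
   sed -n -f "$SEDSCRIPT2" "$TDIR/sshd"
   if [ -s "$TFILE.1" ]; then
      echo "   ** sshd root logins / fatal errors **"
      sed 's/^/      /' "$TFILE.1"
   fi
   echo
fi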

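# kernel: every kernel line for the day is shown unfiltered.
if [ -s "$TDIR/kernel" ]; then
   echo
   echo "              ************ Kernel Errors ***********"
   echo
   cat "$TDIR/kernel"
   echo
   echo "              **************************************"
   echo
   echo
fi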





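echo
echo '***************************************************************'
echo

# /var/log/cron records jobs as "(MM/DD-...) CMD (command)"; pick the target
# day in that MM/DD form.  A date that date(1) cannot parse must not fall
# through as an empty DA, since "(-.*:.*:.*-.*)" would then match every line.
if [ $# -eq 0 ]; then
   # this means there were no arguments
   DA=$(date -d "yesterday" +"%m/%d")
else
   DA=$(date -d "$*" +"%m/%d") || { printf '%s: unrecognised date "%s"\n' "$0" "$*" >&2; exit 2; }
fi
echo "All programs executed by cron:"
grep "($DA-.*:.*:.*-.*)" /var/log/cron | sed 's/.* .* CMD (\(.*\))/   \1/' | sort -u
echo
echo
echo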


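# Secure log: "connect from" records become "<service> <client>".
grep "^$D" /var/log/secure | grep -v -e "warning:" -e "TRIES" -e "FAILED LOGIN" | sed "s/$D .*:.*:.* $COMPNAME \(.*\)\[.*\]: connect from \(.*\)/\1 \2/" > "$TFILE"
echo
echo "All Connections (/var/log/secure):"
# Split each line at its last space, count distinct service/client pairs and
# group them by service.  Fields are compared whole in awk; the old grep/sed
# version reused the log-derived text as a pattern and matched substrings.
sed 's/\(.*\) \(.*\)/\1\t\2/' "$TFILE" | LC_ALL=C sort | uniq -c \
   | awk -F'\t' '
      {
         n = $1
         sub(/^ */, "", n); sub(/ .*/, "", n)   # the uniq -c count
         sub(/^ *[0-9]* /, "", $1)               # the service name
         if ($1 != last) { print "   Connections for " $1 ":"; last = $1 }
         if (NF > 1) print n " connections(s) by " $2
      }'
# The "Other Identd Messages" block that used to follow here was a copy of
# the one in the identd section above and printed the same leftovers a
# second time; it has been dropped.
echo
echo
echo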

# Look for new incoming files...

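# Look for new incoming files...
# One metadata line plus the path for every entry below each directory,
# compared with the listing saved under $PERMDIR on the previous run.
# Names are printed by find exactly as found; a file name containing a
# newline would therefore show up as an extra, forged-looking line.
GLOBAL='Filename: %f, Size: %k, Perms: %m, Owners: %u:%g \n%p\n'
for i in $INCOMINGDIRS
do
   # Saved listing: the directory path with every "/" turned into "_".
   OLDFILE=$PERMDIR/${i//\//_}
   find "$i" -printf "$GLOBAL" > "$TFILE"
   echo "New Files in $i:"
   echo
   # diff's own output is the report; a zero status means nothing changed.
   # On the very first run there is no saved listing, so diff reports that
   # on stderr and the listing is simply saved for next time.
   if diff "$OLDFILE" "$TFILE"; then
      echo "No new files...."
   fi
   mv "$TFILE" "$OLDFILE"
   echo
   echo
done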

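# Remove the scratch directory; :? aborts rather than run "rm -rf" on an
# empty path, and -- keeps an odd TDIR value from being read as an option.
rm -rf -- "${TDIR:?}" 2> /dev/null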

# Disk usage, NFS exports and (if present) the mail queue round off the
# report, followed by the two mail statistics commands from the config file.
printf '\n\n\n%s\n\n' "File-systems..."
df

printf '\n\n\n%s\n\n' "NFS Exports....."
cat /etc/exports

if [ -e /usr/bin/mailq ]; then
   printf '\n\n\n%s\n\n' "Mail Queue....."
   mailq
   echo
fi
echo '***************************************************************'

# MAILSTATS and MAILLIST are set in /etc/dailyscript.conf; they stay
# unquoted, as before, so a configured value may carry its own arguments.
$MAILSTATS -azs

$MAILLIST -y
