#!/bin/bash # # A Munin Plugin to show auth stuff # Created by Dominik Schulz # http://developer.gauner.org/munin/ # Based on a work of "jintxo" # # Parameters understood: # # config (required) # autoconf (optional - used by munin-config) # # # Magic markers (optional - used by munin-config and installation # scripts): # #%# family=auto #%# capabilities=autoconf ############################# # Configuration ############################# MAXLABEL=20 STAT_FILE=/var/lib/munin/plugin-state/plugin-auth.state EXPR_BIN=/usr/bin/expr ############################# if [ "$1" = "autoconf" ]; then echo yes exit 0 fi if [ "$1" = "config" ]; then echo 'graph_title Auth Log Parser' echo 'graph_args --base 1000 -l 0' echo 'graph_vlabel Daily Auth Counters' echo 'graph_category system' echo 'illegal_user.label Illegal User' echo 'possible_breakin.label Breakin Attempt' echo 'authentication_failure.label Authentication Fail' echo 'valid_login.label Valid Login' exit 0 fi ############################# # Initialization ############################# if [ ! -r $STAT_FILE ]; then echo "ILL=0" > $STAT_FILE echo "POS=0" >> $STAT_FILE echo "AUT=0" >> $STAT_FILE echo "VAL=0" >> $STAT_FILE fi TODAY="`date '+%b'` `date '+%d' | sed 's/0\([0-9]\)/ \1/'`" ############################# ############################# # Illegal User ############################# echo -en "illegal_user.value " NEW_ILL=$(grep "Illegal user\|no such user" /var/log/auth.log | grep "^$TODAY" | wc -l) OLD_ILL=$(grep ILL $STAT_FILE | cut -f2 -d '=') ILL=$($EXPR_BIN $NEW_ILL - $OLD_ILL) if [ $ILL -gt 0 ]; then echo "$ILL" else echo "0" fi echo -n ############################# # Possible Breakins ############################# echo -en "possible_breakin.value " NEW_POS=$(grep -i "breakin attempt" /var/log/auth.log | grep "^$TODAY" | wc -l) OLD_POS=$(grep POS $STAT_FILE | cut -f2 -d '=') POS=$($EXPR_BIN $NEW_POS - $OLD_POS) if [ $POS -gt 0 ]; then echo "$POS" else echo "0" fi echo -n ############################# # Authentication Failures ############################# echo -en "authentication_failure.value " NEW_AUT=$(grep "authentication failure" /var/log/auth.log | grep "^$TODAY" | wc -l) OLD_AUT=$(grep AUT $STAT_FILE | cut -f2 -d '=') AUT=$($EXPR_BIN $NEW_AUT - $OLD_AUT) if [ $AUT -gt 0 ]; then echo "$AUT" else echo "0" fi echo -n ############################# # Valid Logins ############################# echo -en "valid_login.value " NEW_VAL=$(grep "sshd.*Accepted" /var/log/auth.log | grep "^$TODAY" | wc -l) OLD_VAL=$(grep VAL $STAT_FILE | cut -f2 -d '=') VAL=$($EXPR_BIN $NEW_VAL - $OLD_VAL) if [ $VAL -gt 0 ]; then echo "$VAL" else echo "0" fi echo -n ### # Save the current values ### echo "ILL=$NEW_ILL" > $STAT_FILE echo "POS=$NEW_POS" >> $STAT_FILE echo "AUT=$NEW_AUT" >> $STAT_FILE echo "VAL=$NEW_VAL" >> $STAT_FILE