import os
import sys
from optparse import OptionParser
import ParseLogs
#
# Logalyzer. Original: https://github.com/hatRiot/logalyzer
# Converted to python3.6 by @programmerchad
#
# callback for the user flag
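def user_call(option, opt_str, value, parser):
    """optparse callback for ``-u``: accept an *optional* user name.

    ``-u`` may be followed by a user name or by nothing at all ("blank
    lists all users").  optparse cannot declare an optional argument, so
    this callback inspects the not-yet-parsed arguments itself.

    Args:
        option: the Option being processed (its ``dest`` is ``"user"``).
        opt_str: the flag as typed on the command line (``-u``).
        value: unused; ``-u`` is declared without a fixed argument.
        parser: the OptionParser.  ``parser.rargs`` holds the remaining
            arguments and ``parser.values`` receives the result.

    Side effects:
        Sets ``parser.values.<dest>`` to the consumed user name, or to
        None when ``-u`` is the last argument or is directly followed by
        another flag.  A consumed name is removed from ``parser.rargs``
        so it is not re-parsed as a positional argument, and a following
        flag (``-u -i``) is never mistaken for the user name.
    """
    remaining = parser.rargs
    if remaining and not remaining[0].startswith("-"):
        # consume the name so optparse does not see it again
        value = remaining.pop(0)
    else:
        value = None
    setattr(parser.values, option.dest, value)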
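def _build_parser():
    """Build the command-line parser.

    Returns:
        An OptionParser whose parsed values carry ``user``, ``fullu``,
        ``log``, ``fail``, ``success``, ``commands`` and ``ip``.
    """
    parser = OptionParser(epilog=
        "Combine flags to view user-specific information. \'-u test -i\' lists IP addresses "
        "associated with user test")
    # -u takes an optional user name, which optparse cannot declare
    # directly; the user_call callback inspects the remaining arguments.
    parser.add_option("-u", help="Specify user. Blank lists all users.", action="callback",
                      callback=user_call, default=None, dest="user")
    parser.add_option("--full", help="Full log dump for specified user", action="store_true",
                      default=False, dest="fullu")
    parser.add_option("-l", help="Specify log file. Default is auth.log", default=None, dest="log")
    parser.add_option("-f", help="List failures", action="store_true", default=False, dest="fail")
    parser.add_option("-s", help="List success logs", action="store_true", default=False, dest="success")
    parser.add_option("-c", help="List commands by user", action="store_true", default=False, dest="commands")
    parser.add_option("-i", help="List IP Addresses", action="store_true", default=False, dest="ip")
    return parser


# (option flag, per-user record attribute) pairs for the cross-user
# listings, in the precedence the flags are honoured: -c, then -f, then -i.
_ALL_USER_LISTINGS = (
    ("commands", "commands"),
    ("fail", "fail_logs"),
    ("ip", "ips"),
)


def _print_section(title, entries):
    """Print ``title`` followed by each entry on its own tab-indented line."""
    print(title)
    for entry in entries:
        print("\t", entry)


def _print_all_users_listing(LOGS, options):
    """Print one cross-user listing chosen by -c, -f or -i (no -u given).

    Each line is ``<user>:\\t<entry>``.

    Returns:
        True if a listing was printed, False if none of the three flags is set.
    """
    for flag, attr in _ALL_USER_LISTINGS:
        if getattr(options, flag):
            for user in LOGS:
                for entry in getattr(LOGS[user], attr):
                    print(f"{user}:\t{entry}")
            return True
    return False


def _print_user_listing(LOGS, options):
    """Print the information selected by the flags for ``options.user``.

    Exactly one of -c / -s / -f / -i is honoured (in that precedence); with
    none of them set the full summary (first/last date, failures, successes,
    IPs, commands) is printed.  --full additionally dumps the raw log lines.
    The caller has already verified that the user exists in LOGS.
    """
    user = options.user
    record = LOGS[user]
    if options.commands:
        _print_section(f"[+] Commands for user \'{user}\'", record.commands)
    elif options.success:
        _print_section(f"[+] Successes logs for user \'{user}\'", record.succ_logs)
    elif options.fail:
        _print_section(f"[+] Failures for user \'{user}\'", record.fail_logs)
    elif options.ip:
        _print_section(f"[+] Logged IPs for user \'{user}\'", record.ips)
    else:
        print(f"[!] Logs associated with user \'{user}\'")
        print('[+] First log: ', record.first_date())
        print('[+] Last log: ', record.last_date())
        _print_section("[!] Failure Logs", record.fail_logs)
        _print_section("[!] Success Logs", record.succ_logs)
        _print_section("[!] Associated IPs", record.ips)
        _print_section("[!] Commands", record.commands)
    if options.fullu:
        # raw log lines are printed verbatim, without the tab indent
        print("[!] Full Log")
        for line in record.logs:
            print(line)


def main():
    """Entry point: parse options, load the log file and print what was asked.

    Exits with status 1 when the default log needs root and the caller is
    not root, when the log cannot be parsed, or when the requested user does
    not appear in the log.  A completed listing exits 0 (the cross-user
    listings previously exited 1 even on success).
    """
    # default location
    log = '/var/log/auth.log'
    options, _args = _build_parser().parse_args()

    # the default auth.log is only readable by root; a user-supplied -l path
    # is handed to ParseLogs as-is, and this script treats None as failure
    if os.getuid() != 0 and options.log is None:
        print("[-] Please run with SUDO")
        sys.exit(1)
    if options.log is not None:
        log = options.log

    LOGS = ParseLogs.ParseLogs(log)
    if LOGS is None:
        sys.exit(1)

    # a user name that never appears in the log is a hard error; an empty
    # name (-u "") is treated like a blank -u
    if options.user and options.user not in LOGS:
        print(f"[-] User \'{options.user}\' is not present in the logs.")
        sys.exit(1)

    # tag the log location first so it heads every listing
    print('[!] Log file: ', log)

    if options.user:
        _print_user_listing(LOGS, options)
    elif not _print_all_users_listing(LOGS, options):
        # blank -u, or no flags at all: list every user seen in the log
        for user in LOGS:
            print(user)


if __name__ == "__main__":
    main()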