#!/bin/ksh

# $Id: chk_security,v 1.1 2023/03/27 16:20:34 root Exp root $
#
# (c) Copyright Fortra, LLC. and its group of companies.
#

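# Version string for the help banner: fields 3-6 (name,v revision date time)
# of the RCS "Id" keyword line near the top of this file.  Only the first
# match is used so the variable is always a single line, and the bracket
# expression in the pattern keeps grep from matching this line itself.
hold4now=$(grep '\$Id[:]' "${0}" | awk 'NR == 1 {print $3,$4,$5,$6}')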

#&& Summarises failed remote-login attempts on AIX (/etc/security/failedlogin via fwtmp) and Linux (/var/log/auth.log, " Ban " mails in /var/mail/root)

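# Print the help text on stdout (the reply to -h/-H and to a bare invocation).
# Globals: hold4now (read) - version string taken from the RCS Id keyword line.
# Defined POSIX-style (name()) rather than with the ksh "function" keyword:
# inside a ksh function-keyword function $0 is the function's own name, which
# is presumably why the transcript at the bottom of this file reads
# "usage: usage [options]" instead of the script name.
# -b/-U/-r read Linux sources; -f/-i/-d/-u/-l read the AIX failed-login database.
usage() {
  printf '\nRunning help %s\n\n' "${hold4now}"
  cat <<EOF
usage: $0 [options]
  where options may be any of:
        -b List the counts of recent attempts to connect to linux server
        -U List of invalid users attempts to connect to linux server
        -r List of attempts to connect root to linux server
        -f List the location of the security database for possible
           deletion/removal if it gets too big. (archive or compress copy?) AIX
        -i Sort by ip addresses uniq count and sort again by the number of
           times an ip shows up. AIX
        -d List by date uniq count. AIX
           (Can be piped to 'sort -n' to see which date is higher)
        -u Sort by user uniq count. AIX
        -l Normal list of all security data AIX
        -H Help
        -h Help

EOF
}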

# No first argument at all: show the help text, then fall through to the
# option loop (which finds nothing to do) and the final exit.
[ -z "${1}" ] && usage

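# Option dispatch.  Every arm prints one report and exits, so only the first
# recognised option takes effect.  Linux sources: /var/mail/root (-b) and
# /var/log/auth.log (-U, -r).  AIX source: the failed-login database read
# through fwtmp (-f, -i, -d, -u, -l).  Reading these files normally requires
# root.  A missing input now yields a short stderr message and exit status 1
# (the Linux arms used to exit 0 silently; the AIX arms used to die on a bare
# redirection error).
#
# Caveat for whoever reads the output: the user names, hosts and addresses in
# these records are whatever the remote side typed at the login prompt
# (including passwords mistyped into the user field), so treat the output as
# untrusted text -- e.g. pipe it through "cat -v" before pasting it anywhere
# that interprets terminal escape sequences.  The hard-coded awk field
# numbers assume the classic "Mon DD HH:MM:SS host prog[pid]:" syslog prefix
# and one-word user names; an RFC 3339 timestamp or a user name containing
# spaces shifts the columns.
failedlogin_db=/etc/security/failedlogin
fwtmp=/usr/sbin/acct/fwtmp

# Succeed when $1 is a regular file; otherwise say so on stderr and fail.
# POSIX-style definition so $0 stays the script name under ksh.
need_file() {
  [ -f "${1}" ] && return 0
  echo "${0}: ${1}: no such file, nothing to report" >&2
  return 1
}

# Succeed when the AIX failed-login database and the fwtmp converter are both
# usable; otherwise explain on stderr and fail.
have_failedlogin() {
  need_file "${failedlogin_db}" || return 1
  if [ ! -x "${fwtmp}" ]; then
    echo "${0}: ${fwtmp} not found; the AIX accounting tools are required" >&2
    return 1
  fi
  return 0
}

while getopts "bUrfidulHh" opt ; do
  case $opt in
    b)  # Count " Ban " lines in root's mailbox by their last word (fits
        # fail2ban's ban notices, where the banned address comes last, but
        # any mail containing that word is counted).
        need_file /var/mail/root \
        && grep " Ban " /var/mail/root \
           | awk '{print $NF}' \
           | sort \
           | uniq -c
        exit ;;
    U)  # Failed passwords for non-existent users, one count per distinct
        # "IP host invalid user NAME" line (classic syslog layout assumed);
        # "[preauth]" disconnect lines are dropped.
        need_file /var/log/auth.log \
        && grep -i "for invalid user" /var/log/auth.log \
           | grep -v preauth \
           | awk '{print $13, $4, $9, $10, $11}' \
           | sort -n \
           | uniq -c
        exit ;;
    r)  # Failed root passwords, one count per distinct
        # "IP Failed password for root" line (classic syslog layout assumed).
        need_file /var/log/auth.log \
        && grep -i " Failed password for root " /var/log/auth.log \
           | awk '{print $11, $6, $7, $8, $9 }' \
           | sort -n \
           | uniq -c
        exit ;;
    f)  # Show where the AIX database lives and how big it has grown.
        ls -al "${failedlogin_db}"
        exit ;;
    i)  # Per-source counts: fwtmp field 8 (presumably the remote host),
        # user and line, counted and then ordered by count ascending.
        have_failedlogin \
        && "${fwtmp}" < "${failedlogin_db}" \
           | awk '{print  $8, $1, $2 }' \
           | sort \
           | uniq -c \
           | sort -n
        exit ;;
    d)  # Per-date counts over the trailing date fields of each record
        # (NF-2 skipped).  No sort first: uniq -c counts consecutive identical
        # dates, which keeps the order of the file (chronological, assuming
        # the records were appended in order).
        have_failedlogin \
        && "${fwtmp}" < "${failedlogin_db}" \
           | awk '{print $(NF-5), $(NF-4), $(NF-3), $(NF-1), $(NF) }' \
           | uniq -c
        exit ;;
    u)  # Per-user counts (fwtmp field 1).
        have_failedlogin \
        && "${fwtmp}" < "${failedlogin_db}" \
           | awk '{print  $1 }' \
           | sort \
           | uniq -c
        exit ;;
    l)  # Raw fwtmp text of the whole database.
        have_failedlogin && "${fwtmp}" < "${failedlogin_db}"
        exit ;;
    H|h)
        usage
        exit ;;
    *)  # getopts has already reported the unknown option on stderr.
        usage
        exit 1 ;;
  esac
done

exit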

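## Nothing below this point is reached (see the exit above).  It used to hold
## four empty "if ... then fi" stubs for positional modes (no argument,
## "file", "date", "ip") that were never written.  An empty then-body is a
## syntax error in ksh and bash, so the stubs are recorded as this comment
## instead; the option-driven equivalents are -f, -d and -i.
##
## Housekeeping note: /etc/security/failedlogin grows without bound.  When it
## gets too big, archive or compress a copy first (as the -f help text
## suggests) and then truncate it in place, e.g.
## "cat /dev/null > /etc/security/failedlogin", rather than removing the
## file, so its owner and permissions are preserved.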

#& 
#& # chk_security
#&
#& Running help chk_security,v #.# YYYY/MM/DD hh:mm:ss
#&
#& usage: usage [options]
#&   where options may be any of:
#&         -f List the location of the security database for possible
#&            deletion/removal if it gets too big. (archive or compress copy?)
#&         -i Sort by ip addresses uniq count and sort again by the number of
#&            times an ip shows up.
#&         -d List by date uniq count.
#&            (Can be piped to 'sort -n' to see which date is higher)
#&         -l Normal list of all security data
#&         -H Help
#&         -h Help
#&

