Listing 1 Alert to IT for policy violations during VPN log-in
#!/bin/bash
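#######################################
# Strip the netmask from the address token in AD.
# Globals:   AD (read) - the raw address token taken from the syslog line
# Outputs:   the cleaned address on stdout, as rewritten by fixip.sed.in
#            (the sed script is not shown here; presumably it drops the mask)
#######################################
getip() {
  # quoted + printf: an unquoted `echo $AD` would word-split and glob the
  # token, which comes from a log line the remote user can influence
  printf '%s\n' "$AD" | sed -f /opt/vpnscan/bin/fixip.sed.in
}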
#######################################
# Build a timestamp suitable for use in a file name.
# Outputs:   the current `date` output on stdout after fixdate.sed.in has
#            rewritten it (the sed script is not shown here; the caller's
#            comment says it swaps spaces for underscores)
#######################################
timetofn() {
  local stamp
  stamp=$(date)
  sed -f /opt/vpnscan/bin/fixdate.sed.in <<<"$stamp"
}
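#######################################
# Join the lines of the denied-services file into one basic-regex
# alternation: "svc1\|svc2\|svc3".
# Arguments: $1 - path of the deny list (optional; defaults to the
#                 installed /opt/vpnscan/etc/services.deny)
# Outputs:   the joined pattern on stdout
# Returns:   sed's status (non-zero if the file cannot be read)
#######################################
nocrlf() {
  local deny_file=${1:-/opt/vpnscan/etc/services.deny}
  # No `exec` here: the original exec'd sed, which is harmless inside a
  # $(...) subshell but would replace the whole script if ever called
  # directly. The sed loop appends each next line (N) and rewrites the
  # embedded newline as the literal two characters "\|" until the last line.
  sed -e :a -e '$!N;s/\n/\\\|/;ta' -e 'P;D' <"$deny_file"
}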
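#
# get all of the variables that drive this script
#
# Resolve the config relative to this script instead of the caller's cwd
# (when invoked by bare name from .../bin this is the same ../etc path).
# vpnscan.cf is expected to define BASEDIR, NESSUSSERVER, NESSUSUSR,
# NESSUSPWD, REPORTDIR and ALERTUSR - confirm against the installed file.
source "$(dirname -- "$0")/../etc/vpnscan.cf"
: "${BASEDIR:?not set by vpnscan.cf}"
: "${REPORTDIR:?not set by vpnscan.cf}"
#
# get the list of denied services, joined into one grep alternation
#
FAILSTR=$(nocrlf)
# an empty deny list would make the grep below match every report line
if [[ -z "$FAILSTR" ]]; then
  printf 'services.deny produced an empty pattern; not scanning\n' >&2
  exit 1
fi
#
# test echo to verify services.deny file format
#
printf '%s\n' "$FAILSTR"
#
# test echo for diag testing of swatch.conf
#
printf 'all args %s\n' "$*"
# /bin/sh will only see the first 9 args
# /bin/bash will go past 9, using shift
# first, kill the first 13 tokens in the syslog statement; a truncated line
# would otherwise leave the userid/address empty, so refuse it up front
if (( $# < 16 )); then
  printf 'expected at least 16 syslog tokens, got %d\n' "$#" >&2
  exit 1
fi
shift 13
# now, arg 1 is the userid
# arg 3 is the public (internet) address
AD=$3
WHO=$1
# Both tokens come from a log line the remote user can influence and end up
# in file names under REPORTDIR, so allow only a conservative character set
# (no "/", "..", whitespace or a leading "-"). Widen the userid class if
# your ids legitimately contain other characters.
if ! [[ "$WHO" =~ ^[A-Za-z0-9._@-]+$ ]]; then
  printf 'rejecting unexpected userid token: %s\n' "$WHO" >&2
  exit 1
fi
# Trim the mask off the ip
IP=$(getip)
if ! [[ "$IP" =~ ^[0-9A-Fa-f.:]+$ ]]; then
  printf 'rejecting unexpected address token: %s\n' "$IP" >&2
  exit 1
fi
# get the date with underscores instead of spaces
NOW=$(timetofn)
SCANFILE="$BASEDIR/tmp/scan_$NOW"
REPORT="$REPORTDIR/${WHO}_${IP}_${NOW}.html"
# dump the ip into the input file for snort
printf '%s\n' "$IP" >"$SCANFILE"
# NOTE: the nessus client takes the password as an argument, so NESSUSPWD is
# visible in the process list to every local user while the scan runs.
/opt/nessus/bin/nessus -T html -x -q "$NESSUSSERVER" 1241 \
  "$NESSUSUSR" "$NESSUSPWD" "$SCANFILE" "$REPORT"
rm -f -- "$SCANFILE"
# FAILSTR is a basic-regex alternation (svc1\|svc2\|...). NOTE(review): the
# trailing $ binds only to the last alternative; group it as "\($FAILSTR\)$"
# if every denied service is meant to be end-of-line anchored.
if grep -q -- "$FAILSTR$" "$REPORT"; then
  mutt -a "$REPORT" -s \
    "Userid $WHO failed Security Scan on VPN connect" \
    "$ALERTUSR" <"$BASEDIR/bin/failscan.msg.in"
  printf '%s\n' "${WHO}_${IP}_${NOW}" >>/var/log/swatcher.log
fi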