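#!/bin/bash
# Name: report-access-user.sh
# Description: Report what hosts a FreeIPA user has access to, by walking
#   user -> member groups -> HBAC rules -> host groups / hosts.
# Usage: ./report-access-user.sh -u USERNAME   (prompts for USERNAME when -u is omitted)
# Requirements: the `ipa` client command and a Kerberos ticket that can read
#   users, groups, HBAC rules and host groups. When no ticket is present the
#   script prompts for a kinit as $admin_user.
# Known limitations (the script only walks direct group membership):
#   - access granted through direct user membership in an HBAC rule, or
#     through a rule whose user category is "all", is not reported;
#   - nested (indirect) group membership and nested host groups are not
#     expanded; only the "Member hosts:" of each host group are listed.
# Last Modified: 2017-08-08
# Recent Changes: -Initial Release
###############################################################################################
set -euo pipefail

##### Customize These Variables #####
# IPA admin user used for the kinit prompt when no ticket is present
admin_user="admin"
##### End of Customize Variables #####

#=====================================
# Functions; Main starts after
#=====================================

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '>> ERROR! %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage text to stdout.
#######################################
show_usage() {
  cat <<'EOF'

==== Report: User Access ====

Description: Report what hosts a user has access to.

--Usage--
./report-access-user.sh -u USERNAME

-OPTIONS-
-h => Display usage.
-u USERNAME => Name of user to check access for.

--Other Requirements--
-> FreeIPA admin access.

EOF
}

#######################################
# Extract one labelled field from an `ipa <object>-show` record.
# Arguments: $1 - record text (the stdout of `ipa <object>-show NAME`)
#            $2 - field label exactly as ipa prints it, including the colon,
#                 e.g. "Member of groups:"
# Outputs:   the text after the label with surrounding whitespace stripped;
#            nothing when the label is not in the record
#######################################
record_field() {
  local record=$1 label=$2
  # Match the label only at the start of the (indented) line so that
  # "Hosts:" does not match "Member hosts:" or "Host Groups:".
  awk -v label="$label" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, label) == 1 {
      sub(/^[^:]*:[ \t]*/, "", line)
      print line
      exit
    }
  ' <<<"$record"
}

#######################################
# Report the member hosts of one host group.
# Arguments: $1 - host group name
# Outputs:   report lines on stdout
# Returns:   exits via die when the host group cannot be read
#######################################
report_hostgroup() {
  local hostgroup=$1 record hosts
  printf -- '----> Host Group: %s\n' "$hostgroup"
  record=$(ipa hostgroup-show "$hostgroup") \
    || die "unable to read host group: ${hostgroup}"
  hosts=$(record_field "$record" "Member hosts:")
  printf -- '------> Hosts: %s\n\n' "${hosts:-(none)}"
}

#######################################
# Report the hosts reachable through one HBAC rule.
# Arguments: $1 - HBAC rule name
# Outputs:   report lines on stdout
# Returns:   exits via die when the rule cannot be read
#######################################
report_rule() {
  local rule=$1 record enabled host_category host_groups hosts hg
  local -a hgs=()
  printf -- '--> HBAC Rule: %s\n' "$rule"
  # One ipa call per rule; every field below is picked out of this record.
  record=$(ipa hbacrule-show "$rule") || die "unable to read HBAC rule: ${rule}"

  # A disabled rule grants no access, so do not list its hosts as reachable.
  enabled=$(record_field "$record" "Enabled:")
  if [[ "$enabled" == "FALSE" ]]; then
    printf -- '----> Rule is DISABLED; it grants no access.\n'
    return 0
  fi

  # Host category "all" means every enrolled host; nothing else to expand.
  host_category=$(record_field "$record" "Host category:")
  if [[ "${host_category%% *}" == "all" ]]; then
    printf -- '----> Host access is: All\n'
    return 0
  fi

  host_groups=$(record_field "$record" "Host Groups:")
  hosts=$(record_field "$record" "Hosts:")
  IFS=', ' read -r -a hgs <<<"$host_groups"
  if (( ${#hgs[@]} == 0 )) && [[ -z "$hosts" ]]; then
    printf -- "----> No hosts or host groups in rule and not set to access 'all' hosts either.\n"
    return 0
  fi

  # Hosts added to the rule directly, outside any host group.
  if [[ -n "$hosts" ]]; then
    printf -- '----> Hosts (direct members): %s\n\n' "$hosts"
  fi
  for hg in "${hgs[@]}"; do
    report_hostgroup "$hg"
  done
}

#######################################
# Entry point: parse options, ensure a Kerberos ticket, run the report.
# Globals:   admin_user (read), OPTIND (written)
# Arguments: script arguments ("$@")
#######################################
main() {
  local user_name="" opt user_groups hbac_rules group rule
  local -a groups=() rules=()

  #=======================
  # Get Script Arguments
  #=======================
  # Reset in case getopts was used earlier in this shell.
  OPTIND=1
  while getopts "hu:" opt; do
    case "$opt" in
      h) # -h (help) argument
        show_usage
        exit 0
        ;;
      u) # -u USERNAME argument
        user_name=$OPTARG
        ;;
      *) # invalid argument or missing option value: usage error, not success
        show_usage >&2
        exit 2
        ;;
    esac
  done

  #===================
  # Pre-checks: Make sure we have good options set
  #===================
  command -v ipa >/dev/null || die "the 'ipa' client command is not installed or not in PATH"

  # klist -s only tests that the default credential cache holds a valid
  # ticket; it does not verify that the principal is ${admin_user}.
  if ! /usr/bin/klist -s; then
    printf '>>No kerberos ticket found for (%s), login as %s now:\n' "$admin_user" "$admin_user"
    /usr/bin/kinit "$admin_user" || die "kinit as ${admin_user} failed"
    echo
  fi

  #===================
  # Main starts here
  #===================
  printf '%s\n' \
    "================================================" \
    "####========= Report: User Access ==========####" \
    "================================================" \
    "" \
    "This script will report all hosts that a given user has access to."

  ## If no username given, prompt ##
  if [[ -z "$user_name" ]]; then
    printf -- '-> Username to check access for: '
    IFS= read -r user_name || die "no username given"
  fi
  [[ -n "$user_name" ]] || die "no username given"
  # The name is passed to ipa as a single argument; reject values that would
  # be read as an option or that cannot be a FreeIPA login.
  [[ "$user_name" != -* && "$user_name" != *[[:space:]]* ]] \
    || die "invalid username: ${user_name}"
  printf -- '-> Checking access for: %s\n' "$user_name"

  #- Get all of the groups a user is a part of (one ipa call; also validates the user)
  user_groups=$(ipa user-show "$user_name") \
    || die "Was unable to get information on username: ${user_name}. Ensure you have the correct username. Exiting..."
  user_groups=$(record_field "$user_groups" "Member of groups:")
  IFS=', ' read -r -a groups <<<"$user_groups"
  if (( ${#groups[@]} == 0 )); then
    printf '>> User (%s) is not a member of any group.\n' "$user_name"
  fi

  # For each group, determine if it is part of a HBAC rule
  for group in "${groups[@]}"; do
    printf '\n>> Group: %s\n' "$group"
    hbac_rules=$(ipa group-show "$group") || die "unable to read group: ${group}"
    hbac_rules=$(record_field "$hbac_rules" "Member of HBAC rule:")
    IFS=', ' read -r -a rules <<<"$hbac_rules"
    if (( ${#rules[@]} == 0 )); then
      # No rules found, move on to next group name
      printf -- '-> Group (%s) is NOT in any HBAC rules.\n' "$group"
      continue
    fi
    # Group is a part of HBAC Rule(s); report the hosts each rule reaches
    for rule in "${rules[@]}"; do
      report_rule "$rule"
    done
  done

  printf '\n%s\n' \
    "====================================" \
    "=- Report: User Access Completed. -=" \
    "===================================="
}

main "$@"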