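#!/bin/bash
# Name: report-access-host.sh
# Description: Report what users/groups have access to a host
# Last Modified: 2017-08-03
# Recent Changes:-Initial Release
#
# Usage: ./report-access-host.sh -n HOSTNAME
#
# Flow: ensure a Kerberos ticket is cached (kinit as ${admin_user} if not),
# look the host up with `ipa host-show`, read the HBAC rule named in that
# output, list the rule's user groups with `ipa hbacrule-show`, and print the
# member users of each group from `ipa group-show`.
#
# All values passed to `ipa` (hostname from -n / the prompt, rule and group
# names read back from the directory) are quoted so each is handed over as a
# single argument; nothing is ever eval'd.
###############################################################################

##### Customize These Variables #####
# IPA principal used for kinit when no ticket is cached.
admin_user="admin"
##### End of Customize Variables #####

# Host to report on; set by -n, or prompted for in main if still empty.
system_name=""

#=====================================
# Functions; Main starts after
#=====================================

#######################################
# Print the usage/help text to stdout.
# Globals:   none
# Arguments: none
# Returns:   0
#######################################
function show_usage {
  printf '\n%s\n' "==== Report: Host Access ===="
  printf '\n%s\n' "Description: Report what users/groups have access to a host."
  printf '\n%s\n' "--Usage--"
  printf '%s\n' "./report-access-host.sh -n HOSTNAME"
  printf '\n%s\n' "-OPTIONS-"
  printf '%s\n' "-h => Display usage."
  printf '%s\n' "-n HOSTNAME => Name of host to check access for."
  printf '\n%s\n' "--Other Requirements--"
  printf '%s\n' "-> FreeIPA admin access."
  printf '\n'
}

#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1
while getopts "hn:" opt; do
  case "${opt}" in
    h)
      # -h (help) argument
      show_usage
      exit 0
      ;;
    n)
      # -n HOSTNAME argument
      system_name="${OPTARG}"
      ;;
    *)
      # Unknown option or missing option argument: show usage and fail, so a
      # bad invocation is not reported as success to a calling script.
      show_usage
      exit 1
      ;;
  esac
done

#===================
# Pre-checks: Make sure we have good options set
#===================
# See if we have a kerberos ticket, if not, prompt login.
# NOTE: klist -s only checks that *some* valid ticket is cached; it does not
# confirm the cached principal is ${admin_user}. If a different principal is
# cached, the ipa calls below will fail with the directory's own error.
if ! /usr/bin/klist -s; then
  printf '%s\n' ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
  # A failed kinit (wrong password, unreachable KDC) must stop the run;
  # otherwise every ipa call below fails and the host is reported as unknown.
  if ! /usr/bin/kinit "${admin_user}"; then
    printf '%s\n' ">> ERROR! kinit for ${admin_user} failed. Exiting..." >&2
    exit 1
  fi
  printf '\n'
fi

#===================
# Main starts here
#===================
printf '%s\n' "================================================"
printf '%s\n' "####========= Report: Host Access ==========####"
printf '%s\n' "================================================"
printf '\n'
printf '%s\n' "This script will report all users/groups that have access to a given host."

## If no hostname given, prompt ##
if [[ -z "${system_name}" ]]; then
  printf '%s' "-> Hostname to check access for: "
  read -r system_name
fi
# An empty name would make `ipa host-show` prompt interactively; refuse it.
if [[ -z "${system_name}" ]]; then
  printf '%s\n' ">> ERROR! No hostname given. Exiting..." >&2
  exit 1
fi
printf '%s\n' "-> Checking access for: ${system_name}"

# Look the host up once and keep the output; it is reused for the HBAC rule
# lookup below. ipa's own stderr is left visible so an unknown host and an
# insufficient-privilege failure can be told apart.
host_info=""
if ! host_info="$(ipa host-show "${system_name}")"; then
  printf '%s\n' ">> ERROR! Was unable to get information on hostname: ${system_name}" >&2
  printf '%s\n' ">> Ensure you have the correct hostname. Exiting..." >&2
  exit 1
fi

# Get the HBAC rule a host is a part of: the value after the colon on the
# "HBAC rule" line, with surrounding whitespace trimmed so it can be quoted.
# TODO(review): if the host is in several rules this field is a comma-separated
# list and only a single rule is handled here — confirm against ipa output.
hbac_rule="$(awk -F: '/HBAC rule/ { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }' <<< "${host_info}")"
if [[ -z "${hbac_rule}" ]]; then
  printf '%s\n' ">> ERROR! No HBAC rule found for hostname: ${system_name}. Exiting..." >&2
  exit 1
fi

# Get all user groups in the HBAC rule (remove commas so the list can be split
# on whitespace into an array).
user_groups="$(ipa hbacrule-show "${hbac_rule}" | awk -F: '/User Groups/ {print $2}' | sed 's/,//g')"

printf '\n%s\n' ">> HBAC Rule Controlling Access: ${hbac_rule}"
printf '\n%s\n' "The following groups/users have access to the system via the HBAC rule."

# Split on whitespace (IFS), including newlines, without glob expansion.
# `read -d ''` returns non-zero at end of input even though the array is
# filled, hence the `|| true`.
group_list=()
read -r -d '' -a group_list <<< "${user_groups}" || true

# For each user group, display the group name and user accounts
for group_name in "${group_list[@]}"; do
  printf '\n%s\n' ">> Group Name: ${group_name}"
  # Get group's user list
  user_list="$(ipa group-show "${group_name}" | awk -F: '/Member users/ {print $2}')"
  # Display all users
  printf '%s\n' "--> Users in Group: ${user_list}"
done

printf '\n%s\n' "===================================="
printf '%s\n' "=- Report: Host Access Completed. -="
printf '%s\n' "===================================="
exit 0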