
FreeIPA Report Access Host

General Information

Report what users/groups have access to a host.

Checklist


The Script

report-access-host.sh
#!/bin/bash
# Name: report-access-host.sh
# Description: Report what users/groups have access to a host
# Last Modified: 2017-08-03
# Recent Changes:-Initial Release
###############################################################################################
 
##### Customize These Variables #####
# IPA admin user
# Principal used for kinit when no Kerberos ticket is cached.
admin_user='admin'
##### End of Customize Variables #####
 
#=====================================
# Functions; Main starts after
#=====================================
#######################################
# Print the usage text for this script to stdout.
# Arguments: none
# Outputs:   usage/help text (same lines as the original echo sequence)
# Returns:   0
#######################################
show_usage() {
  # Quoted delimiter: nothing inside the here-doc is expanded.
  cat <<'EOF'

==== Report: Host Access ====

Description: Report what users/groups have access to a host.

--Usage--
./report-access-host.sh -n HOSTNAME

-OPTIONS-
-h                    => Display usage.
-n HOSTNAME           => Name of host to check access for.

--Other Requirements--
-> FreeIPA admin access.

EOF
}
 
#=======================
# Get Script Arguments
#=======================
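# Reset getopts' index in case getopts already ran in this shell (e.g. when sourced).
OPTIND=1
# Host to report on; left empty here, the script prompts for it later.
system_name=""

while getopts "hn:" opt; do
  case "${opt}" in
    h) # -h: print usage and stop
      show_usage
      exit 0
      ;;
    n) # -n HOSTNAME: host to check access for
      system_name="${OPTARG}"
      ;;
    *) # unknown option or -n without an argument: this is a usage error, so
       # print the help on stderr and exit non-zero (it previously exited 0,
       # which made a mistyped invocation look successful to callers).
      show_usage >&2
      exit 1
      ;;
  esac
done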
 
#===================
# Pre-checks: Make sure we have good options set
#===================
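# The ipa commands below need a valid Kerberos ticket; prompt for one if none
# is cached. NOTE: `klist -s` only reports that *some* unexpired ticket exists,
# not that it belongs to ${admin_user}; a ticket for another principal passes
# this check and the later ipa calls then run as that principal.
if ! /usr/bin/klist -s; then
  echo ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
  # A failed or cancelled kinit used to be ignored and the report carried on
  # with every later ipa call failing; stop here instead.
  if ! /usr/bin/kinit "${admin_user}"; then
    echo ">> ERROR! Could not obtain a Kerberos ticket for ${admin_user}. Exiting..." >&2
    exit 1
  fi
  echo
fi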
 
#===================
# Main starts here
#===================
# Report banner; quoted delimiter keeps the text literal.
cat <<'EOF'
================================================
####========= Report: Host Access ==========####
================================================

This script will report all users/groups that have access to a given host.
EOF
 
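## If no hostname given, prompt ##
if [[ -z "${system_name}" ]]; then
  printf '%s' "-> Hostname to check access for: "
  # -r keeps backslashes in the typed name literal instead of interpreting them.
  read -r system_name
  # An empty answer (or EOF on stdin) would otherwise reach `ipa host-show`
  # with no argument; fail early with a clear message instead.
  if [[ -z "${system_name}" ]]; then
    echo ">> ERROR! No hostname given. Exiting..." >&2
    exit 1
  fi
fi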
 
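echo -e "-> Checking access for: ${system_name}"
# Quote the hostname so a value containing spaces or glob characters reaches
# ipa as a single argument; test the command directly rather than via $?.
if ! ipa host-show "${system_name}" > /dev/null 2>&1; then
  echo ">> ERROR! Was unable to get information on hostname: ${system_name}" >&2
  echo ">> Ensure you have the correct hostname. Exiting..." >&2
  exit 1
fi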
 
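#######################################
# Print the trimmed value of the first "Label: value" line in $1 whose label
# is exactly $2 (empty output when the label is absent).
# Arguments: $1 - multi-line `ipa ...-show` output
#            $2 - field label, e.g. 'User Groups'
# Outputs:   the field value on stdout
#######################################
rule_field() {
  awk -F: -v label="$2" '$1 ~ "^[ \t]*" label "$" {
      sub(/^[ \t]+/, "", $2)
      sub(/[ \t]+$/, "", $2)
      print $2
      exit
    }' <<<"$1"
}

# Collect every HBAC rule the host is a member of. `ipa host-show` prints both
# direct and (via host groups) indirect rule membership on lines containing
# "HBAC rule", each a comma-separated list, so the old single-string
# `hbac_rule` held several names whenever more than one rule applied and
# `ipa hbacrule-show` was then called with all of them as arguments. Split
# on commas and trim whitespace instead of relying on word-splitting.
# NOTE: a rule whose host category is 'all' (the default allow_all rule, for
# example) grants access without listing the host, so it never appears here.
hbac_rules=()
while IFS= read -r rule_name; do
  hbac_rules+=("${rule_name}")
done < <(
  ipa host-show "${system_name}" \
    | awk -F: '/HBAC rule/ {
        n = split($2, names, ",")
        for (i = 1; i <= n; i++) {
          gsub(/^[ \t]+|[ \t]+$/, "", names[i])
          if (names[i] != "") print names[i]
        }
      }'
)

if [[ "${#hbac_rules[@]}" -eq 0 ]]; then
  echo -e "\n>> No HBAC rule lists ${system_name} as a member (directly or via a host group)."
  echo -e ">> Access may still be granted by a rule whose host category is 'all'."
fi

for hbac_rule in "${hbac_rules[@]}"; do
  # Fetch the rule once; every field below is parsed from this output.
  rule_info="$(ipa hbacrule-show "${hbac_rule}")"

  echo -e "\n>> HBAC Rule Controlling Access: ${hbac_rule}"

  # A disabled rule grants nothing; say so rather than listing its members
  # as if they had access.
  rule_enabled="$(rule_field "${rule_info}" 'Enabled')"
  echo -e "   Enabled: ${rule_enabled}"
  if [[ "${rule_enabled}" != [Tt][Rr][Uu][Ee] ]]; then
    echo -e "   !! Rule is disabled: the members below are NOT granted access by it."
  fi

  # User category 'all' grants access to every user regardless of the
  # member lists, so the report must not suggest only listed groups qualify.
  user_category="$(rule_field "${rule_info}" 'User category')"
  if [[ "${user_category}" == "all" ]]; then
    echo -e "   !! User category is 'all': EVERY user is granted access by this rule."
  fi

  # Users added to the rule directly (not through a group) were previously
  # omitted from the report entirely.
  direct_users="$(rule_field "${rule_info}" 'Users')"
  if [[ -n "${direct_users}" ]]; then
    echo -e "   Users granted access directly: ${direct_users}"
  fi

  user_groups="$(rule_field "${rule_info}" 'User Groups')"
  echo -e "\nThe following groups/users have access to the system via the HBAC rule."

  # Group names are comma-separated; replace the commas so the unquoted
  # expansion splits into one word per group (intentional word-splitting).
  for group_name in ${user_groups//,/ }; do

    echo -e "\n>> Group Name: ${group_name}"

    # Get group's user list. The pattern matches every line containing
    # "Member users", so indirect (nested-group) member lines, where ipa
    # prints them, are included too — same behaviour as before.
    user_list="$(ipa group-show "${group_name}" | awk -F: '/Member users/ {print $2}')"

    # Display all users
    echo -e "--> Users in Group: ${user_list}"

  done
done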
 
# Closing banner (leading blank line preserved).
printf '\n%s\n' "===================================="
printf '%s\n' "=- Report: Host Access Completed. -="
printf '%s\n' "===================================="
