linux_wiki:freeipa_report_access_host

linux_wiki:freeipa_report_access_host [2019/05/25 23:50]
linux_wiki:freeipa_report_access_host [2019/05/25 23:50] (current)
Line 1: Line 1:
 +====== FreeIPA Report Access Host ======
 +
 +**General Information**
 +
 +Report what users/groups have access to a host. 
 +
 +**Checklist**
 +  * Distro(s): Enterprise Linux 6/7
 +  * Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server Installed]] (script runs there)
 +
 +----
 +
 +====== The Script ======
 +
 +<code bash report-access-host.sh>
 +#!/bin/bash
 +# Name: report-access-host.sh
 +# Description: Report what users/groups have access to a host
 +# Last Modified: 2017-08-03
 +# Recent Changes:-Initial Release
 +###############################################################################################
 +
 +##### Customize These Variables #####
 +# IPA admin user
 +admin_user="admin"
 +##### End of Customize Variables #####
 +
 +#=====================================
 +# Functions; Main starts after
 +#=====================================
 +function show_usage
 +{
 +  echo -e "\n==== Report: Host Access ===="
 +  echo -e "\nDescription: Report what users/groups have access to a host."
 +  echo -e "\n--Usage--"
 +  echo -e "./report-access-host.sh -n HOSTNAME"
 +  echo -e "\n-OPTIONS-"
 +  echo -e "-h                    => Display usage."
 +  echo -e "-n HOSTNAME           => Name of host to check access for."
 +  echo -e "\n--Other Requirements--"
 +  echo -e "-> FreeIPA admin access."
 +  echo -e
 +}
 +
 +#=======================
 +# Get Script Arguments
 +#=======================
 +# Reset POSIX variable in case it has been used previously in this shell
 +OPTIND=1
 +
 +while getopts "hn:" opt; do
 +  case "${opt}" in
 +    h) # -h (help) argument
 +      show_usage
 +      exit 0
 +    ;;
 +    n) #-n HOSTNAME argument
 +       system_name="${OPTARG}"
 +    ;;
 +    *) # invalid argument
 +      show_usage
 +      exit 0
 +    ;;
 +  esac
 +done
 +
 +#===================
 +# Pre-checks: Make sure we have good options set
 +#===================
 +# See if we have a kerberos ticket, if not, prompt login
 +/usr/bin/klist -s
 +if [[ $? -ne 0 ]]; then
 +  echo ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
 +  /usr/bin/kinit ${admin_user}
 +  echo
 +fi
 +
 +#===================
 +# Main starts here
 +#===================
 +echo -e "================================================"
 +echo -e "####========= Report: Host Access ==========####"
 +echo -e "================================================"
 +echo
 +echo -e "This script will report all users/groups that have access to a given host."
 +
 +## If no hostname given, prompt ##
 +if [[ -z "${system_name}" ]]; then
 +  echo -en "-> Hostname to check access for: "
 +  read system_name
 +fi
 +
 +echo -e "-> Checking access for: ${system_name}"
 +ipa host-show ${system_name} > /dev/null 2>&1
 +if [[ $? -ne 0 ]]; then
 +  echo -e ">> ERROR! Was unable to get information on hostname: ${system_name}"
 +  echo -e ">> Ensure you have the correct hostname. Exiting..."
 +  exit 1
 +fi
 +
 +# Get the HBAC rule a host is a part of
 +hbac_rule="$(ipa host-show ${system_name} | awk -F: '/HBAC rule/ {print $2}')"
 +
 +# Get all user groups in the HBAC rule (remove commas so we can parse in a for loop)
 +user_groups="$(ipa hbacrule-show ${hbac_rule} | awk -F: '/User Groups/ {print $2}' | sed 's/,//g')"
 +
 +echo -e "\n>> HBAC Rule Controlling Access: ${hbac_rule}"
 +echo -e "\nThe following groups/users have access to the system via the HBAC rule."
 +
 +# For each user group, display the group name and user accounts
 +for group_name in $(echo ${user_groups}); do
 +
 +  echo -e "\n>> Group Name: ${group_name}"
 +
 +  # Get group's user list
 +  user_list="$(ipa group-show ${group_name} | awk -F: '/Member users/ {print $2}')"
 +
 +  # Display all users
 +  echo -e "--> Users in Group: ${user_list}"
 +
 +done
 +
 +echo -e "\n===================================="
 +echo -e "=- Report: Host Access Completed. -="
 +echo -e "===================================="
 +</code>
 +
 +----
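Review bot: As an access audit the main section under-reports, because it reads only the `User Groups` field of a single `ipa hbacrule-show` call and the `Member users` field of each group; users attached directly to a rule, rules that apply through a category setting, nested groups and any additional rule on the host would not appear (inferred from the fields parsed, confirm against your IPA data). `${system_name}`, `${hbac_rule}` and `${group_name}` are also passed to `ipa` unquoted, and `system_name` comes straight from `-n` or `read`, so a value with spaces or a leading `-` is word-split or taken as an option; quote every expansion, use `read -r`, and validate the hostname before use. The `kinit` result is never checked, so a failed login only surfaces later as the misleading "unable to get information on hostname" error; `/usr/bin/kinit "${admin_user}" || exit 1` closes that gap. The sketch below covers the validation and a per-rule loop; field labels other than `User Groups` are from memory of `ipa hbacrule-show` output and should be checked on the installed version, and `ipa hbactest` remains the authoritative per-user check.

```shell
# … unchanged: option parsing, kerberos pre-check, banner, hostname prompt (with read -r) …

# Reject anything that is not a plain hostname before it reaches the ipa CLI
if [[ ! "${system_name}" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo ">> ERROR! Invalid hostname: ${system_name}" >&2
  exit 1
fi

# … unchanged: host-show existence check, with "${system_name}" quoted …

# A host can belong to several HBAC rules; split on commas only, since rule names may contain spaces
mapfile -t hbac_rules < <(ipa host-show "${system_name}" \
  | awk -F': ' '/HBAC rule/ {print $2}' | tr ',' '\n' | sed 's/^ *//; s/ *$//')

for hbac_rule in "${hbac_rules[@]}"; do
  [[ -n "${hbac_rule}" ]] || continue
  rule_info="$(ipa hbacrule-show "${hbac_rule}")"
  echo -e "\n>> HBAC Rule Controlling Access: ${hbac_rule}"
  # Direct users and category settings grant access as well as user groups
  grep -E '^ *(User category|Host category|Users|User Groups):' <<<"${rule_info}"
  # … unchanged: per-group member listing, with "${group_name}" quoted …
done
```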
  
  • linux_wiki/freeipa_report_access_host.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)