[[linux_wiki:freeipa_report_access_host]]

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux_wiki:freeipa_report_access_host [2019/05/26 03:50] (current)
Line 1: Line 1:
 +====== FreeIPA Report Access Host ======
 +
 +**General Information**
 +
 +Report what users/​groups have access to a host. 
 +
 +**Checklist**
 +  * Distro(s): Enterprise Linux 6/7
 +  * Other: [[http://​www.unixmen.com/​configure-freeipa-server-centos-7/​|FreeIPA Server Installed]] (script runs there)
 +
 +----
 +
 +====== The Script ======
 +
 +<code bash report-access-host.sh>​
 +#!/bin/bash
 +# Name: report-access-host.sh
 +# Description:​ Report what users/​groups have access to a host
 +# Last Modified: 2017-08-03
 +# Recent Changes:​-Initial Release
 +###############################################################################################​
 +
 +##### Customize These Variables #####
 +# IPA admin user
 +admin_user="​admin"​
 +##### End of Customize Variables #####
 +
 +#​=====================================
 +# Functions; Main starts after
 +#​=====================================
 +function show_usage
 +{
 +  echo -e "​\n==== Report: Host Access ===="
 +  echo -e "​\nDescription:​ Report what users/​groups have access to a host."
 +  echo -e "​\n--Usage--"​
 +  echo -e "​./​report-access-host.sh -n HOSTNAME"​
 +  echo -e "​\n-OPTIONS-"​
 +  echo -e "​-h ​                   => Display usage."​
 +  echo -e "-n HOSTNAME ​          => Name of host to check access for."
 +  echo -e "​\n--Other Requirements--"​
 +  echo -e "-> FreeIPA admin access."​
 +  echo -e
 +}
 +
 +#​=======================
 +# Get Script Arguments
 +#​=======================
 +# Reset POSIX variable in case it has been used previously in this shell
 +OPTIND=1
 +
 +while getopts "​hn:"​ opt; do
 +  case "​${opt}"​ in
 +    h) # -h (help) argument
 +      show_usage
 +      exit 0
 +    ;;
 +    n) #-n HOSTNAME argument
 +       ​system_name="​${OPTARG}"​
 +    ;;
 +    *) # invalid argument
 +      show_usage
 +      exit 0
 +    ;;
 +  esac
 +done
 +
 +#​===================
 +# Pre-checks: Make sure we have good options set
 +#​===================
 +# See if we have a kerberos ticket, if not, prompt login
 +/​usr/​bin/​klist -s
 +if [[ $? -ne 0 ]]; then
 +  echo ">>​No kerberos ticket found for (${admin_user}),​ login as ${admin_user} now:"
 +  /​usr/​bin/​kinit ${admin_user}
 +  echo
 +fi
 +
 +#​===================
 +# Main starts here
 +#​===================
 +echo -e "​================================================"​
 +echo -e "####​========= Report: Host Access ==========####"​
 +echo -e "​================================================"​
 +echo
 +echo -e "This script will report all users/​groups that have access to a given host."
 +
 +## If no hostname given, prompt ##
 +if [[ -z "​${system_name}"​ ]]; then
 +  echo -en "-> Hostname to check access for: "
 +  read system_name
 +fi
 +
 +echo -e "-> Checking access for: ${system_name}"​
 +ipa host-show ${system_name} > /dev/null 2>&1
 +if [[ $? -ne 0 ]]; then
 +  echo -e ">>​ ERROR! Was unable to get information on hostname: ${system_name}"​
 +  echo -e ">>​ Ensure you have the correct hostname. Exiting..."​
 +  exit 1
 +fi
 +
 +# Get the HBAC rule a host is a part of
 +hbac_rule="​$(ipa host-show ${system_name} | awk -F: '/HBAC rule/ {print $2}'​)"​
 +
 +# Get all user groups in the HBAC rule (remove commas so we can parse in a for loop)
 +user_groups="​$(ipa hbacrule-show ${hbac_rule} | awk -F: '/User Groups/ {print $2}' | sed '​s/,//​g'​)"​
 +
 +echo -e "​\n>>​ HBAC Rule Controlling Access: ${hbac_rule}"​
 +echo -e "\nThe following groups/​users have access to the system via the HBAC rule."
 +
 +# For each user group, display the group name and user accounts
 +for group_name in $(echo ${user_groups});​ do
 +
 +  echo -e "​\n>>​ Group Name: ${group_name}"​
 +
 +  # Get group'​s user list
 +  user_list="​$(ipa group-show ${group_name} | awk -F: '/​Member users/ {print $2}'​)"​
 +
 +  # Display all users
 +  echo -e "​-->​ Users in Group: ${user_list}"​
 +
 +done
 +
 +echo -e "​\n===================================="​
 +echo -e "=- Report: Host Access Completed. -="
 +echo -e "​===================================="​
 +</​code>​
 +
 +----
  
  • linux_wiki/freeipa_report_access_host.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)