linux_wiki:freeipa_report_access_user [2019/05/25 23:50] |
linux_wiki:freeipa_report_access_user [2019/05/25 23:50] (current) |
Line 1: | Line 1: | ||
+ | ====== FreeIPA Report Access User ====== | ||
+ | |||
+ | **General Information** | ||
+ | |||
+ | Report what hosts a user has access to. | ||
+ | |||
+ | **Checklist** | ||
+ | * Distro(s): Enterprise Linux 6/7 | ||
+ | * Other: [[http:// | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== The Script ====== | ||
+ | |||
+ | <code bash report-access-user.sh> | ||
+ | #!/bin/bash | ||
+ | # Name: report-access-user.sh | ||
+ | # Description: | ||
+ | # Last Modified: 2017-08-08 | ||
+ | # Recent Changes: | ||
+ | ############################################################################################### | ||
+ | |||
+ | ##### Customize These Variables ##### | ||
+ | # IPA admin user | ||
+ | admin_user=" | ||
+ | ##### End of Customize Variables ##### | ||
+ | |||
+ | # | ||
+ | # Functions; Main starts after | ||
+ | # | ||
+ | function show_usage | ||
+ | { | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | echo -e "-u USERNAME | ||
+ | echo -e " | ||
+ | echo -e "-> FreeIPA admin access." | ||
+ | echo -e | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Get Script Arguments | ||
+ | # | ||
+ | # Reset POSIX variable in case it has been used previously in this shell | ||
+ | OPTIND=1 | ||
+ | |||
+ | while getopts " | ||
+ | case " | ||
+ | h) # -h (help) argument | ||
+ | show_usage | ||
+ | exit 0 | ||
+ | ;; | ||
+ | u) #-u USERNAME argument | ||
+ | | ||
+ | ;; | ||
+ | *) # invalid argument | ||
+ | show_usage | ||
+ | exit 0 | ||
+ | ;; | ||
+ | esac | ||
+ | done | ||
+ | |||
+ | # | ||
+ | # Pre-checks: Make sure we have good options set | ||
+ | # | ||
+ | # See if we have a kerberos ticket, if not, prompt login | ||
+ | / | ||
+ | if [[ $? -ne 0 ]]; then | ||
+ | echo ">> | ||
+ | / | ||
+ | echo | ||
+ | fi | ||
+ | |||
+ | # | ||
+ | # Main starts here | ||
+ | # | ||
+ | echo -e " | ||
+ | echo -e "#### | ||
+ | echo -e " | ||
+ | echo | ||
+ | echo -e "This script will report all hosts that a given user has access to." | ||
+ | |||
+ | ## If no username given, prompt ## | ||
+ | if [[ -z " | ||
+ | echo -en "-> Username to check access for: " | ||
+ | read user_name | ||
+ | fi | ||
+ | |||
+ | echo -e "-> Checking access for: ${user_name}" | ||
+ | ipa user-show ${user_name} > /dev/null 2>&1 | ||
+ | if [[ $? -ne 0 ]]; then | ||
+ | echo -e ">> | ||
+ | echo -e ">> | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | #- Get all of the groups a user is a part of | ||
+ | user_groups=" | ||
+ | |||
+ | # For each group, determine if it is part of a HBAC rule | ||
+ | for group in $(echo ${user_groups}); | ||
+ | |||
+ | echo -e " | ||
+ | |||
+ | # Check if a group is in a HBAC Rule | ||
+ | hbac_rules=" | ||
+ | |||
+ | if [[ -z ${hbac_rules} ]]; then | ||
+ | # No rules found, move on to next group name | ||
+ | echo -e "-> Group (${group}) is NOT in any HBAC rules." | ||
+ | continue | ||
+ | fi | ||
+ | |||
+ | # Group is a part of HBAC Rule(s), For each hbac rule check for system groups | ||
+ | for rule in $(echo ${hbac_rules}); | ||
+ | echo -e " | ||
+ | |||
+ | # Get all host groups | ||
+ | host_groups=" | ||
+ | |||
+ | if [[ -z ${host_groups} ]]; then | ||
+ | # No host groups; Check to see if this is an " | ||
+ | host_category=" | ||
+ | |||
+ | if [[ $(echo ${host_category} | awk ' | ||
+ | # Access is ' | ||
+ | echo -e " | ||
+ | continue | ||
+ | else | ||
+ | # Access is not configured, display that and move to the next rule | ||
+ | echo -e " | ||
+ | continue | ||
+ | fi | ||
+ | fi | ||
+ | |||
+ | # For each host group, display the associated hosts | ||
+ | for hostgroup_name in $(echo ${host_groups}); | ||
+ | echo -e " | ||
+ | |||
+ | # Get all hosts and display them | ||
+ | host_names=" | ||
+ | echo -e " | ||
+ | done # End of 'For each host group' loop | ||
+ | |||
+ | done # End of 'For each hbac rule' loop | ||
+ | |||
+ | done # End of 'For each group' loop | ||
+ | |||
+ | echo -e " | ||
+ | echo -e "=- Report: User Access Completed. -=" | ||
+ | echo -e " | ||
+ | </ | ||
+ | |||
+ | ---- | ||
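Review bot: The report only reaches HBAC rules through the user's group memberships (the `for group in $(echo ${user_groups})` loop and the `hbac_rules=` lookup inside it), so rules that name the user directly or use `usercategory=all` are never listed, and nothing filters on a rule's enabled flag — unless those cases are hidden in the truncated query text, the output can both under- and over-state access, which is a real problem for a tool meant to verify least privilege. Add a pass for rules matching the user itself (`ipa hbacrule-find --users="${user_name}"`, and the `--usercat=all` case) and show each rule's enabled state, or at minimum document the limitation in the header comment so nobody treats the report as authoritative. Separately, the prompt should be `read -r user_name`, and `ipa user-show ${user_name}` should quote the expansion and reject anything outside a conservative pattern before it reaches `ipa`, e.g. `[[ "${user_name}" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid username" >&2; exit 1; }`. The `*)` branch for an unknown option also exits 0; use a non-zero status there so callers can distinguish a usage error from a completed run.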