linux_wiki:freeipa_report_access_user

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux_wiki:freeipa_report_access_user [2019/05/25 23:50] (current)
Line 1: Line 1:
 +====== FreeIPA Report Access User ======
 +
 +**General Information**
 +
 +Report what hosts a user has access to.
 +
 +**Checklist**
 +  * Distro(s): Enterprise Linux 6/7
 +  * Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server Installed]] (script runs there)
 +
 +----
 +
 +====== The Script ======
 +
 +<code bash report-access-user.sh>
 +#!/bin/bash
 +# Name: report-access-user.sh
 +# Description: Report what hosts a user has access to.
 +# Last Modified: 2017-08-08
 +# Recent Changes:-Initial Release
 +###############################################################################################
 +
 +##### Customize These Variables #####
 +# IPA admin user
 +admin_user="admin"
 +##### End of Customize Variables #####
 +
 +#=====================================
 +# Functions; Main starts after
 +#=====================================
 +function show_usage
 +{
 +  echo -e "\n==== Report: User Access ===="
 +  echo -e "\nDescription: Report what hosts a user has to."
 +  echo -e "\n--Usage--"
 +  echo -e "./report-access-user.sh -u USERNAME"
 +  echo -e "\n-OPTIONS-"
 +  echo -e "-h                    => Display usage."
 +  echo -e "-u USERNAME           => Name of user to check access for."
 +  echo -e "\n--Other Requirements--"
 +  echo -e "-> FreeIPA admin access."
 +  echo -e
 +}
 +
 +#=======================
 +# Get Script Arguments
 +#=======================
 +# Reset POSIX variable in case it has been used previously in this shell
 +OPTIND=1
 +
 +while getopts "hu:" opt; do
 +  case "${opt}" in
 +    h) # -h (help) argument
 +      show_usage
 +      exit 0
 +    ;;
 +    u) #-u USERNAME argument
 +       user_name="${OPTARG}"
 +    ;;
 +    *) # invalid argument
 +      show_usage
 +      exit 0
 +    ;;
 +  esac
 +done
 +
 +#===================
 +# Pre-checks: Make sure we have good options set
 +#===================
 +# See if we have a kerberos ticket, if not, prompt login
 +/usr/bin/klist -s
 +if [[ $? -ne 0 ]]; then
 +  echo ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
 +  /usr/bin/kinit ${admin_user}
 +  echo
 +fi
 +
 +#===================
 +# Main starts here
 +#===================
 +echo -e "================================================"
 +echo -e "####========= Report: User Access ==========####"
 +echo -e "================================================"
 +echo
 +echo -e "This script will report all hosts that a given user has access to."
 +
 +## If no username given, prompt ##
 +if [[ -z "${user_name}" ]]; then
 +  echo -en "-> Username to check access for: "
 +  read user_name
 +fi
 +
 +echo -e "-> Checking access for: ${user_name}"
 +ipa user-show ${user_name} > /dev/null 2>&1
 +if [[ $? -ne 0 ]]; then
 +  echo -e ">> ERROR! Was unable to get information on username: ${user_name}"
 +  echo -e ">> Ensure you have the correct username. Exiting..."
 +  exit 1
 +fi
 +
 +#- Get all of the groups a user is a part of
 +user_groups="$(ipa user-show ${user_name} | awk -F: '/Member of groups/ {print $2}' | sed 's/,//g')"
 +
 +# For each group, determine if it is part of a HBAC rule
 +for group in $(echo ${user_groups}); do
 +
 +  echo -e "\n>> Group: ${group}"
 +
 +  # Check if a group is in a HBAC Rule
 +  hbac_rules="$(ipa group-show ${group} | awk -F: '/Member of HBAC rule/ {print $2}' | sed 's/,//g')"
 +
 +  if [[ -z ${hbac_rules} ]]; then
 +    # No rules found, move on to next group name
 +    echo -e "-> Group (${group}) is NOT in any HBAC rules." 
 +    continue
 +  fi
 +
 +  # Group is a part of HBAC Rule(s), For each hbac rule check for system groups
 +  for rule in $(echo ${hbac_rules}); do
 +    echo -e "--> HBAC Rule: ${rule}"
 +
 +    # Get all host groups
 +    host_groups="$(ipa hbacrule-show ${rule} | awk -F: '/Host Groups/ {print $2}' | sed 's/,//g')"
 +
 +    if [[ -z ${host_groups} ]]; then
 +      # No host groups; Check to see if this is an "all" host group
 +      host_category="$(ipa hbacrule-show ${rule} | awk -F: '/Host category/ {print $2}' | sed 's/,//g')"
 +
 +      if [[ $(echo ${host_category} | awk '{print $1}') == "all" ]]; then
 +        # Access is 'all' hosts, display that and move to the next rule
 +        echo -e "----> Host access is: All"
 +        continue
 +      else
 +        # Access is not configured, display that and move to the next rule
 +        echo -e "----> No host groups in rule and not set to access 'all' hosts either."
 +        continue
 +      fi
 +    fi
 +
 +    # For each host group, display the associated hosts
 +    for hostgroup_name in $(echo ${host_groups}); do
 +      echo -e "----> Host Group: ${hostgroup_name}"
 +
 +      # Get all hosts and display them
 +      host_names="$(ipa hostgroup-show ${hostgroup_name} | awk -F: '/Member hosts/ {print $2}')"
 +      echo -e "------> Hosts: ${host_names}\n"
 +    done # End of 'For each host group' loop
 +
 +  done # End of 'For each hbac rule' loop
 +
 +done # End of 'For each group' loop
 +
 +echo -e "\n===================================="
 +echo -e "=- Report: User Access Completed. -="
 +echo -e "===================================="
 +</code>
 +
 +----
  
  • linux_wiki/freeipa_report_access_user.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)