linux_wiki:freeipa_report_users_disabled [2018/06/02 23:32] billdozor created |
linux_wiki:freeipa_report_users_disabled [2019/05/25 23:50] |
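--- a/linux_wiki:freeipa_report_users_disabled
+++ b/linux_wiki:freeipa_report_users_disabled
@@ -1,238 +0,0 @@
-====== FreeIPA Report Users Disabled ======
-
-**General Information**
-
-Run this script periodically via cron in order to report on disabled user accounts and how long their password has been expired.
-
-**Checklist**
-* Distro(s): Enterprise Linux 6/7
-* Other: [[http://
-
－----
-
-====== The Script ======
-
-<code bash report-users-disabled.sh>
-#!/bin/bash
-# Name: report-users-disabled.sh
-# Description:
-# Last Updated: 2018-04-10
-# Recent Changes:
-###############################################################################################
-
-#
-##### Customize These Variables #####
-#
-
-# admin credentials
-admin_user="
-admin_pass='
-
-# email report to system admins
-system_admins_email="
-
-# Temp files for e-mail message
-report_email="/
-report_users_over_limit="/
-
-# Expired Since Days Limit
-expired_since_limit=-90
-
-#
-##### End of Customize Variables #####
-#
-
-#
-#### Functions Here: Main Starts After ####
-#
-
-# Create the initial report layout/
-function create_report_header() {
-
-# Clear out email temp file contents
-cat /dev/null > ${report_email}
-cat /dev/null > ${report_users_over_limit}
-
-# Setup report header
-echo -e "---- FreeIPA Users Disabled Report ----" > ${report_email}
-echo -e "
-
-echo -e "
-echo -e "
-echo -e "
-
-}
-
-# Add disabled usernames and days since expiration to the report
-function add_to_report() {
-
-# Determine report type (top or bottom)
-if [[ ${1} == "
-report_type=${report_email}
-elif [[ ${1} == "
-report_type=${report_users_over_limit}
-else
-echo -e ">>
-report_type=${report_email}
-fi
-
-# Set variables passed to the function
-username=${2}
-expires_in_days=${3}
-expires_on_epoch=${4}
-
-# Determine the friendly looking expiration date
-userpw_expiry_date_long=$(date --date="
-
-# Create expired dialog for report
-dialog_expires="
-
-# Status message
-echo "
-
-## Add user account and expiration line to report file
-if [[ $(echo ${username} | wc --max-line-length) -lt 8 ]]; then
-# If less than 8 character username, use two tabs
-echo -e "
-else
-# If 8 or more characters, use one tab
-echo -e "
-fi
-
-}
-
-# Add disabled usernames that have been expired > ${expired_since_limit}
-function add_to_expired_over_list() {
-
-# Set variables passed to the function
-username=${1}
-expires_in_days=${2}
-expires_on_epoch=${3}
-
-# Determine the friendly looking expiration date
-userpw_expiry_date_long=$(date --date="
-
-# Status message
-echo "
-
-# Create expired dialog for report
-dialog_expires="
-
-## Add user account and expiration line to report file
-if [[ $(echo ${username} | wc --max-line-length) -lt 8 ]]; then
-# If less than 8 character username, use two tabs
-echo -e "
-else
-# If 8 or more characters, use one tab
-echo -e "
-fi
-
-}
-
-# Add usernames that have been disabled > limit to the end of the email report
-function add_over_limit_list_to_report() {
-
-# Setup disabled users > expiry limit header
-echo -e "
-echo -e "
-echo -e "
-
-# Add Disabled Users expired > ${expired_since_limit} to end of report
-if [[ -s ${report_users_over_limit} ]]; then
-# If file size is greater than 0, add content to report
-cat ${report_users_over_limit} >> ${report_email}
-else
-# If file size is 0, give a status message
-echo "No user accounts expired > ${expired_since_limit} days ago." >> ${report_email}
-fi
-
-}
-
-#
-#### End of Functions ####
-#
-
-#
-#### Main Starts Here ####
-#
-
-# Initialize a kerberos ticket as admin and wait a short time
-echo ">>
-echo ${admin_pass} | /
-sleep 3
-
-# Build a list of disabled accounts
-#- Find all users | grep logins and disabled status lines |
-#- If the current line matches "
-#- next, store the current line's field 3 in the variable username (username=$3)
-user_list=$(/
-
-# Get today'
-todays_epoch=$(date +%s)
-
-# Create the report header
-create_report_header
-
-#### Main Loop ####
-for user in ${user_list};
-
-echo "
-
-# Get user's password expiration and cut off the zulu time designator trailing at the end('
-userpw_expiry_datetime=$(/
-
-# If the user account does not have a password expiration value, skip the user
-if [[ -z ${userpw_expiry_datetime} ]]; then
-# Skip to next user in user_list
-continue
-fi
-
-# Split up the year,
-userpw_expiry_date_year="
-userpw_expiry_date_month="
-userpw_expiry_date_day="
-userpw_expiry_time_hour="
-userpw_expiry_time_min="
-userpw_expiry_time_sec="
-
-# Caculate the user's expiry date in epoch time
-userpw_expiry_epoch=$(date --utc --date="
-
-# Calculate how many seconds and days until password expiration
-password_expires_seconds=$(expr ${userpw_expiry_epoch} - ${todays_epoch})
-password_expires_days=$(expr ${password_expires_seconds} / 86400)
-
-
-# if password has been expired for >= expired_since_limit,
-if [[ ${password_expires_days} -le ${expired_since_limit} ]]; then
-echo "-> User account has been expired for >= ${expired_since_limit} days: ${user} (${password_expires_days})"
-#
-add_to_report "
-else
-# Otherwise, add the expired user to the main section of the report
-echo "-> User account has been expired for < ${expired_since_limit} days: ${user} (${password_expires_days})"
-#
-add_to_report "
-fi
-
-done
-#### End Main Loop ####
-
-# Add disabled users that expired longer ago to the end of email report
-add_over_limit_list_to_report
-
-# Status message
-echo ">>
-
-# Use the date-time from the beginning of the script
-todays_date_long=$(date --date="
-
-# Email Report
-/
-
-# Clear out email temp file contents
-cat /dev/null > ${report_email}
-cat /dev/null > ${report_users_over_limit}
-</
-
-----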