From fa47178ed1e1ddc6113ec190e91180f691e789b0 Mon Sep 17 00:00:00 2001 From: Clemens Schwaighofer Date: Mon, 9 Dec 2024 11:37:37 +0900 Subject: [PATCH] Add central logging for all actions done log file "user_management.log" Each line is [YYYY-MM-DD HH:mm:ss] [script name] [TEST] ... [TEST] is only set if we are in a test run for create user, if info flag is set, we do not write a log --- bin/authorized_key_location_change.sh | 32 +++++++- bin/check_last_login.sh | 2 +- bin/create_user.sh | 111 +++++++++++++++++++------- bin/delete_user.sh | 64 ++++++++++----- bin/lock_user.sh | 33 ++++++-- bin/rename_user.sh | 38 ++++++--- bin/unlock_user.sh | 33 ++++++-- 7 files changed, 239 insertions(+), 74 deletions(-) diff --git a/bin/authorized_key_location_change.sh b/bin/authorized_key_location_change.sh index 0e55105..5de9e84 100755 --- a/bin/authorized_key_location_change.sh +++ b/bin/authorized_key_location_change.sh @@ -88,6 +88,24 @@ if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then echo "Reading ${IGNORE_USER_FILE}"; fi; +LOG="${BASE_FOLDER}/../log/user_management.log"; +function write_log() +{ + text="${1}"; + do_echo="${2}"; + log_prefix=""; + # log prefix for testing + if [ ${TEST} -eq 1 ]; then + log_prefix="[TEST] "; + fi; + # write log not in info run + echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"; + if [ "${do_echo}" = "1" ]; then + echo "${text}"; + fi; +} +write_log "START SCRIPT RUN"; + # loop over passwd file # if not in no action then check if .ssh/authorized_keys file exists cut -d ":" -f 1,6 /etc/passwd | @@ -97,14 +115,17 @@ while read -r user_home; do # skip admin usernames if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list"; + write_log "[NO ACT] ${username} in NO ACTION list"; continue; fi; if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line"; + write_log "[SKIP] ${username} skip forced via command line"; continue; fi; if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file"; + write_log "[SKIP] ${username} skip from ignore config file"; continue; fi; home_folder=$(echo "${user_home}" | cut -d ":" -f 2); @@ -113,8 +134,10 @@ while read -r user_home; do # but do we have an auth folder, if yes -> exist skip if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved"; + write_log "[DONE] ${username} already moved"; else printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file"; + write_log "[IGNORE] ${username} no authorized_keys file"; fi; continue; fi; @@ -124,6 +147,7 @@ while read -r user_home; do ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}"); if [ -n "${ssh_key_diff}" ]; then printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file"; + write_log "[ABORT] ${username} authorized key is not matching the master key file"; exit; fi; fi; @@ -132,6 +156,7 @@ while read -r user_home; do ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); if [ -z "${ssh_key_diff}" ]; then printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys"; + write_log "[REMOVE] ${username} .ssh/authorized_keys"; if [ ${master_user} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then rm "${home_folder}/.ssh/authorized_keys"; @@ -139,15 +164,17 @@ while read -r user_home; do echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; fi; else - echo "[!] No delete for master user, must be done manually"; + write_log "[!] No delete for master user, must be done manually" "1"; fi; continue; fi; # No update, alert printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED"; + write_log "[DIFF] ${username} Different authorized keys in home dir, SKIPPED"; continue; fi; printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location"; + write_log "[MOVE] ${username} Move SSH Key to central location"; # move public keys over if [ ${TEST} -eq 0 ]; then cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; @@ -159,13 +186,14 @@ while read -r user_home; do ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); if [ -n "${ssh_key_diff}" ]; then printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}"; + write_log "[ERROR] ${username} Move problem ${ssh_key_diff}"; break; fi; # remove home .ssh/authorized_keys (do not remove folder) if [ ${master_user} -eq 0 ]; then rm "${home_folder}/.ssh/authorized_keys"; else - echo "=> No delete for master user, must be done manually"; + write_log "=> No delete for master user, must be done manually" "1"; fi; else echo "[START] ====>"; diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh index 7cfbec8..f1490df 100755 --- a/bin/check_last_login.sh +++ b/bin/check_last_login.sh @@ -76,7 +76,7 @@ account_id=$(echo "${instance_data}" | jq .accountId) region=$(echo "${instance_data}" | jq .region) if [ "${OUTPUT_TARGET}" = "text" ]; then - LOG="${LOG}/check_ssh_user.$(date +"%F_%H%m%S").log"; + LOG="${LOG}/check_ssh_user.$(date +"%F_%H%M%S").log"; exec &> >(tee -a "${LOG}"); echo "[START] =============>"; echo "AWS ID : ${account_id}"; diff --git a/bin/create_user.sh b/bin/create_user.sh index a2986ec..32c54a3 100755 --- a/bin/create_user.sh +++ b/bin/create_user.sh @@ -176,6 +176,12 @@ if [ "$(whoami)" != "root" ]; then fi; fi; +# do not allow test and info at the same +if [ ${TEST} -eq 1 ] && [ ${INFO} -eq 1 ]; then + echo "Cannot have --test and --info option at the same time"; + error=1; +fi; + # exit if not -g parameter set if [ $GO -eq 0 ]; then echo "Script has to be run with -g option for actual user creation."; @@ -187,20 +193,51 @@ if [ $error -eq 1 ]; then exit; fi; +LOG="${BASE_FOLDER}/../log/user_management.log"; +function write_log() +{ + text="${1}"; + do_echo="${2}"; + log_prefix=""; + # log prefix for testing + if [ ${TEST} -eq 1 ]; then + log_prefix="[TEST] "; + fi; + # write log not in info run + if [ ${INFO} -eq 0 ]; then + echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"; + fi; + if [ "${do_echo}" = "1" ]; then + echo "${text}"; + fi; +} +write_log "START SCRIPT RUN"; + +# used for test run only +overall_run_error=0; + +# MARK: LOOP START # create users while read -r i; do + # run error for one row + run_error=0; # skip rows start with # (comment) if [[ "${i}" =~ ^\# ]]; then continue; fi; + + # log create inly on not info + if [ ${INFO} -eq 0 ]; then + write_log "[CREATE] ROW: $i"; + fi; + + # MARK: VALUES CHECK # POS 2: make lower case, remove spaces username=$(echo "${i}" | cut -d ";" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' '); # check username is alphanumeric with . if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then - echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}"; - if [ ${TEST} -eq 0 ]; then - break; - fi; + run_error=1; + write_log "[ERROR] User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}" "1"; fi; # POS 3: groups _group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' '); @@ -223,14 +260,12 @@ while read -r i; do ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr "[:upper:]" "[:lower:]" | tr -d ' '); # if not allow or forward, set to access if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then - echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow"; - ssh_access_type="allow"; + run_error=1; + write_log "[ERROR] Not valid ssh access type ${ssh_access_type}" "1"; fi; if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then - echo "[!!!] sshforward group does not exsts, cannot set user ${username}"; - if [ ${TEST} -eq 0 ]; then - break; - fi; + write_log "[ERROR] sshforward group does not exsts, cannot set user ${username}" "1"; + run_error=1; fi; ssh_group="ssh${ssh_access_type}"; # sshallow group is always added @@ -259,24 +294,35 @@ while read -r i; do fi; # user & group not set if [ -z "${username}" ] || [ -z "${_group}" ]; then - echo "[!!!!!] Missing user or group entry for ${username}/${_group}"; - echo "[*** ABORT RUN ***]" - if [ ${TEST} -eq 0 ]; then - break; - fi; + run_error=1; + write_log "[ERROR] Missing user or group entry for ${username}/${_group}" "1"; else group_error=0; # check group names valid for create_group in ${_group//,/ }; do if ! [[ "${create_group}" =~ ^[a-z0-9]+([a-z0-9_-]+[a-z0-9])?$ ]]; then - echo "Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}"; + write_log "[ERROR] Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}" "1"; group_error=1; fi; done; - if [ $group_error -eq 1 ] && [ ${TEST} -eq 0 ]; then - break; + if [ $group_error -eq 1 ]; then + run_error=1; fi; fi; + + # error & test -> break + if [ ${run_error} -eq 1 ]; then + overall_run_error=1; + write_log "[*** ABORT RUN ***]" "1"; + # end if not test and not info + if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then + break; + else + continue; + fi; + fi; + + # MARK: SSH NAMES SET # SSH file name part without folder ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem"; # the full file including folder name @@ -286,20 +332,21 @@ while read -r i; do # check existing pub file ssh_keyfile_check_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${ssh_keygen_id}.pub"; + # MARK: INFO if [ ${INFO} -eq 1 ]; then + info_string="User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}"; # test if pub file exists or not, test if user exists - echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}"; if getent passwd "${username}" > /dev/null 2>&1; then - echo -n ", User exists"; + info_string="${info_string}, User exists"; fi; if [ -f "${ssh_keyfile_check_pub}" ]; then - echo -n ", SSH Pub key OK"; + info_string="${info_string}, SSH Pub key OK"; fi; - # line break - echo ""; + echo "${info_string}"; continue; fi; + # MARK: CREATE # add group for each entry in _group for create_group in ${_group//,/ }; do if [ ${TEST} -eq 0 ]; then @@ -311,9 +358,9 @@ while read -r i; do # check if user is not already created # if getent passwd ${username} > /dev/null 2>&1; then if id "${username}" &>/dev/null; then - echo "-- Skip '${username}:${group}(${sub_group})'"; + write_log "-- Skip '${username}:${group}(${sub_group})'" "1"; else - echo "++ Create '${username}:${group}(${sub_group})'"; + write_log "++ Create '${username}:${group}(${sub_group})'" "1"; params=( "-c" "$(date +"%F")" "-s" "${user_login_shell}" "-g" "${group}" "-G" "$(IFS=, ; echo "${sub_group_opt[*]}")" @@ -349,7 +396,7 @@ while read -r i; do password=${_password}; fi; # create SSH key - echo " > Create ssh key-pair '${ssh_keyfile}'"; + write_log " > Create ssh key-pair: ${ssh_keyfile}" "1"; if [ ${TEST} -eq 0 ]; then ssh-keygen \ -t "${ssh_keytype}" \ @@ -366,16 +413,17 @@ while read -r i; do fi; if [ -n "${found}" ]; then skip_ssh=1; - echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub"; + write_log "-- Skip SSH Key creation: ${ssh_keygen_id}.pub" "1"; else # override previously set with stored one ssh_keyfile_pub=${ssh_keyfile_check_pub}; - echo " < Use existing public ssh key '${ssh_keygen_id}.pub'"; + write_log " < Use existing public ssh key: ${ssh_keygen_id}.pub" "1"; # Password already set notification fi; password="[ALREADY SET]"; fi; if [ ${skip_ssh} -eq 0 ]; then + # MARK: SSH CREATE # write login info to output file if [ ${TEST} -eq 0 ]; then create_output_file="${ROOT_FOLDER}${output_file}"; @@ -444,6 +492,8 @@ done <<< "$(cat "${ROOT_FOLDER}${input_file}")"; if [ ${INFO} -eq 1 ]; then exit; fi; + +# MARK: ZIP FILE CREATE # check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move has_pem_files=0; if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then @@ -488,4 +538,9 @@ else echo "$> rm ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*"; fi; +# MARK: TEST ERROR INFO +if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then + echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script"; +fi; + # __END__ diff --git a/bin/delete_user.sh b/bin/delete_user.sh index 0c121b9..52d5bbb 100755 --- a/bin/delete_user.sh +++ b/bin/delete_user.sh @@ -60,20 +60,16 @@ backup_folder="${BASE_FOLDER}../backup/"; input_file='user_list.txt'; user_list_file="${root_folder}${input_file}"; # log file -LOG="${BASE_FOLDER}/../log/delete_user."$(date +"%F_%H%m%S"); -if [ ${TEST} -eq 0 ]; then - LOG="${LOG}.log"; -else - LOG="${LOG}.test.log"; -fi; +HISTORY="${BASE_FOLDER}/../log/delete_user.log"; # ignore users (root and admin users) ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); # detect ssh authorized_keys setting SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; SSH_AUTHORIZED_FILE=''; -for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do - if [ -n "$(echo "${cf}" | grep "%u")" ]; then - SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//'); +# shellcheck disable=SC2013 +for cf in $(grep "^AuthorizedKeysFile" "/etc/ssh/sshd_config" | grep "%u"); do + if echo "$cf" | grep -q "%u"; then + SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}"; if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; exit; @@ -86,17 +82,39 @@ if [ ! -f "${user_list_file}" ]; then exit; fi; +LOG="${BASE_FOLDER}/../log/user_management.log"; +function write_log() +{ + text="${1}"; + do_echo="${2}"; + log_prefix=""; + # log prefix for testing + if [ ${TEST} -eq 1 ]; then + log_prefix="[TEST] "; + fi; + # write log not in info run + echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"; + if [ "${do_echo}" = "1" ]; then + echo "${text}"; + fi; +} +write_log "START SCRIPT RUN"; + +# used for test run only +overall_run_error=0; + # $1 ... $n for username in "$@"; do error=0; # skip if there is an option hidden + # shellcheck disable=SC2154 if [[ ${_arg:0:1} = "-" ]]; then continue; fi; # skip ignore users, note that if a user is not in the sshallow list anyway # we skip them too, this is just in case check if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then - echo "[!] User ${username} is in the ignore user list"; + write_log "[!] User ${username} is in the ignore user list" "1"; continue; fi; @@ -104,31 +122,33 @@ for username in "$@"; do # if missing in or another do not continue if ! id "${username}" &>/dev/null; then # not in passwd - echo "[!!!] User ${username} does not exist in /etc/passwd"; + write_log "[ERRPR] User ${username} does not exist in /etc/passwd" "1"; error=1; fi; user_list_entry=$(grep "${username}" "${user_list_file}"); if [ -z "${user_list_entry}" ]; then - echo "[!!!] User ${username} does not exist in user_list.txt file"; + write_log "[ERROR] User ${username} does not exist in user_list.txt file" "1"; error=1; elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then - echo "[!!!] User ${username} is flagged as deleted in user_list.txt file"; + write_log "[ERROR] User ${username} is flagged as deleted in user_list.txt file" "1"; error=1; fi; if [ $error -eq 1 ]; then + overall_run_error=1; + write_log "[*** ABORT RUN ***]" "1"; if [ ${TEST} -eq 0 ]; then break; fi; fi; - echo "=> Delete: ${username}"; + write_log "=> Delete: ${username}" "1"; # ssh authorized file SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}"; # make backup from /home if [ ${BACKUP} -eq 1 ]; then - home_folder=$(getent passwd ${username} | cut -d ":" -f 6); + home_folder=$(getent passwd "${username}" | cut -d ":" -f 6); backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2"; files_list="${home_folder}"; if [ -f "${SSH_AUTHORIZED_FILE}" ]; then @@ -136,7 +156,7 @@ for username in "$@"; do fi; echo "[0] Backup ${files_list} to ${backup_file}"; if [ ${TEST} -eq 0 ]; then - tar cfjp "${backup_file}" ${file_list}; + tar cfjp "${backup_file}" "${files_list}"; else echo "$> tar cfjp \"${backup_file}\" ${files_list};"; fi; @@ -144,7 +164,7 @@ for username in "$@"; do echo "[1] Remove user + home dir"; if [ ${TEST} -eq 0 ]; then - userdel -r ${username} + userdel -r "${username}" else echo "$> userdel -r ${username}"; fi; @@ -162,7 +182,7 @@ for username in "$@"; do fi; else # Not critical error - echo "[?] Cannot find ${SSH_AUTHORIZED_FILE}"; + write_log "[?] Cannot find ${SSH_AUTHORIZED_FILE}" "1"; fi; # Update user_list.txt file and add # for the line @@ -172,11 +192,17 @@ for username in "$@"; do if [ ${TEST} -eq 0 ]; then sed -i -e "s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/" "${user_list_file}"; else + # shellcheck disable=SC2028 echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";"; fi; - echo $(date +"%F %T")";${host};${username}" >> "${LOG}"; + echo "$(date +"%F %T");${host};${username};${TEST}" >> "${HISTORY}"; done; +# MARK: TEST ERROR INFO +if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then + echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script"; +fi; + # __END__ diff --git a/bin/lock_user.sh b/bin/lock_user.sh index b462a69..a60790b 100755 --- a/bin/lock_user.sh +++ b/bin/lock_user.sh @@ -46,27 +46,48 @@ ssh_allow_group="sshallow"; ssh_forward_group="sshforward"; user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"; +LOG="${BASE_FOLDER}/../log/user_management.log"; +function write_log() +{ + text="${1}"; + do_echo="${2}"; + log_prefix=""; + # log prefix + if [ ${TEST} -eq 1 ]; then + log_prefix="TEST"; + fi; + if [ -n "${log_prefix}" ]; then + log_prefix="[${log_prefix}] "; + fi; + echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"; + if [ "${do_echo}" = "1" ]; then + echo "${text}"; + fi; +} +write_log "START SCRIPT RUN"; + echo "--------------------->" # $1 ... $n for username in "$@"; do # skip if there is an option hidden + # shellcheck disable=SC2154 if [[ ${_arg:0:1} = "-" ]]; then continue; fi; # skip ignore users, note that if a user is not in the sshallow list anyway # we skip them too, this is just in case check if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then - echo "[!] User ${username} is in the ignore user list"; + write_log "[ERROR] User ${username} is in the ignore user list" "1"; continue; fi; # check that user exists in passwd if ! id "${username}" &>/dev/null; then - echo "[!] User ${username} does not exists in /etc/passwd file"; + write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1"; continue; fi; # if not check if in reject list if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then - echo "[.] User ${username} already in the ${ssh_reject_group} list"; + write_log "[.] User ${username} already in the ${ssh_reject_group} list"; continue; fi; # check if user is in sshallow/forward list @@ -77,14 +98,14 @@ for username in "$@"; do # if user is in ssh allow group and ALSO in ssh forward group -> bad if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then if [ -n "${ssh_remove_group}" ]; then - echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again."; + write_log "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again." "1"; break; fi; ssh_remove_group="${ssh_forward_group}"; fi; if [ -n "${ssh_remove_group}" ]; then # remove user from ssh group and add to reject groups - echo "[*] User ${username} will be removed from ${ssh_remove_group}"; + write_log "[*] User ${username} will be removed from ${ssh_remove_group}" "1"; if [ ${TEST} -eq 1 ]; then # shellcheck disable=SC2059 printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}"; @@ -94,7 +115,7 @@ for username in "$@"; do fi; else # skip not ssh user - echo "[?] User ${username} not in any ssh allow/foward groups"; + write_log "[?] User ${username} not in any ssh allow/foward groups" "1"; fi; done; diff --git a/bin/rename_user.sh b/bin/rename_user.sh index d7af9ed..f3af7e6 100644 --- a/bin/rename_user.sh +++ b/bin/rename_user.sh @@ -58,13 +58,6 @@ input_file='user_list.txt'; user_list_file="${ROOT_FOLDER}${input_file}"; default_ssh_keytype='ed25519'; ssh_keytype=''; -# log file -LOG="${BASE_FOLDER}/../log/rename_user."$(date +"%F_%H%m%S"); -if [ ${TEST} -eq 0 ]; then - LOG="${LOG}.log"; -else - LOG="${LOG}.test.log"; -fi; # ignore users (root and admin users) ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); # detect ssh authorized_keys setting @@ -144,6 +137,27 @@ if [ $error -eq 1 ]; then exit; fi; +# log file +LOG="${BASE_FOLDER}/../log/user_management.log"; +function write_log() +{ + text="${1}"; + do_echo="${2}"; + log_prefix=""; + # log prefix + if [ ${TEST} -eq 1 ]; then + log_prefix="TEST"; + fi; + if [ -n "${log_prefix}" ]; then + log_prefix="[${log_prefix}] "; + fi; + echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"; + if [ "${do_echo}" = "1" ]; then + echo "${text}"; + fi; +} +write_log "START SCRIPT RUN"; + # parse user list entry for group/hostname/ssh type key to build ssh key list # POS 3: groups @@ -164,7 +178,7 @@ else ssh_keytype=${default_ssh_keytype}; fi; -echo "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}"; +write_log "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}" "1"; old_home_dir=$(getent passwd "${OLD_USERNAME}" | cut -d: -f6); new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USERNAME}/"); @@ -202,7 +216,7 @@ NEW_SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${NEW_USERNAME}"; if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then if [ $TEST -eq 0 ]; then - echo "rename to ${NEW_SSH_AUTHORIZED_FILE}"; + write_log "rename to ${NEW_SSH_AUTHORIZED_FILE}" "1"; chattr -i "${OLD_SSH_AUTHORIZED_FILE}"; mv "${OLD_SSH_AUTHORIZED_FILE}" "${NEW_SSH_AUTHORIZED_FILE}"; chattr +i "${NEW_SSH_AUTHORIZED_FILE}"; @@ -212,7 +226,7 @@ if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then echo "$> chattr +i \"${NEW_SSH_AUTHORIZED_FILE}\";"; fi; else - echo "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing"; + write_log "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing" "1"; fi; # rename keygen public file @@ -221,13 +235,13 @@ NEW_ssh_keygen_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${hostname}${s if [ -f "${OLD_ssh_keygen_pub}" ]; then if [ $TEST -eq 0 ]; then - echo "rename to ${NEW_ssh_keygen_pub}"; + write_log "rename to ${NEW_ssh_keygen_pub}" "1"; mv "${OLD_ssh_keygen_pub}" "${NEW_ssh_keygen_pub}"; else echo "$> mv \"${OLD_ssh_keygen_pub}\" \"${NEW_ssh_keygen_pub}\";"; fi; else - echo "[?] ${OLD_ssh_keygen_pub} is missing"; + write_log "[?] ${OLD_ssh_keygen_pub} is missing" "1"; fi; # rename entry in user list txt file diff --git a/bin/unlock_user.sh b/bin/unlock_user.sh index be6d4c5..9ad31a2 100755 --- a/bin/unlock_user.sh +++ b/bin/unlock_user.sh @@ -61,31 +61,52 @@ ssh_allow_group="sshallow"; ssh_forward_group="sshforward"; user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"; +LOG="${BASE_FOLDER}/../log/user_management.log"; +function write_log() +{ + text="${1}"; + do_echo="${2}"; + log_prefix=""; + # log prefix + if [ ${TEST} -eq 1 ]; then + log_prefix="TEST"; + fi; + if [ -n "${log_prefix}" ]; then + log_prefix="[${log_prefix}] "; + fi; + echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"; + if [ "${do_echo}" = "1" ]; then + echo "${text}"; + fi; +} +write_log "START SCRIPT RUN"; + echo "--------------------->" # $1 ... $n for username in "$@"; do # skip if there is an option hidden + # shellcheck disable=SC2154 if [[ ${_arg:0:1} = "-" ]]; then continue; fi; # skip ignore users, note that if a user is not in the sshallow list anyway # we skip them too, this is just in case check if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then - echo "[!] User ${username} is in the ignore user list"; + write_log "[ERROR] User ${username} is in the ignore user list" "1"; continue; fi; # check that user exists in passwd if ! id "${username}" &>/dev/null; then - echo "[!] User ${username} does not exists in /etc/passwd file"; + write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1"; continue; fi; # check if already in OK groups if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then - echo "[.] User ${username} already in the ${ssh_allow_group} list"; + write_log "[.] User ${username} already in the ${ssh_allow_group} list" "1"; continue; fi; if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then - echo "[.] User ${username} already in the ${ssh_forward_group} list"; + write_log "[.] User ${username} already in the ${ssh_forward_group} list" "1"; continue; fi; # try to find user in user_list.txt and get the allow/forward flag from there, @@ -103,7 +124,7 @@ for username in "$@"; do # check if user is in reject group remove if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then # remove user from ssh group and add to reject groups - echo "[*] User ${username} will be added to ${ssh_add_group}"; + write_log "[*] User ${username} will be added to ${ssh_add_group}" "1"; if [ ${TEST} -eq 1 ]; then # shellcheck disable=SC2059 printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}"; @@ -113,7 +134,7 @@ for username in "$@"; do fi; else # skip not ssh user - echo "[?] User ${username} not in the ssh reject group"; + write_log "[?] User ${username} not in the ssh reject group" "1"; fi; done;