Add central logging for all actions done
Log file "user_management.log". Each line is "[YYYY-MM-DD HH:mm:ss] [script name] [TEST] ..."; [TEST] is only set if we are in a test run for create user; if the info flag is set, we do not write a log.
@@ -46,27 +46,48 @@ ssh_allow_group="sshallow";
ssh_forward_group="sshforward";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix
if [ ${TEST} -eq 1 ]; then
log_prefix="TEST";
fi;
if [ -n "${log_prefix}" ]; then
log_prefix="[${log_prefix}] ";
fi;
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
echo "--------------------->"
# $1 ... $n
for username in "$@"; do
# skip if there is an option hidden
# shellcheck disable=SC2154
if [[ ${_arg:0:1} = "-" ]]; then
continue;
fi;
# skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list";
write_log "[ERROR] User ${username} is in the ignore user list" "1";
continue;
fi;
# check that user exists in passwd
if ! id "${username}" &>/dev/null; then
echo "[!] User ${username} does not exists in /etc/passwd file";
write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
continue;
fi;
# if not check if in reject list
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
echo "[.] User ${username} already in the ${ssh_reject_group} list";
write_log "[.] User ${username} already in the ${ssh_reject_group} list";
continue;
fi;
# check if user is in sshallow/forward list
@@ -77,14 +98,14 @@ for username in "$@"; do
# if user is in ssh allow group and ALSO in ssh forward group -> bad
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
if [ -n "${ssh_remove_group}" ]; then
echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
write_log "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again." "1";
break;
fi;
ssh_remove_group="${ssh_forward_group}";
fi;
if [ -n "${ssh_remove_group}" ]; then
# remove user from ssh group and add to reject groups
echo "[*] User ${username} will be removed from ${ssh_remove_group}";
write_log "[*] User ${username} will be removed from ${ssh_remove_group}" "1";
if [ ${TEST} -eq 1 ]; then
# shellcheck disable=SC2059
printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
@@ -94,7 +115,7 @@ for username in "$@"; do
fi;
else
# skip not ssh user
echo "[?] User ${username} not in any ssh allow/foward groups";
write_log "[?] User ${username} not in any ssh allow/foward groups" "1";
fi;
done;
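Review bot: In `write_log` (first hunk) the variables `text`, `do_echo` and `log_prefix` are assigned without `local`, so each call clobbers any global of the same name; declare them `local text="${1}"`, `local do_echo="${2}"`, `local log_prefix=""`. The `[ ${TEST} -eq 1 ]` test is unquoted and aborts with a syntax error if `TEST` is unset or empty (it is defined outside this hunk), so `[[ "${TEST:-0}" -eq 1 ]]` is safer, and the same form is used again in the second hunk. The commit message says no log is written when the info flag is set, but nothing in this function or the visible hunks checks such a flag, so either that guard lives outside the diff or it is missing. The `>> "${LOG}"` append is never checked, so if the `log` directory next to `BASE_FOLDER` does not exist every invocation loses its audit trail with only stderr noise; `mkdir -p -- "${LOG%/*}"` once at startup, or a `|| printf 'cannot write %s\n' "${LOG}" >&2` on the redirect, would make the failure visible. If the plain `echo` lines that precede each `write_log … "1"` call (for example the ignore-list message) survive on the new side, the same text is printed twice, since the `"1"` argument already echoes it.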