Add central logging for all actions done
log file "user_management.log" Each line is [YYYY-MM-DD HH:mm:ss] [script name] [TEST] ... [TEST] is only set if we are in a test run for create user, if info flag is set, we do not write a log
This commit is contained in:
Clemens Schwaighofer
@@ -88,6 +88,24 @@ if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then
|
||||
echo "Reading ${IGNORE_USER_FILE}";
|
||||
fi;
|
||||
|
||||
LOG="${BASE_FOLDER}/../log/user_management.log";
|
||||
function write_log()
|
||||
{
|
||||
text="${1}";
|
||||
do_echo="${2}";
|
||||
log_prefix="";
|
||||
# log prefix for testing
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
log_prefix="[TEST] ";
|
||||
fi;
|
||||
# write log not in info run
|
||||
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
|
||||
if [ "${do_echo}" = "1" ]; then
|
||||
echo "${text}";
|
||||
fi;
|
||||
}
|
||||
write_log "START SCRIPT RUN";
|
||||
|
||||
# loop over passwd file
|
||||
# if not in no action then check if .ssh/authorized_keys file exists
|
||||
cut -d ":" -f 1,6 /etc/passwd |
|
||||
@@ -97,14 +115,17 @@ while read -r user_home; do
|
||||
# skip admin usernames
|
||||
if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
|
||||
printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
|
||||
write_log "[NO ACT] ${username} in NO ACTION list";
|
||||
continue;
|
||||
fi;
|
||||
if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
|
||||
printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
|
||||
write_log "[SKIP] ${username} skip forced via command line";
|
||||
continue;
|
||||
fi;
|
||||
if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
|
||||
printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
|
||||
write_log "[SKIP] ${username} skip from ignore config file";
|
||||
continue;
|
||||
fi;
|
||||
home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
|
||||
@@ -113,8 +134,10 @@ while read -r user_home; do
|
||||
# but do we have an auth folder, if yes -> exist skip
|
||||
if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
|
||||
printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
|
||||
write_log "[DONE] ${username} already moved";
|
||||
else
|
||||
printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
|
||||
write_log "[IGNORE] ${username} no authorized_keys file";
|
||||
fi;
|
||||
continue;
|
||||
fi;
|
||||
@@ -124,6 +147,7 @@ while read -r user_home; do
|
||||
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
|
||||
if [ -n "${ssh_key_diff}" ]; then
|
||||
printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
|
||||
write_log "[ABORT] ${username} authorized key is not matching the master key file";
|
||||
exit;
|
||||
fi;
|
||||
fi;
|
||||
@@ -132,6 +156,7 @@ while read -r user_home; do
|
||||
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
|
||||
if [ -z "${ssh_key_diff}" ]; then
|
||||
printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
|
||||
write_log "[REMOVE] ${username} .ssh/authorized_keys";
|
||||
if [ ${master_user} -eq 0 ]; then
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
rm "${home_folder}/.ssh/authorized_keys";
|
||||
@@ -139,15 +164,17 @@ while read -r user_home; do
|
||||
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
||||
fi;
|
||||
else
|
||||
echo "[!] No delete for master user, must be done manually";
|
||||
write_log "[!] No delete for master user, must be done manually" "1";
|
||||
fi;
|
||||
continue;
|
||||
fi;
|
||||
# No update, alert
|
||||
printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
|
||||
write_log "[DIFF] ${username} Different authorized keys in home dir, SKIPPED";
|
||||
continue;
|
||||
fi;
|
||||
printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
|
||||
write_log "[MOVE] ${username} Move SSH Key to central location";
|
||||
# move public keys over
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
|
||||
@@ -159,13 +186,14 @@ while read -r user_home; do
|
||||
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
|
||||
if [ -n "${ssh_key_diff}" ]; then
|
||||
printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
|
||||
write_log "[ERROR] ${username} Move problem ${ssh_key_diff}";
|
||||
break;
|
||||
fi;
|
||||
# remove home .ssh/authorized_keys (do not remove folder)
|
||||
if [ ${master_user} -eq 0 ]; then
|
||||
rm "${home_folder}/.ssh/authorized_keys";
|
||||
else
|
||||
echo "=> No delete for master user, must be done manually";
|
||||
write_log "=> No delete for master user, must be done manually" "1";
|
||||
fi;
|
||||
else
|
||||
echo "[START] ====>";
|
||||
|
||||
@@ -76,7 +76,7 @@ account_id=$(echo "${instance_data}" | jq .accountId)
|
||||
region=$(echo "${instance_data}" | jq .region)
|
||||
|
||||
if [ "${OUTPUT_TARGET}" = "text" ]; then
|
||||
LOG="${LOG}/check_ssh_user.$(date +"%F_%H%m%S").log";
|
||||
LOG="${LOG}/check_ssh_user.$(date +"%F_%H%M%S").log";
|
||||
exec &> >(tee -a "${LOG}");
|
||||
echo "[START] =============>";
|
||||
echo "AWS ID : ${account_id}";
|
||||
|
||||
@@ -176,6 +176,12 @@ if [ "$(whoami)" != "root" ]; then
|
||||
fi;
|
||||
fi;
|
||||
|
||||
# do not allow test and info at the same
|
||||
if [ ${TEST} -eq 1 ] && [ ${INFO} -eq 1 ]; then
|
||||
echo "Cannot have --test and --info option at the same time";
|
||||
error=1;
|
||||
fi;
|
||||
|
||||
# exit if not -g parameter set
|
||||
if [ $GO -eq 0 ]; then
|
||||
echo "Script has to be run with -g option for actual user creation.";
|
||||
@@ -187,20 +193,51 @@ if [ $error -eq 1 ]; then
|
||||
exit;
|
||||
fi;
|
||||
|
||||
LOG="${BASE_FOLDER}/../log/user_management.log";
|
||||
function write_log()
|
||||
{
|
||||
text="${1}";
|
||||
do_echo="${2}";
|
||||
log_prefix="";
|
||||
# log prefix for testing
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
log_prefix="[TEST] ";
|
||||
fi;
|
||||
# write log not in info run
|
||||
if [ ${INFO} -eq 0 ]; then
|
||||
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
|
||||
fi;
|
||||
if [ "${do_echo}" = "1" ]; then
|
||||
echo "${text}";
|
||||
fi;
|
||||
}
|
||||
write_log "START SCRIPT RUN";
|
||||
|
||||
# used for test run only
|
||||
overall_run_error=0;
|
||||
|
||||
# MARK: LOOP START
|
||||
# create users
|
||||
while read -r i; do
|
||||
# run error for one row
|
||||
run_error=0;
|
||||
# skip rows start with # (comment)
|
||||
if [[ "${i}" =~ ^\# ]]; then
|
||||
continue;
|
||||
fi;
|
||||
|
||||
# log create inly on not info
|
||||
if [ ${INFO} -eq 0 ]; then
|
||||
write_log "[CREATE] ROW: $i";
|
||||
fi;
|
||||
|
||||
# MARK: VALUES CHECK
|
||||
# POS 2: make lower case, remove spaces
|
||||
username=$(echo "${i}" | cut -d ";" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
|
||||
# check username is alphanumeric with .
|
||||
if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then
|
||||
echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
break;
|
||||
fi;
|
||||
run_error=1;
|
||||
write_log "[ERROR] User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}" "1";
|
||||
fi;
|
||||
# POS 3: groups
|
||||
_group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
|
||||
@@ -223,14 +260,12 @@ while read -r i; do
|
||||
ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
|
||||
# if not allow or forward, set to access
|
||||
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
|
||||
echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
|
||||
ssh_access_type="allow";
|
||||
run_error=1;
|
||||
write_log "[ERROR] Not valid ssh access type ${ssh_access_type}" "1";
|
||||
fi;
|
||||
if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
|
||||
echo "[!!!] sshforward group does not exsts, cannot set user ${username}";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
break;
|
||||
fi;
|
||||
write_log "[ERROR] sshforward group does not exsts, cannot set user ${username}" "1";
|
||||
run_error=1;
|
||||
fi;
|
||||
ssh_group="ssh${ssh_access_type}";
|
||||
# sshallow group is always added
|
||||
@@ -259,24 +294,35 @@ while read -r i; do
|
||||
fi;
|
||||
# user & group not set
|
||||
if [ -z "${username}" ] || [ -z "${_group}" ]; then
|
||||
echo "[!!!!!] Missing user or group entry for ${username}/${_group}";
|
||||
echo "[*** ABORT RUN ***]"
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
break;
|
||||
fi;
|
||||
run_error=1;
|
||||
write_log "[ERROR] Missing user or group entry for ${username}/${_group}" "1";
|
||||
else
|
||||
group_error=0;
|
||||
# check group names valid
|
||||
for create_group in ${_group//,/ }; do
|
||||
if ! [[ "${create_group}" =~ ^[a-z0-9]+([a-z0-9_-]+[a-z0-9])?$ ]]; then
|
||||
echo "Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}";
|
||||
write_log "[ERROR] Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}" "1";
|
||||
group_error=1;
|
||||
fi;
|
||||
done;
|
||||
if [ $group_error -eq 1 ] && [ ${TEST} -eq 0 ]; then
|
||||
if [ $group_error -eq 1 ]; then
|
||||
run_error=1;
|
||||
fi;
|
||||
fi;
|
||||
|
||||
# error & test -> break
|
||||
if [ ${run_error} -eq 1 ]; then
|
||||
overall_run_error=1;
|
||||
write_log "[*** ABORT RUN ***]" "1";
|
||||
# end if not test and not info
|
||||
if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then
|
||||
break;
|
||||
else
|
||||
continue;
|
||||
fi;
|
||||
fi;
|
||||
|
||||
# MARK: SSH NAMES SET
|
||||
# SSH file name part without folder
|
||||
ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
|
||||
# the full file including folder name
|
||||
@@ -286,20 +332,21 @@ while read -r i; do
|
||||
# check existing pub file
|
||||
ssh_keyfile_check_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${ssh_keygen_id}.pub";
|
||||
|
||||
# MARK: INFO
|
||||
if [ ${INFO} -eq 1 ]; then
|
||||
info_string="User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
|
||||
# test if pub file exists or not, test if user exists
|
||||
echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
|
||||
if getent passwd "${username}" > /dev/null 2>&1; then
|
||||
echo -n ", User exists";
|
||||
info_string="${info_string}, User exists";
|
||||
fi;
|
||||
if [ -f "${ssh_keyfile_check_pub}" ]; then
|
||||
echo -n ", SSH Pub key OK";
|
||||
info_string="${info_string}, SSH Pub key OK";
|
||||
fi;
|
||||
# line break
|
||||
echo "";
|
||||
echo "${info_string}";
|
||||
continue;
|
||||
fi;
|
||||
|
||||
# MARK: CREATE
|
||||
# add group for each entry in _group
|
||||
for create_group in ${_group//,/ }; do
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
@@ -311,9 +358,9 @@ while read -r i; do
|
||||
# check if user is not already created
|
||||
# if getent passwd ${username} > /dev/null 2>&1; then
|
||||
if id "${username}" &>/dev/null; then
|
||||
echo "-- Skip '${username}:${group}(${sub_group})'";
|
||||
write_log "-- Skip '${username}:${group}(${sub_group})'" "1";
|
||||
else
|
||||
echo "++ Create '${username}:${group}(${sub_group})'";
|
||||
write_log "++ Create '${username}:${group}(${sub_group})'" "1";
|
||||
params=(
|
||||
"-c" "$(date +"%F")" "-s" "${user_login_shell}"
|
||||
"-g" "${group}" "-G" "$(IFS=, ; echo "${sub_group_opt[*]}")"
|
||||
@@ -349,7 +396,7 @@ while read -r i; do
|
||||
password=${_password};
|
||||
fi;
|
||||
# create SSH key
|
||||
echo " > Create ssh key-pair '${ssh_keyfile}'";
|
||||
write_log " > Create ssh key-pair: ${ssh_keyfile}" "1";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
ssh-keygen \
|
||||
-t "${ssh_keytype}" \
|
||||
@@ -366,16 +413,17 @@ while read -r i; do
|
||||
fi;
|
||||
if [ -n "${found}" ]; then
|
||||
skip_ssh=1;
|
||||
echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
|
||||
write_log "-- Skip SSH Key creation: ${ssh_keygen_id}.pub" "1";
|
||||
else
|
||||
# override previously set with stored one
|
||||
ssh_keyfile_pub=${ssh_keyfile_check_pub};
|
||||
echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
|
||||
write_log " < Use existing public ssh key: ${ssh_keygen_id}.pub" "1";
|
||||
# Password already set notification
|
||||
fi;
|
||||
password="[ALREADY SET]";
|
||||
fi;
|
||||
if [ ${skip_ssh} -eq 0 ]; then
|
||||
# MARK: SSH CREATE
|
||||
# write login info to output file
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
create_output_file="${ROOT_FOLDER}${output_file}";
|
||||
@@ -444,6 +492,8 @@ done <<< "$(cat "${ROOT_FOLDER}${input_file}")";
|
||||
if [ ${INFO} -eq 1 ]; then
|
||||
exit;
|
||||
fi;
|
||||
|
||||
# MARK: ZIP FILE CREATE
|
||||
# check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move
|
||||
has_pem_files=0;
|
||||
if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then
|
||||
@@ -488,4 +538,9 @@ else
|
||||
echo "$> rm ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*";
|
||||
fi;
|
||||
|
||||
# MARK: TEST ERROR INFO
|
||||
if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then
|
||||
echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script";
|
||||
fi;
|
||||
|
||||
# __END__
|
||||
|
||||
@@ -60,20 +60,16 @@ backup_folder="${BASE_FOLDER}../backup/";
|
||||
input_file='user_list.txt';
|
||||
user_list_file="${root_folder}${input_file}";
|
||||
# log file
|
||||
LOG="${BASE_FOLDER}/../log/delete_user."$(date +"%F_%H%m%S");
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
LOG="${LOG}.log";
|
||||
else
|
||||
LOG="${LOG}.test.log";
|
||||
fi;
|
||||
HISTORY="${BASE_FOLDER}/../log/delete_user.log";
|
||||
# ignore users (root and admin users)
|
||||
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
|
||||
# detect ssh authorized_keys setting
|
||||
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
|
||||
SSH_AUTHORIZED_FILE='';
|
||||
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
|
||||
if [ -n "$(echo "${cf}" | grep "%u")" ]; then
|
||||
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
|
||||
# shellcheck disable=SC2013
|
||||
for cf in $(grep "^AuthorizedKeysFile" "/etc/ssh/sshd_config" | grep "%u"); do
|
||||
if echo "$cf" | grep -q "%u"; then
|
||||
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
|
||||
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||
exit;
|
||||
@@ -86,17 +82,39 @@ if [ ! -f "${user_list_file}" ]; then
|
||||
exit;
|
||||
fi;
|
||||
|
||||
LOG="${BASE_FOLDER}/../log/user_management.log";
|
||||
function write_log()
|
||||
{
|
||||
text="${1}";
|
||||
do_echo="${2}";
|
||||
log_prefix="";
|
||||
# log prefix for testing
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
log_prefix="[TEST] ";
|
||||
fi;
|
||||
# write log not in info run
|
||||
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
|
||||
if [ "${do_echo}" = "1" ]; then
|
||||
echo "${text}";
|
||||
fi;
|
||||
}
|
||||
write_log "START SCRIPT RUN";
|
||||
|
||||
# used for test run only
|
||||
overall_run_error=0;
|
||||
|
||||
# $1 ... $n
|
||||
for username in "$@"; do
|
||||
error=0;
|
||||
# skip if there is an option hidden
|
||||
# shellcheck disable=SC2154
|
||||
if [[ ${_arg:0:1} = "-" ]]; then
|
||||
continue;
|
||||
fi;
|
||||
# skip ignore users, note that if a user is not in the sshallow list anyway
|
||||
# we skip them too, this is just in case check
|
||||
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
|
||||
echo "[!] User ${username} is in the ignore user list";
|
||||
write_log "[!] User ${username} is in the ignore user list" "1";
|
||||
continue;
|
||||
fi;
|
||||
|
||||
@@ -104,31 +122,33 @@ for username in "$@"; do
|
||||
# if missing in or another do not continue
|
||||
if ! id "${username}" &>/dev/null; then
|
||||
# not in passwd
|
||||
echo "[!!!] User ${username} does not exist in /etc/passwd";
|
||||
write_log "[ERRPR] User ${username} does not exist in /etc/passwd" "1";
|
||||
error=1;
|
||||
fi;
|
||||
user_list_entry=$(grep "${username}" "${user_list_file}");
|
||||
if [ -z "${user_list_entry}" ]; then
|
||||
echo "[!!!] User ${username} does not exist in user_list.txt file";
|
||||
write_log "[ERROR] User ${username} does not exist in user_list.txt file" "1";
|
||||
error=1;
|
||||
elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then
|
||||
echo "[!!!] User ${username} is flagged as deleted in user_list.txt file";
|
||||
write_log "[ERROR] User ${username} is flagged as deleted in user_list.txt file" "1";
|
||||
error=1;
|
||||
fi;
|
||||
|
||||
if [ $error -eq 1 ]; then
|
||||
overall_run_error=1;
|
||||
write_log "[*** ABORT RUN ***]" "1";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
break;
|
||||
fi;
|
||||
fi;
|
||||
|
||||
echo "=> Delete: ${username}";
|
||||
write_log "=> Delete: ${username}" "1";
|
||||
# ssh authorized file
|
||||
SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
|
||||
|
||||
# make backup from /home
|
||||
if [ ${BACKUP} -eq 1 ]; then
|
||||
home_folder=$(getent passwd ${username} | cut -d ":" -f 6);
|
||||
home_folder=$(getent passwd "${username}" | cut -d ":" -f 6);
|
||||
backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2";
|
||||
files_list="${home_folder}";
|
||||
if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
|
||||
@@ -136,7 +156,7 @@ for username in "$@"; do
|
||||
fi;
|
||||
echo "[0] Backup ${files_list} to ${backup_file}";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
tar cfjp "${backup_file}" ${file_list};
|
||||
tar cfjp "${backup_file}" "${files_list}";
|
||||
else
|
||||
echo "$> tar cfjp \"${backup_file}\" ${files_list};";
|
||||
fi;
|
||||
@@ -144,7 +164,7 @@ for username in "$@"; do
|
||||
|
||||
echo "[1] Remove user + home dir";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
userdel -r ${username}
|
||||
userdel -r "${username}"
|
||||
else
|
||||
echo "$> userdel -r ${username}";
|
||||
fi;
|
||||
@@ -162,7 +182,7 @@ for username in "$@"; do
|
||||
fi;
|
||||
else
|
||||
# Not critical error
|
||||
echo "[?] Cannot find ${SSH_AUTHORIZED_FILE}";
|
||||
write_log "[?] Cannot find ${SSH_AUTHORIZED_FILE}" "1";
|
||||
fi;
|
||||
|
||||
# Update user_list.txt file and add # for the line
|
||||
@@ -172,11 +192,17 @@ for username in "$@"; do
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
sed -i -e "s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/" "${user_list_file}";
|
||||
else
|
||||
# shellcheck disable=SC2028
|
||||
echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";";
|
||||
fi;
|
||||
|
||||
echo $(date +"%F %T")";${host};${username}" >> "${LOG}";
|
||||
echo "$(date +"%F %T");${host};${username};${TEST}" >> "${HISTORY}";
|
||||
|
||||
done;
|
||||
|
||||
# MARK: TEST ERROR INFO
|
||||
if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then
|
||||
echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script";
|
||||
fi;
|
||||
|
||||
# __END__
|
||||
|
||||
@@ -46,27 +46,48 @@ ssh_allow_group="sshallow";
|
||||
ssh_forward_group="sshforward";
|
||||
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
|
||||
|
||||
LOG="${BASE_FOLDER}/../log/user_management.log";
|
||||
function write_log()
|
||||
{
|
||||
text="${1}";
|
||||
do_echo="${2}";
|
||||
log_prefix="";
|
||||
# log prefix
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
log_prefix="TEST";
|
||||
fi;
|
||||
if [ -n "${log_prefix}" ]; then
|
||||
log_prefix="[${log_prefix}] ";
|
||||
fi;
|
||||
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
|
||||
if [ "${do_echo}" = "1" ]; then
|
||||
echo "${text}";
|
||||
fi;
|
||||
}
|
||||
write_log "START SCRIPT RUN";
|
||||
|
||||
echo "--------------------->"
|
||||
# $1 ... $n
|
||||
for username in "$@"; do
|
||||
# skip if there is an option hidden
|
||||
# shellcheck disable=SC2154
|
||||
if [[ ${_arg:0:1} = "-" ]]; then
|
||||
continue;
|
||||
fi;
|
||||
# skip ignore users, note that if a user is not in the sshallow list anyway
|
||||
# we skip them too, this is just in case check
|
||||
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
|
||||
echo "[!] User ${username} is in the ignore user list";
|
||||
write_log "[ERROR] User ${username} is in the ignore user list" "1";
|
||||
continue;
|
||||
fi;
|
||||
# check that user exists in passwd
|
||||
if ! id "${username}" &>/dev/null; then
|
||||
echo "[!] User ${username} does not exists in /etc/passwd file";
|
||||
write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
|
||||
continue;
|
||||
fi;
|
||||
# if not check if in reject list
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
|
||||
echo "[.] User ${username} already in the ${ssh_reject_group} list";
|
||||
write_log "[.] User ${username} already in the ${ssh_reject_group} list";
|
||||
continue;
|
||||
fi;
|
||||
# check if user is in sshallow/forward list
|
||||
@@ -77,14 +98,14 @@ for username in "$@"; do
|
||||
# if user is in ssh allow group and ALSO in ssh forward group -> bad
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
|
||||
if [ -n "${ssh_remove_group}" ]; then
|
||||
echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
|
||||
write_log "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again." "1";
|
||||
break;
|
||||
fi;
|
||||
ssh_remove_group="${ssh_forward_group}";
|
||||
fi;
|
||||
if [ -n "${ssh_remove_group}" ]; then
|
||||
# remove user from ssh group and add to reject groups
|
||||
echo "[*] User ${username} will be removed from ${ssh_remove_group}";
|
||||
write_log "[*] User ${username} will be removed from ${ssh_remove_group}" "1";
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
# shellcheck disable=SC2059
|
||||
printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
|
||||
@@ -94,7 +115,7 @@ for username in "$@"; do
|
||||
fi;
|
||||
else
|
||||
# skip not ssh user
|
||||
echo "[?] User ${username} not in any ssh allow/foward groups";
|
||||
write_log "[?] User ${username} not in any ssh allow/foward groups" "1";
|
||||
fi;
|
||||
done;
|
||||
|
||||
|
||||
@@ -58,13 +58,6 @@ input_file='user_list.txt';
|
||||
user_list_file="${ROOT_FOLDER}${input_file}";
|
||||
default_ssh_keytype='ed25519';
|
||||
ssh_keytype='';
|
||||
# log file
|
||||
LOG="${BASE_FOLDER}/../log/rename_user."$(date +"%F_%H%m%S");
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
LOG="${LOG}.log";
|
||||
else
|
||||
LOG="${LOG}.test.log";
|
||||
fi;
|
||||
# ignore users (root and admin users)
|
||||
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
|
||||
# detect ssh authorized_keys setting
|
||||
@@ -144,6 +137,27 @@ if [ $error -eq 1 ]; then
|
||||
exit;
|
||||
fi;
|
||||
|
||||
# log file
|
||||
LOG="${BASE_FOLDER}/../log/user_management.log";
|
||||
function write_log()
|
||||
{
|
||||
text="${1}";
|
||||
do_echo="${2}";
|
||||
log_prefix="";
|
||||
# log prefix
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
log_prefix="TEST";
|
||||
fi;
|
||||
if [ -n "${log_prefix}" ]; then
|
||||
log_prefix="[${log_prefix}] ";
|
||||
fi;
|
||||
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
|
||||
if [ "${do_echo}" = "1" ]; then
|
||||
echo "${text}";
|
||||
fi;
|
||||
}
|
||||
write_log "START SCRIPT RUN";
|
||||
|
||||
# parse user list entry for group/hostname/ssh type key to build ssh key list
|
||||
|
||||
# POS 3: groups
|
||||
@@ -164,7 +178,7 @@ else
|
||||
ssh_keytype=${default_ssh_keytype};
|
||||
fi;
|
||||
|
||||
echo "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}";
|
||||
write_log "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}" "1";
|
||||
|
||||
old_home_dir=$(getent passwd "${OLD_USERNAME}" | cut -d: -f6);
|
||||
new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USERNAME}/");
|
||||
@@ -202,7 +216,7 @@ NEW_SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${NEW_USERNAME}";
|
||||
|
||||
if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then
|
||||
if [ $TEST -eq 0 ]; then
|
||||
echo "rename to ${NEW_SSH_AUTHORIZED_FILE}";
|
||||
write_log "rename to ${NEW_SSH_AUTHORIZED_FILE}" "1";
|
||||
chattr -i "${OLD_SSH_AUTHORIZED_FILE}";
|
||||
mv "${OLD_SSH_AUTHORIZED_FILE}" "${NEW_SSH_AUTHORIZED_FILE}";
|
||||
chattr +i "${NEW_SSH_AUTHORIZED_FILE}";
|
||||
@@ -212,7 +226,7 @@ if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then
|
||||
echo "$> chattr +i \"${NEW_SSH_AUTHORIZED_FILE}\";";
|
||||
fi;
|
||||
else
|
||||
echo "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing";
|
||||
write_log "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing" "1";
|
||||
fi;
|
||||
|
||||
# rename keygen public file
|
||||
@@ -221,13 +235,13 @@ NEW_ssh_keygen_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${hostname}${s
|
||||
|
||||
if [ -f "${OLD_ssh_keygen_pub}" ]; then
|
||||
if [ $TEST -eq 0 ]; then
|
||||
echo "rename to ${NEW_ssh_keygen_pub}";
|
||||
write_log "rename to ${NEW_ssh_keygen_pub}" "1";
|
||||
mv "${OLD_ssh_keygen_pub}" "${NEW_ssh_keygen_pub}";
|
||||
else
|
||||
echo "$> mv \"${OLD_ssh_keygen_pub}\" \"${NEW_ssh_keygen_pub}\";";
|
||||
fi;
|
||||
else
|
||||
echo "[?] ${OLD_ssh_keygen_pub} is missing";
|
||||
write_log "[?] ${OLD_ssh_keygen_pub} is missing" "1";
|
||||
fi;
|
||||
|
||||
# rename entry in user list txt file
|
||||
|
||||
@@ -61,31 +61,52 @@ ssh_allow_group="sshallow";
|
||||
ssh_forward_group="sshforward";
|
||||
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
|
||||
|
||||
LOG="${BASE_FOLDER}/../log/user_management.log";
|
||||
function write_log()
|
||||
{
|
||||
text="${1}";
|
||||
do_echo="${2}";
|
||||
log_prefix="";
|
||||
# log prefix
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
log_prefix="TEST";
|
||||
fi;
|
||||
if [ -n "${log_prefix}" ]; then
|
||||
log_prefix="[${log_prefix}] ";
|
||||
fi;
|
||||
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
|
||||
if [ "${do_echo}" = "1" ]; then
|
||||
echo "${text}";
|
||||
fi;
|
||||
}
|
||||
write_log "START SCRIPT RUN";
|
||||
|
||||
echo "--------------------->"
|
||||
# $1 ... $n
|
||||
for username in "$@"; do
|
||||
# skip if there is an option hidden
|
||||
# shellcheck disable=SC2154
|
||||
if [[ ${_arg:0:1} = "-" ]]; then
|
||||
continue;
|
||||
fi;
|
||||
# skip ignore users, note that if a user is not in the sshallow list anyway
|
||||
# we skip them too, this is just in case check
|
||||
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
|
||||
echo "[!] User ${username} is in the ignore user list";
|
||||
write_log "[ERROR] User ${username} is in the ignore user list" "1";
|
||||
continue;
|
||||
fi;
|
||||
# check that user exists in passwd
|
||||
if ! id "${username}" &>/dev/null; then
|
||||
echo "[!] User ${username} does not exists in /etc/passwd file";
|
||||
write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
|
||||
continue;
|
||||
fi;
|
||||
# check if already in OK groups
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
|
||||
echo "[.] User ${username} already in the ${ssh_allow_group} list";
|
||||
write_log "[.] User ${username} already in the ${ssh_allow_group} list" "1";
|
||||
continue;
|
||||
fi;
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
|
||||
echo "[.] User ${username} already in the ${ssh_forward_group} list";
|
||||
write_log "[.] User ${username} already in the ${ssh_forward_group} list" "1";
|
||||
continue;
|
||||
fi;
|
||||
# try to find user in user_list.txt and get the allow/forward flag from there,
|
||||
@@ -103,7 +124,7 @@ for username in "$@"; do
|
||||
# check if user is in reject group remove
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
|
||||
# remove user from ssh group and add to reject groups
|
||||
echo "[*] User ${username} will be added to ${ssh_add_group}";
|
||||
write_log "[*] User ${username} will be added to ${ssh_add_group}" "1";
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
# shellcheck disable=SC2059
|
||||
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
|
||||
@@ -113,7 +134,7 @@ for username in "$@"; do
|
||||
fi;
|
||||
else
|
||||
# skip not ssh user
|
||||
echo "[?] User ${username} not in the ssh reject group";
|
||||
write_log "[?] User ${username} not in the ssh reject group" "1";
|
||||
fi;
|
||||
done;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user