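#!/usr/bin/env bash
#
# Delete one or more local users from this host.
#
# For every user name given on the command line:
#   [0] back up the home folder (and the central ssh authorized_keys file, if
#       sshd uses a per-user "%u" path) to ../backup/<host>#<user>.<ts>.tar.bz2
#   [1] remove the user and its home folder (usermod -G "" + userdel -r)
#   [2] remove the central ssh authorized_keys file (chattr -i + rm)
#   [3] flag the user's line in ../user_list.txt as "#DELETED-<ts>:n;user;..."
#   and append "<date>;<host>;<user>;<test flag>" to ../log/delete_user.log
#
# Usage: $0 [-t] [-b] username [username ...]
#   -t  test run: print the commands that would run, execute none of them
#   -b  do not back up the home folder and the ssh public key
#
# This permanently removes the user; the backup tarball is the only copy of
# its data afterwards. Files in the "ssh-keygen-created-pub" folder are
# intentionally left untouched.
#
# Must run as root (a test run is allowed as an unprivileged user).
# Exit status is 1 when any user could not be processed, 0 otherwise.

set -u            # an unset variable is a bug here; all names are initialised below
set -o pipefail

TEST=0            # 1: only print the commands, run nothing
BACKUP=1          # 0: skip the tar backup of home folder + ssh public key

# usage: print the option summary to stderr.
usage() {
  echo "Usage: $0 [-t] [-b] username [username ...]" >&2
  echo "  -t  test run, do not execute any action" >&2
  echo "  -b  do not make a backup of the home folder and public key" >&2
}

while getopts ":tb" opt; do
  case "${opt}" in
    t) TEST=1 ;;
    b) BACKUP=0 ;;
    \?)
      echo -e "\n Option does not exist: ${OPTARG}\n" >&2
      usage
      exit 1
      ;;
  esac
done
shift "$((OPTIND - 1))"

if [[ "$(id -u)" -ne 0 ]]; then
  if [[ ${TEST} -eq 0 ]]; then
    echo "Script must be run as root user" >&2
    exit 1
  fi
  # a test run only reads; let it continue so the dry-run output can be checked
  echo "!!!! Script must be run as root user !!!!" >&2
fi

if [[ $# -eq 0 ]]; then
  echo "Must give at least one user name" >&2
  usage
  exit 1
fi

# the backup needs tar and bzip2; fail early instead of after usermod/userdel
if [[ ${BACKUP} -eq 1 ]]; then
  for tool in tar bzip2; do
    if ! command -v "${tool}" >/dev/null 2>&1; then
      echo "${tool} is required for the backup but not installed (use -b to skip the backup)" >&2
      exit 1
    fi
  done
fi

host=$(hostname)
timestamp=$(date +%Y%m%d-%H%M%S)
# character between host and user name in the backup file name
separator="#"

# base folder for all data (folder of this script), everything else is relative to it
BASE_FOLDER="$(dirname "$(readlink -f "$0")")/"
root_folder="${BASE_FOLDER}../"
backup_folder="${BASE_FOLDER}../backup/"
input_file='user_list.txt'
user_list_file="${root_folder}${input_file}"
# one line per deleted user (date;host;user;test flag)
HISTORY="${BASE_FOLDER}/../log/delete_user.log"
# free-form script log, shared with the other user management scripts
LOG="${BASE_FOLDER}/../log/user_management.log"

# never deleted by this script, even when listed in user_list.txt
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')

# Only plain user names are accepted. A leading "-" would be parsed as an
# option by id/usermod/userdel, and anything else would need escaping before
# it can be used as a file name or a pattern below.
valid_username_re='^[A-Za-z0-9_][A-Za-z0-9._-]*$'

# Detect a central, per-user authorized_keys layout: an AuthorizedKeysFile
# entry in sshd_config whose last path element is "%u". The folder part is
# kept in SSH_CENTRAL_AUTHORIZED_FILE_FOLDER (with trailing slash); it stays
# empty when sshd uses the per-home default.
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''
sshd_config='/etc/ssh/sshd_config'
if [[ -r "${sshd_config}" ]]; then
  while read -r _ rest; do
    # AuthorizedKeysFile may list several whitespace separated paths;
    # the split into tokens is intentional
    # shellcheck disable=SC2086
    for cf in ${rest}; do
      [[ "${cf}" == *%u* ]] || continue
      if [[ "${cf}" != *%u ]]; then
        echo "Unsupported AuthorizedKeysFile entry (%u must be the last path element): ${cf}" >&2
        exit 1
      fi
      # /etc/ssh/authorized_keys/%u -> /etc/ssh/authorized_keys/
      SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf%"%u"}"
      if [[ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]]; then
        echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" >&2
        exit 1
      fi
    done
  done < <(grep "^AuthorizedKeysFile" "${sshd_config}" | grep "%u")
fi

if [[ ! -f "${user_list_file}" ]]; then
  echo "${input_file} is missing" >&2
  exit 1
fi

# write_log TEXT [ECHO]
# Appends TEXT to ${LOG} with a timestamp and the script name; in a test run
# the text is prefixed with "[TEST] ". TEXT is also printed to stdout when
# ECHO is "1".
write_log() {
  local text="${1}"
  local do_echo="${2:-0}"
  local log_prefix=""
  if [[ ${TEST} -eq 1 ]]; then
    log_prefix="[TEST] "
  fi
  echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"
  if [[ "${do_echo}" = "1" ]]; then
    echo "${text}"
  fi
}

# find_user_list_entry USERNAME
# Prints the user_list.txt line for USERNAME (exact match on the second
# ";"-separated field, so "bob" never matches "bobby"). An active "n;user;..."
# line wins over a "#DELETED-...:n;user;..." line; nothing is printed when the
# user is not listed at all.
find_user_list_entry() {
  local user="${1}"
  awk -F';' -v u="${user}" '
    $2 == u {
      if ($0 ~ /^#DELETED/) { del = $0 } else { print; found = 1; exit }
    }
    END { if (!found && del != "") print del }
  ' "${user_list_file}"
}

# mark_user_deleted USERNAME DATE
# Rewrites ${user_list_file} in place, prefixing the "n;USERNAME;..." line
# (first field alphanumeric, second field exactly USERNAME) with
# "#DELETED-DATE:". Uses field comparison, so no pattern is ever built from
# the user name. Returns non-zero when the file could not be rewritten.
mark_user_deleted() {
  local user="${1}"
  local date_tag="${2}"
  local tmp
  tmp=$(mktemp) || return 1
  awk -F';' -v u="${user}" -v d="${date_tag}" '
    $1 ~ /^[A-Za-z0-9]+$/ && $2 == u { $0 = "#DELETED-" d ":" $0 }
    { print }
  ' "${user_list_file}" > "${tmp}" || { rm -f -- "${tmp}"; return 1; }
  # write over the original instead of mv: keeps its owner, mode and inode
  cat "${tmp}" > "${user_list_file}" || { rm -f -- "${tmp}"; return 1; }
  rm -f -- "${tmp}"
}

write_log "START SCRIPT RUN"
# set when any user hit an error; reported at the end of a test run
overall_run_error=0

for username in "$@"; do
  error=0

  if [[ ! "${username}" =~ ${valid_username_re} ]]; then
    write_log "[ERROR] Invalid user name: ${username}" "1"
    overall_run_error=1
    if [[ ${TEST} -eq 0 ]]; then
      write_log "[*** ABORT RUN ***]" "1"
      break
    fi
    continue
  fi

  # belt and braces: admin users are refused even if someone lists them
  if [[ " ${ignore_users[*]} " == *" ${username} "* ]]; then
    write_log "[!] User ${username} is in the ignore user list" "1"
    continue
  fi

  # the user must exist in /etc/passwd AND be an active entry in user_list.txt
  if ! id "${username}" >/dev/null 2>&1; then
    write_log "[ERROR] User ${username} does not exist in /etc/passwd" "1"
    error=1
  fi
  user_list_entry=$(find_user_list_entry "${username}")
  if [[ -z "${user_list_entry}" ]]; then
    write_log "[ERROR] User ${username} does not exist in user_list.txt file" "1"
    error=1
  elif [[ "${user_list_entry}" == "#DELETED"* ]]; then
    write_log "[ERROR] User ${username} is flagged as deleted in user_list.txt file" "1"
    error=1
  fi
  if [[ ${error} -eq 1 ]]; then
    overall_run_error=1
    write_log "[*** ABORT RUN ***]" "1"
    # a live run stops here; a test run keeps going to show all commands
    if [[ ${TEST} -eq 0 ]]; then
      break
    fi
  fi

  write_log "=> Delete: ${username}" "1"

  # central ssh key file for this user; stays empty without a %u layout so we
  # never touch a relative path named like the user in the current directory
  SSH_AUTHORIZED_FILE=''
  if [[ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]]; then
    SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}"
  fi

  home_folder=$(getent passwd "${username}" | cut -d ":" -f 6)

  if [[ ${BACKUP} -eq 1 ]]; then
    backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2"
    files_list=()
    # never archive "/" or a non-existing path by accident
    if [[ -n "${home_folder}" && "${home_folder}" != "/" && -d "${home_folder}" ]]; then
      files_list+=("${home_folder}")
    else
      write_log "[!] No usable home folder for ${username} (got '${home_folder}'), home not backed up" "1"
    fi
    if [[ -n "${SSH_AUTHORIZED_FILE}" && -f "${SSH_AUTHORIZED_FILE}" ]]; then
      files_list+=("${SSH_AUTHORIZED_FILE}")
    fi
    if [[ ${#files_list[@]} -gt 0 ]]; then
      echo "[0] Backup ${files_list[*]} to ${backup_file}"
      if [[ ${TEST} -eq 0 ]]; then
        # the archive holds the user's private data: create it root-only.
        # A failed backup must not be followed by the delete.
        if ! (umask 077; tar cfjp "${backup_file}" "${files_list[@]}"); then
          write_log "[ERROR] Backup to ${backup_file} failed, user ${username} NOT deleted" "1"
          overall_run_error=1
          write_log "[*** ABORT RUN ***]" "1"
          break
        fi
      else
        echo "$> tar cfjp \"${backup_file}\" ${files_list[*]};"
      fi
    fi
  fi

  echo "[1] Remove user + home dir"
  user_removed=1
  if [[ ${TEST} -eq 0 ]]; then
    # drop secondary group memberships first, userdel may leave them behind
    usermod -G "" "${username}"
    userdel -r "${username}"
    userdel_rc=$?
    if [[ ${userdel_rc} -eq 12 ]]; then
      # userdel(8): 12 = user removed, but the home folder could not be removed
      write_log "[!] userdel could not remove the home folder of ${username}" "1"
    elif [[ ${userdel_rc} -ne 0 ]]; then
      # e.g. the user is still logged in; do not flag it as deleted below
      write_log "[ERROR] userdel failed (exit ${userdel_rc}) for ${username}, user_list.txt not updated" "1"
      overall_run_error=1
      user_removed=0
    fi
  else
    echo "$> usermod -G \"\" \"${username}\""
    echo "$> userdel -r \"${username}\""
  fi

  # the key is removed even when userdel failed: it revokes ssh access either way.
  # The copy in the ssh-keygen-created-pub folder is deliberately kept.
  echo "[2] Remove SSH Public key"
  if [[ -z "${SSH_AUTHORIZED_FILE}" ]]; then
    write_log "[?] No central ssh authorized_keys folder configured, nothing to remove" "1"
  elif [[ -f "${SSH_AUTHORIZED_FILE}" ]]; then
    if [[ ${TEST} -eq 0 ]]; then
      # the file may have been made immutable when the user was created
      chattr -i "${SSH_AUTHORIZED_FILE}"
      rm -f -- "${SSH_AUTHORIZED_FILE}"
    else
      echo "$> chattr -i \"${SSH_AUTHORIZED_FILE}\";"
      echo "$> rm \"${SSH_AUTHORIZED_FILE}\";"
    fi
  else
    # not critical: the user simply had no central key file
    write_log "[?] Cannot find ${SSH_AUTHORIZED_FILE}" "1"
  fi

  # eg n;foo -> #DELETED-YYYYMMDD_HHmmss:n;foo ...
  echo "[3] Update user_list.txt file"
  delete_date=$(date +%Y%m%d_%H%M%S)
  if [[ ${user_removed} -eq 1 ]]; then
    if [[ ${TEST} -eq 0 ]]; then
      if ! mark_user_deleted "${username}" "${delete_date}"; then
        write_log "[ERROR] Could not flag ${username} as deleted in ${user_list_file}" "1"
        overall_run_error=1
      fi
    else
      echo "$> flag '${username}' as #DELETED-${delete_date}: in \"${user_list_file}\""
    fi
  fi

  echo "$(date +"%F %T");${host};${username};${TEST}" >> "${HISTORY}"
done

# MARK: TEST ERROR INFO
if [[ ${TEST} -eq 1 && ${overall_run_error} -eq 1 ]]; then
  echo "[ERROR] Some errors occurred during the run, they will prohibit the live run of this script"
fi
exit "${overall_run_error}"
# __END__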