
#!/bin/bash
# -xv
#
# Name: loginaccounts.sh
# Description: automate login account management
#
# Author: Dominick Grift
# Version: 0.0.3

# Copyright (C) 2008 Dominick Grift

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Report undefined variables
# shopt -s -o nounset

# Global declarations
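declare -rx SCRIPT=${0##*/}
# Captured before any command has run, so this is always 0.
declare -rx EXITSTATUS=$?

# My global declarations
# getopt option tables. In OPTSTRING a letter followed by ':' takes a value.
# (The original table was written as "-h,-L.-P,..." which is not getopt
# syntax, listed -c twice and had no -r at all.)
declare -r OPTSTRING="hLPACfai:p:c:g:l:n:r:q:e:"
declare -r LONGOPTS="help,local,poly,cron,at,forward,chage,identity:,password:,comment:,groups:,logins:,nproc:,range:,quota:,expire:"
declare UCOMMNT=0 # Optional: GECOS comment; 0 = none given
declare UGRP="realusers,sshusers" # Tunable: supplementary groups (usermod -G)
declare USERID # Mandatory: login name
declare RESULT # System: normalised argument list produced by getopt
declare UPASSWD # Mandatory: initial password (passed on argv, see -p in --help)
declare ULOGNS=3 # Tunable: pam_limits maxlogins; 0 = do not set
declare UNPROC=15 # Tunable: pam_limits hard nproc; 0 = do not set
declare ULOCL=0 # Optional: 1 = skip the access.conf rule denying LOCAL logins
declare UCATGR=0 # Optional: MCS categories for the login range (e.g. c2,c4); 0 = none
declare UFORWRD=0 # Optional: 1 = skip the sshd_config block denying X11/TCP forwarding
declare UQUOT="10000" # Tunable: hard block quota; 0 = do not set
declare UEXPR=0 # Optional: account expiry date for usermod -e; 0 = none
declare UPOLY=1 # Optional: 1 = create the pam_namespace instance dir, 0 = exempt the user in namespace.conf
declare UCRON=0 # Optional: 1 = add to /etc/cron.allow
declare UAT=0 # Optional: 1 = add to /etc/at.allow
declare UAGE=1 # Optional: 1 = apply password aging with chage, 0 = skip

# Sanity checks

# Requires BASH
if test -z "$BASH" ; then
    printf '%s:%s: %s\n' "$SCRIPT" "$LINENO" "Please run this script with the BASH shell" >&2
    exit 192
fi

# Test for input: with no arguments at all, print the license and stop.
if test -z "$1" ; then
    while IFS= read -r line ; do
        printf '%s:%s: %s\n' "$SCRIPT" "$LINENO" "$line"
    done <<'EOF'
Copyright (C) 2008 Dominick Grift

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
EOF
    exit 0
fi

# Test for root: compare the uid rather than the name, so a renamed
# uid-0 account still passes and a user merely named "root" would not.
if [ "$(id -u)" -ne 0 ] ; then
    printf '%s:%s: %s\n' "$SCRIPT" "$LINENO" "DAC: Must be root" >&2
    exit 192
fi

# Test for unconfined: the SELinux type is the third ':'-separated field of
# the process context. Everything is quoted so an empty context (SELinux
# disabled, id -Z failing) is a clean "not unconfined" failure instead of a
# '[' syntax error.
secontext=$(id -Z 2>/dev/null)
sedomain=${secontext#*:}   # drop the SELinux user
sedomain=${sedomain#*:}    # drop the role
sedomain=${sedomain%%:*}   # keep the type, drop the level
if [ "$sedomain" != unconfined_t ] ; then
    printf '%s:%s: %s\n' "$SCRIPT" "$LINENO" "MAC: Must be unconfined domain" >&2
    exit 192
fi

# Check getopt mode: only util-linux "enhanced" getopt (exit status 4 for -T)
# understands long options and quotes its output safely for the eval below.
getopt -T >/dev/null
if [ $? -ne 4 ] ; then
    printf '%s: %s\n' "$SCRIPT" "Getopt is in compatibility mode" >&2
    exit 192
fi

# Test parameters. This has to be a command substitution: the original
# assigned the getopt command line as a single-quoted string, so getopt never
# ran and the later eval simply re-parsed "$@" by hand (unknown options were
# never rejected and long options only worked by accident). getopt prints
# its own diagnostic on error; we just stop.
RESULT=$(getopt --name "$SCRIPT" --options "$OPTSTRING" --longoptions "$LONGOPTS" -- "$@")
if [ $? -gt 0 ] ; then
    exit 192
fi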

# Functions

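# Create the account named $USERID.
# -m creates the home directory explicitly: add_poly later needs
# /home/$USERID to exist, and without -m useradd only creates it when
# CREATE_HOME is enabled in /etc/login.defs. stdout is discarded, stderr is
# left alone so useradd's own diagnostics reach the caller.
add_user() {
    /usr/sbin/useradd -m "$USERID" >/dev/null
}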

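# Set the initial password for $USERID via passwd --stdin (a Red Hat
# extension). printf is used instead of /bin/echo so a password that starts
# with -n/-e or contains backslashes reaches passwd unchanged. The password
# still arrives on this script's argv (-p), where ps and shell history can
# see it; that exposure is documented in --help, not fixed here.
add_user_passwd() {
    printf '%s\n' "$UPASSWD" | /usr/bin/passwd "$USERID" --stdin >/dev/null
}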

# Store $UCOMMNT as the GECOS/comment field of $USERID.
# stdout is discarded; stderr passes through.
add_comment() {
    local comment="$UCOMMNT"
    /usr/sbin/usermod -c "$comment" "$USERID" >/dev/null
}

# Set the account expiry date of $USERID to $UEXPR (usermod -e; the help
# example uses YYYY-MM-DD). stdout is discarded; stderr passes through.
add_expire() {
    local when="$UEXPR"
    /usr/sbin/usermod -e "$when" "$USERID" >/dev/null
}

# Create the polyinstantiation instance directory /home/$USERID/$USERID.inst,
# root-owned and mode 000 (what pam_namespace expects for the parent of
# instance directories — see namespace.conf(5)). Fails if mkdir fails, e.g.
# when the home directory does not exist yet.
add_poly() {
    local instdir="/home/$USERID/$USERID.inst"
    /bin/mkdir "$instdir" && chmod -R 000 "$instdir" >/dev/null
}

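# Exempt $USERID from polyinstantiation by appending ",$USERID" to the
# override-user list of every /tmp, /var and $HOME line in namespace.conf.
# The original sed scripts were single-quoted, so the literal text ',$USERID'
# was appended instead of the login name, and a predictable "tmpfile" was
# written in the current directory.
#   $1 - optional path of the namespace.conf to edit
#        (defaults to /etc/security/namespace.conf)
# Returns 1 if the login name cannot be placed in the file safely, or the
# status of the failing file operation.
no_poly() {
    local conf="${1:-/etc/security/namespace.conf}"
    local scratch status

    # The name lands inside a sed replacement and a comma separated list:
    # ',' splits the list, '/' ends s///, '&' and '\' are special in the
    # replacement, and whitespace or a newline would break the line.
    case "$USERID" in
        ''|*[[:space:]]*|*,*|*/*|*'&'*|*'\'*) return 1 ;;
    esac

    # Edit a scratch copy beside the target and copy it back, so the target
    # keeps its inode, mode and SELinux label (the reason the original used
    # cp rather than mv).
    scratch=$(mktemp "$conf.XXXXXX") || return 1
    /bin/sed -e "/^\/tmp/s/\$/,$USERID/" \
             -e "/^\/var/s/\$/,$USERID/" \
             -e "/^\\\$HOME/s/\$/,$USERID/" "$conf" > "$scratch" \
        && /bin/cp "$scratch" "$conf"
    status=$?
    /bin/rm -f "$scratch"
    return "$status"
}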

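# Append an sshd_config Match block that disables X11 and TCP forwarding for
# $USERID. The original used `echo """..."""`, which only worked because the
# empty "" pairs vanish; printf makes the text explicit. The leading newline
# keeps the block separate from whatever the file ended with.
#   $1 - optional path of the sshd_config to append to
#        (defaults to /etc/ssh/sshd_config)
# NOTE: sshd reads this only on reload/restart; this script does not do that.
add_forward() {
    local conf="${1:-/etc/ssh/sshd_config}"

    # "Match User" takes a comma separated pattern list with * and ?
    # wildcards, so a name containing those (or whitespace) would match more
    # than one account; refuse rather than widen the rule.
    case "$USERID" in
        ''|*[[:space:],*?]*) return 1 ;;
    esac

    printf '\nMatch User %s\nX11Forwarding no\nAllowTcpForwarding no\n' "$USERID" >> "$conf"
}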

# Set the disk quota of $USERID on every quota-enabled filesystem (-a):
# no soft block limit, hard block limit $UQUOT, inode soft 7500 / hard 10000.
add_quota() {
    local blocks_soft=0 inodes_soft=7500 inodes_hard=10000
    /usr/sbin/setquota -u "$USERID" "$blocks_soft" "$UQUOT" "$inodes_soft" "$inodes_hard" -a >/dev/null
}

# pam_limits: hard cap of $UNPROC processes for $USERID, appended to limits.conf.
add_nproc() {
    printf '%s hard nproc %s\n' "$USERID" "$UNPROC" >> /etc/security/limits.conf
}

# pam_limits: at most $ULOGNS simultaneous logins for $USERID, appended to limits.conf.
add_logins() {
    printf '%s - maxlogins %s\n' "$USERID" "$ULOGNS" >> /etc/security/limits.conf
}

# pam_access: deny ("-") LOCAL (console) logins for $USERID via access.conf.
# The "--" stops printf from reading the leading "-" of the format as an option.
add_local() {
    printf -- '- : %s : LOCAL\n' "$USERID" >> /etc/security/access.conf
}

# Allow $USERID to use crontab by listing the name in /etc/cron.allow.
add_cron() {
    printf '%s\n' "$USERID" >> /etc/cron.allow
}

# Allow $USERID to use at(1) by listing the name in /etc/at.allow.
add_at() {
    printf '%s\n' "$USERID" >> /etc/at.allow
}

# Set the supplementary groups of $USERID to $UGRP. usermod -G replaces the
# whole list (it is not -a/--append); fine here because the account was just
# created. stdout is discarded; stderr passes through.
add_groups() {
    local groups="$UGRP"
    /usr/sbin/usermod -G "$groups" "$USERID" >/dev/null
}

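# Give $USERID its own SELinux user (role user_r, prefix user) and a login
# mapping, both with the MCS categories from -r ($UCATGR) on the s0 range.
# Both semanage calls are run and a failure of either is reported; the
# original returned only the status of the second, so a failed
# "semanage user -a" went unnoticed, and it leaked NEWCAT as a global.
add_cat() {
    local range="s0-s0:$UCATGR"
    local status=0
    /usr/sbin/semanage user -a -L s0 -r "$range" -R user_r -P user "$USERID" >/dev/null || status=$?
    /usr/sbin/semanage login -a -s "$USERID" -r "$range" "$USERID" >/dev/null || status=$?
    return "$status"
}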

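# Give $USERID its own SELinux user (role user_r, prefix user) and a login
# mapping on the plain s0-s0 range (no MCS categories). Both semanage calls
# are run and a failure of either is reported; the original returned only
# the status of the second, so a failed "semanage user -a" went unnoticed.
add_seuser() {
    local range="s0-s0"
    local status=0
    /usr/sbin/semanage user -a -L s0 -r "$range" -R user_r -P user "$USERID" >/dev/null || status=$?
    /usr/sbin/semanage login -a -s "$USERID" -r "$range" "$USERID" >/dev/null || status=$?
    return "$status"
}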

# Password aging for $USERID: at least 7 days between changes, a change
# required after 180 days, warning 7 days ahead. stdout is discarded.
add_chage() {
    local min_days=7 max_days=180 warn_days=7
    /usr/bin/chage -m "$min_days" -M "$max_days" -W "$warn_days" "$USERID" >/dev/null
}

# Main loop

# Replace the parameters with the results of getopt
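# Parse the (getopt-normalised) option words in "$@" into the U* globals.
# Options that take a value check that the value is present before consuming
# it; flags consume only themselves. The original shifted once inside every
# flag branch and once more at the end of the loop, so a flag given before
# another option silently swallowed that option (e.g. "-L -i john" lost -i
# and the run ended with "Identity missing").
# Exits 192 on a missing value; -h/--help prints the usage and exits 0.
parse_options() {
    while [ $# -gt 0 ] ; do
        case "$1" in
            -h | --help) # Show help
                help_line "Usage: $SCRIPT [options]"
                help_line ""
                help_line " Options:"
                help_line " [-h][--help] | View this help"
                help_line " [-L][--local] | Optional: Disabled by default"
                help_line " [-f][--forward] | Optional: Disabled by default"
                help_line " [-P][--poly] | Optional: Enabled by default"
                help_line " [-C][--cron] | Optional: Disabled by default"
                help_line " [-A][--at] | Optional: Disabled by default"
                help_line " [-a][--chage] | Optional: Enabled by default"
                help_line " [-i][--identity] identity | Mandatory: User name"
                help_line " [-p][--password] password | Mandatory: Strong password"
                help_line "   NOTE: -p puts the password on the command line, where ps and shell history can see it"
                help_line " [-c][--comment] comment | Tunable: Defaults to none"
                help_line " [-g][--groups] groups | Tunable: Defaults to realusers,sshusers"
                help_line " [-l][--logins] number of logins | Tunable: Defaults to 3"
                help_line " [-n][--nproc] number of processes| Tunable: Defaults to 15"
                help_line " [-r][--range] range | Optional: Disabled by default"
                help_line " [-q][--quota] number of blocks | Tunable: Defaults to 10000 blocks"
                help_line " [-e][--expire] date | Optional: Disabled by default"
                help_line ""
                help_line " Examples:"
                help_line " $SCRIPT -i john -c \"John Doe\" -p F000_Bar!!1 -r c2,c4 -e 2010-12-15 -C"
                exit 0
                ;;
            -i | --identity)
                [ $# -ge 2 ] || option_error "Identity for [-i][--identity] is missing"
                USERID=$2
                shift
                ;;
            -p | --password)
                [ $# -ge 2 ] || option_error "Password for [-p][--password] is missing"
                UPASSWD=$2
                shift
                ;;
            -c | --comment)
                [ $# -ge 2 ] || option_error "Comment for [-c][--comment] is missing"
                UCOMMNT=$2
                shift
                ;;
            -g | --groups)
                [ $# -ge 2 ] || option_error "Groups for [-g][--groups] are missing"
                UGRP=$2
                shift
                ;;
            -l | --logins)
                [ $# -ge 2 ] || option_error "Number of logins for [-l][--logins] is missing"
                ULOGNS=$2
                shift
                ;;
            -n | --nproc)
                [ $# -ge 2 ] || option_error "Number of processes for [-n][--nproc] is missing"
                UNPROC=$2
                shift
                ;;
            -r | --range)
                [ $# -ge 2 ] || option_error "Range for [-r][--range] is missing"
                UCATGR=$2
                shift
                ;;
            -q | --quota)
                [ $# -ge 2 ] || option_error "Quota for [-q][--quota] is missing"
                UQUOT=$2
                shift
                ;;
            -e | --expire)
                [ $# -ge 2 ] || option_error "Expiration date for [-e][--expire] is missing"
                UEXPR=$2
                shift
                ;;
            # Flags: no value, so no extra shift.
            -L | --local) ULOCL=1 ;;
            -P | --poly) UPOLY=0 ;;
            -f | --forward) UFORWRD=1 ;;
            -C | --cron) UCRON=1 ;;
            -A | --at) UAT=1 ;;
            -a | --chage) UAGE=0 ;;
            # "--" is the end-of-options marker getopt emits; anything after
            # it is a non-option word, which this script has never used.
            --) ;;
            *) ;;
        esac
        shift
    done
}

# Print an option-parsing error ($1) on stderr and abort with status 192,
# the failure status used throughout this script.
option_error() {
    printf '%s:%s: %s\n' "$SCRIPT" "${BASH_LINENO[0]}" "$1" >&2
    exit 192
}

# Print one help line ($1) with the usual "script:line:" prefix.
help_line() {
    printf '%s:%s: %s\n' "$SCRIPT" "${BASH_LINENO[0]}" "$1"
}

# Replace the parameters with the results of getopt, then parse them.
eval set -- "$RESULT"
parse_options "$@"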

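# Helpers for the processing section

# Print a status line ($1) on stdout, prefixed with the script name and the
# caller's line number.
say() {
    printf '%s:%s: %s\n' "$SCRIPT" "${BASH_LINENO[0]}" "$1"
}

# Print an error ($1) on stderr and abort with status 192, the failure
# status used throughout this script.
die() {
    printf '%s:%s: %s\n' "$SCRIPT" "${BASH_LINENO[0]}" "$1" >&2
    exit 192
}

# Run step $1 (a function name); on a non-zero status print "$2: FAIL" on
# stderr and abort. There is no rollback: the account is left in whatever
# state the steps so far produced, which is why every step is checked.
run_step() {
    "$1" && return 0
    printf '%s:%s: %s\n' "$SCRIPT" "${BASH_LINENO[0]}" "$2: FAIL" >&2
    exit 192
}

# True if $1 is a non-negative decimal integer. The limit and quota values
# are compared with -eq/-ne below and handed to setquota/pam_limits, so
# anything else is rejected up front instead of becoming a '[' error.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Mandatory arguments
[ -n "$USERID" ] || die "Identity missing"
[ -n "$UPASSWD" ] || die "Password missing"

# The login name is interpolated into sed scripts, sshd_config, limits.conf,
# access.conf and a /home path below, so restrict it to the shape useradd
# accepts by default (shadow-utils: [a-z_][a-z0-9_-]*[$]?; upper case and '.'
# are tolerated here). useradd would reject worse names anyway, but the
# remaining steps must never see one.
userid_re='^[A-Za-z_][A-Za-z0-9_.-]*\$?$'
[[ "$USERID" =~ $userid_re ]] || die "Identity '$USERID' contains characters that are not allowed in a login name"

# Numeric tunables: the original compared these with "-ne", which errors out
# (and silently takes the wrong branch) on anything that is not an integer.
for numeric in ULOGNS UNPROC UQUOT ; do
    is_uint "${!numeric}" || die "$numeric must be a non-negative integer, got '${!numeric}'"
done

# Processing. Each step is followed by a one second pause, as in the
# original (presumably to let name-service caches see the new account —
# not verified).
run_step add_user "add_user"
say "added user: $USERID"
sleep 1

run_step add_user_passwd "add_passwd"
# Never print the password itself: this script's stdout ends up in logs.
say "added passwd for: $USERID"
sleep 1

# String comparison against the "0" sentinel: the original used -ne, which
# fails on any real comment, so comments were never applied.
if [ "$UCOMMNT" != "0" ] ; then
    run_step add_comment "add_comment"
    say "added comment: $UCOMMNT"
else
    say "no comment specified: skipping"
fi
sleep 1

# Supplementary groups are always applied; the message only says whether the
# caller overrode the default list.
run_step add_groups "add_groups"
if [ "$UGRP" != "realusers,sshusers" ] ; then
    say "added groups: $UGRP"
else
    say "no groups specified: realusers,sshusers"
fi
sleep 1

if [ "$UEXPR" != "0" ] ; then
    run_step add_expire "add_expire"
    say "added expire: $UEXPR"
else
    say "no expire specified: skipping"
fi
sleep 1

# Polyinstantiation: by default the pam_namespace instance directory is
# created; -P instead lists the user as exempt in namespace.conf. The
# original never checked no_poly's status; it is checked now.
if [ "$UPOLY" -eq 1 ] ; then
    run_step add_poly "add_poly"
    say "poly not specified: enabled poly"
else
    run_step no_poly "no_poly"
    say "poly specified: disabled poly"
fi
sleep 1

# SSH X11/TCP forwarding is denied unless -f was given (UFORWRD=1 skips the
# Match block). sshd must be reloaded before the block takes effect; this
# script does not do that.
if [ "$UFORWRD" -lt 1 ] ; then
    run_step add_forward "add forward"
    say "forward not specified: added forward"
else
    say "forward specified: skipping"
fi
sleep 1

# Quota, nproc and maxlogins: 0 disables the step, any other value is
# applied; the message says whether the default was overridden. (The original
# tested "$UQUOT -n 0" and a misspelled $ULOGNG, so the "specified" branches
# only ever worked by falling through to the default branch.)
if [ "$UQUOT" -eq 0 ] ; then
    say "quota disabled: skipping"
else
    run_step add_quota "add_quota"
    if [ "$UQUOT" -ne 10000 ] ; then
        say "added quota: $UQUOT"
    else
        say "quota not specified: 10000"
    fi
fi
sleep 1

if [ "$UNPROC" -eq 0 ] ; then
    say "nproc disabled: skipping"
else
    run_step add_nproc "add_nproc"
    if [ "$UNPROC" -ne 15 ] ; then
        say "nproc specified: added $UNPROC"
    else
        say "nproc not specified: 15"
    fi
fi
sleep 1

if [ "$ULOGNS" -eq 0 ] ; then
    say "logins disabled: skipping"
else
    run_step add_logins "add_logins"
    if [ "$ULOGNS" -ne 3 ] ; then
        say "logins specified: added $ULOGNS"
    else
        say "logins not specified: 3"
    fi
fi
sleep 1

# Console (LOCAL) logins are denied in access.conf unless -L was given.
if [ "$ULOCL" -eq 0 ] ; then
    run_step add_local "add_local"
    say "local not specified: added local"
else
    say "local specified: skipping"
fi
sleep 1

if [ "$UCRON" -eq 1 ] ; then
    run_step add_cron "add_cron"
    say "cron specified: adding cron"
else
    say "cron not specified: skipping"
fi
sleep 1

if [ "$UAT" -gt 0 ] ; then
    run_step add_at "add_at"
    say "at specified: adding $UAT"
else
    say "at not specified: skipping"
fi
sleep 1

# Password aging (chage) is applied unless -a was given (UAGE=0).
if [ "$UAGE" -eq 1 ] ; then
    run_step add_chage "add_chage"
    say "chage specified: adding $UAGE"
else
    say "chage not specified: skipping"
fi
sleep 1

# SELinux: a per-login SELinux user and login mapping, with the MCS
# categories from -r when given.
if [ "$UCATGR" != "0" ] ; then
    run_step add_cat "add_cat"
    say "added cat: $UCATGR"
else
    run_step add_seuser "add_seuser"
    say "added seuser"
fi

# Clean up: every step succeeded.
exit 0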

#EOF
#TODO: list, remove, modify, loglevels, interactive
