LinuxQuestions.org
Old 05-17-2019, 06:48 AM   #1
bkone
Member
 
Registered: Jun 2006
Distribution: SUSE, Red Hat, Oracle Linux, CentOS
Posts: 108

Rep: Reputation: 15
Get local user info groups and group membership


I am trying to figure out a one-liner or script that will allow me to get all the information I need with one swoop. I am running a mixture of Red Hat and SUSE servers and need to just get all the information in a file.

compgen -u gets me the users
compgen -g gets me the groups
I found this script that will show me the users and what group they are in -
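#!/bin/bash
# For each account in /etc/passwd, list the groups whose /etc/group line mentions it
for i in $(cut -d: -f1 /etc/passwd); do
    echo -n "$i : "
    # -w matches the name as a whole word, so "bin" does not also match "sbin"
    grep -w -- "$i" /etc/group | cut -d: -f1 | tr "\n" " "
    echo
done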

I was also trying to get the lslogins output which shows me the last login, pwd-lock, and pwd-deny. I am assuming this indicates if the user can log in or if it is a system account.

Long story short, I am trying to get a nice auditing output to show local users and groups of all systems and then what users are in what groups. Plus, show if the user is able to log in or if it is a system account (daemon). Auditors here are primarily Windows, so when they see a local account they just assume it can log in.

Any suggestions or assistance is greatly appreciated!
 
Old 05-17-2019, 07:42 AM   #2
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

Rep: Reputation: 2242
if you want just user users, human users that is.
Code:
 for i in $( who | cut -d' ' -f1); do echo $i ; echo $(id  $i ); done
Shows who is logged in and what groups they belong to. Needs curtailing of course to fit your formatting needs. You (will) need to look in the appropriate areas for the data you need to display. Do your research on what files keep what particular type of info, and how to access it, and what commands (apps) get you the info you're looking for.

the ole' "how to ...." search is a good start to a search text line for how to do something. Then piece it together like I did on my example.

this would have been my line of questioning,
how to do a for loop on the cli
how to find users logged in
how to find users groups
how to chop up strings in Linux
etc...

Last edited by BW-userx; 05-17-2019 at 08:49 AM.
 
1 members found this post helpful.
Old 05-17-2019, 10:03 AM   #3
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
Originally Posted by BW-userx View Post
if you want just user users, human users that is.
Code:
 for i in $( who | cut -d' ' -f1); do echo $i ; echo $(id  $i ); done
Expanding on that, to get all users whether logged in or not one could query /etc/passwd file. Administrative accounts are usually UID 500 or lower. If shadow is in use (as it should be) then the general layout of /etc/passwd starts with:
username:x:uid:gid:etc...

A one liner that would exclude all uid values 500 and lower as well as the special nfsnobody from that layout and do your suggested id command would be:
Code:
for user in $(egrep -v "x:[0-9]:|x:[0-9][0-9]:|x:[0-4][0-9][0-9]:|x:500:|x:65534:" /etc/passwd |awk -F: '{print $1}'); do id $user; done
egrep allows for multiple patterns. The patterns are separated by pipe sign "|" and the set of patterns are started and ended with double quotes ".
The first pattern above looks for any single digit UID (e.g. 0 for root)
The second pattern looks for any 2 digit uid
The third pattern looks for any 3 digit uid up to 499
The fourth pattern looks just for uid 500
The final pattern excludes 65534 used for nfsnobody.
It then pipes the lines found into awk and splits on : as delimiter which is what passwd uses and gets the first field which is the user login name.
The for loop makes it run id on each of the user login names found.

Last edited by MensaWater; 05-17-2019 at 03:23 PM.
 
1 members found this post helpful.
Old 05-18-2019, 04:07 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
why does it have to be a oneliner?
this is fairly complex; seems pretty clear to me that a shell function or a dedicated script is required here, whichever approach you choose.
 
Old 05-20-2019, 01:39 PM   #5
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
Originally Posted by ondoho View Post
why does it have to be a oneliner?
this is fairly complex; seems pretty clear to me that a shell function or a dedicated script is required here, whichever approach you choose.
For some reason folks love one liners - in point of fact what I gave the OP as a one liner is something I'd normally spread over multiple lines in a script e.g.:
Code:
#!/bin/bash
for user in $(egrep -v "x:[0-9]:|x:[0-9][0-9]:|x:[0-4][0-9][0-9]:|x:500:|x:65534:" /etc/passwd |awk -F: '{print $1}')
do id $user
done
In such a script I might even do intermediate steps for that first line depending on what else I needed to do. However, it works as a one liner the way my earlier post had it.
 
Old 05-22-2019, 09:57 AM   #6
bkone
Member
 
Registered: Jun 2006
Distribution: SUSE, Red Hat, Oracle Linux, CentOS
Posts: 108

Original Poster
Rep: Reputation: 15
Great suggestions all!

One issue I am encountering now is these servers are running SSSD to tie them to AD for user authentication. When I run different commands I am getting tons of AD users which I don't want, just looking for local user accounts.

Commands that are showing more accounts, AD, than what I want:
Code:
compgen -u
/usr/bin/getent passwd | awk -F ':' '{print "Login:" $1 "\tName:" $5 "\tHome:" $6}'
/usr/bin/getent passwd | awk -F ':' '{print $1}' | xargs -I {} groups {} | sed 's/ : /:/g' | tr ' ' ','
Any thoughts on what else I can run to just see local account information for my Auditors? Trying to determine what accounts, local, are human accounts or accounts that can login. What accounts are disabled or have password locked and not able to login. Things like that.
 
Old 05-22-2019, 10:50 AM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
If it is coming from AD it is NOT a "LOCAL" user account on the server.
 
Old 05-22-2019, 11:59 AM   #8
bkone
Member
 
Registered: Jun 2006
Distribution: SUSE, Red Hat, Oracle Linux, CentOS
Posts: 108

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by MensaWater View Post
If it is coming from AD it is NOT a "LOCAL" user account on the server.
Correct, thus I am trying to figure out how to exclude those from the output.
 
Old 05-22-2019, 02:35 PM   #9
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
Originally Posted by bkone View Post
Correct, thus I am trying to figure out how to exclude those from the output.
Are your AD users also in your /etc/passwd file? If not, what I sent before should be sufficient as it would only interrogate /etc/passwd.

If they are can you send an example of an AD user that is in your /etc/passwd file?

Is such an AD user also in /etc/shadow?
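
An added example, not written by any poster in this thread: a local-only audit report that reads /etc/passwd, /etc/group and /etc/shadow directly instead of going through getent or compgen, so accounts served by SSSD/AD never appear. The function name `local_account_report`, the `|`-separated output, the status labels and the default UID cutoff of 1000 are assumptions made for the example; pass 501 as the fourth argument to reproduce the "500 and lower" cutoff used earlier in the thread.

```shell
#!/bin/bash
# local_account_report PASSWD GROUP SHADOW [UID_MIN]
# Prints one line per local account: user|uid|class|login|groups
# Reads the flat files only; getent and compgen go through NSS and
# therefore also return SSSD/AD users.
local_account_report() {
    awk -F: -v uid_min="${4:-1000}" '
        # Group file: remember gid -> name and every listed member
        FILENAME == ARGV[1] {
            gname[$3] = $1
            n = split($4, m, ",")
            for (k = 1; k <= n; k++)
                if (m[k] != "") supp[m[k]] = supp[m[k]] "," $1
            next
        }
        # Shadow file: remember the password field of each account
        FILENAME == ARGV[2] { pw[$1] = $2; next }
        # Passwd file: classify and print each account
        {
            # 65534 is the nobody/nfsnobody account excluded in the thread
            class = ($3 >= uid_min && $3 != 65534) ? "human" : "system"
            if ($7 ~ /(nologin|false)$/)  login = "no-shell"
            else if (!($1 in pw))         login = "no-shadow-entry"
            # Leading ! or * blocks password logins only; SSH keys may still work
            else if (pw[$1] ~ /^[!*]/)    login = "pw-locked"
            else if (pw[$1] == "")        login = "EMPTY-PASSWORD"
            else                          login = "can-login"
            primary = ($4 in gname) ? gname[$4] : "gid=" $4
            print $1 "|" $3 "|" class "|" login "|" primary supp[$1]
        }
    ' "$2" "$3" "$1"
}

# Run against the live files only when asked to (reading /etc/shadow needs root)
[ "${1:-}" = "--live" ] && local_account_report /etc/passwd /etc/group /etc/shadow
```

The first group in the last column is the account's primary group from /etc/passwd; the rest are the supplementary memberships listed in /etc/group.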
 
  

