Saturday, March 29, 2008

Removing Old Users Network Wide Using Expect

Hey there,

Here comes another Expect monster-sized weekend script for you ;)

Today's script is a twist on a previous script we posted to do network wide updates. The essence is still the same. This should basically save you the hassle of having to log in to a million different servers to find and remove users who you know shouldn't have accounts on your boxes.

Again, you can also delete the "Weed out the undesirables pronto" section if you don't want to minimally secure the script from unauthorized usage by doing a logname check.

We've left out the login functionality for Linux this time, but we'll add it tomorrow as a "diff -c" patch file and add it to this file with "patch" to give the week an appropriate finish :)

There's a section I wrote specifically for an Informix sql database, that you can modify (or remove) if you like, to include an example of how to check for users (or anything, really) in a database. If you don't want or need that functionality, just delete the "$userlogin mail server sql user report:" section. All the sections are highlighted with tons of pound signs (#)

Once you edit this Expect script to suit your needs, you can run it easily, like so (with -h if you want to see the help screen):

Ex:
host # ./eraser


or

host # ./eraser -h

See you tomorrow with the Linux additions. Have a great weekend :)


Creative Commons License


This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

#!/usr/local/bin/expect

log_user 0

#########################################################################
# eraser - root out ex-employees across network
# 2008 - Mike Golvach - eggi@comcast.net
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#
# Usage: eraser <-h> [User Login] [Your Login]
#########################################################################

#########################################################################
# Weed out the undesirables pronto
#########################################################################

set gauntlet [exec logname]
if { [string compare $gauntlet "user1"] != 0 && [string compare $gauntlet "user2"] != 0 } {
puts "Sorry, $gauntlet. You may not use eraser."
exit
}

#########################################################################
# Go for the help short-circuit
#########################################################################

foreach member $argv {
if { $member == "-h" } {
puts "#############################################################################"
puts "USAGE:"
puts " $argv0 <-h> \[User Login\] \[Your Login\]"
puts "#############################################################################"
puts "SCO Hosts:"
puts " sco1 sco2"
puts "SUN Hosts:"
puts " sun1 sun2"
puts "HP Hosts:"
puts " hp1 hp2"
puts "#############################################################################"
puts "FLAGS:"
puts " -h: Show this message."
puts " User Login: Theirs."
puts " Your Login: Yours."
puts "#############################################################################"
puts "A FEW VALID COMMAND LINE EXPRESSIONS:"
puts " $argv0 -h"
puts " \(The -h command invalidates all others\)"
puts " $argv0 userlogin yourlogin"
puts " \(The Regular Way\)"
puts "#############################################################################"
exit
} elseif { [string match -* $member] == 1 } {
puts "Usage: $argv0 <-h> \[User Login\] \[Your Login\]"
exit
}
}

#########################################################################
# Generic login procs divided by architecture
#########################################################################

proc sun_login {tprompt login lpass} {

set timeout 3
set prompt $tprompt
set qlogin $login
set qpass $lpass

expect "ogin: " {send "$qlogin\r"}
expect "word: " {send "$qpass\r"}
}

proc hp_login {tprompt login lpass} {

set timeout 12
set prompt $tprompt
set qlogin $login
set qpass $lpass

expect "ogin: " {send "$qlogin\r"}
expect "word:" {send "$qpass\r"}
}

proc sco_login {tprompt login lpass} {

set timeout 6
set prompt $tprompt
set qlogin $login
set qpass $lpass

expect "ogin: " {send "$qlogin\r"}
expect "word:" {send "$qpass\r"}
expect -re $tprompt {send "\r"}
}

#########################################################################
# passwd and mail aliases groper procs by architecture
#########################################################################

proc sunhp_q {tprompt login lpass userlogin host} {
set timeout 5
set log $login
set opass $lpass
set prompt $tprompt
set ulogin $userlogin
set hostname $host
set insidealias none
set insidepwd none

send_user "Scanning $hostname... "

expect -re $tprompt {send "grep $ulogin /etc/passwd\r"}
expect -re $tprompt
send "echo $?\r"
expect -re "\r\n(.*)\r\n"
set returnval $expect_out(1,string)
if { $returnval == 0 } {
set insidepwd 1
}
expect -re $tprompt {send "grep $ulogin /etc/mail/aliases\r"}
expect -re $tprompt
send "echo $?\r"
expect -re "\r\n(.*)\r\n"
set returnval $expect_out(1,string)
if { $returnval == 0 } {
set insidealias 1
}
expect -re $tprompt {
send "exit\r"
}
return "$hostname $insidepwd $insidealias"
}

proc sco_q {tprompt login lpass userlogin host} {
set timeout 5
set log $login
set opass $lpass
set prompt $tprompt
set ulogin $userlogin
set hostname $host
set insidealias none
set insidepwd none

send_user "Scanning $hostname... "

expect -re $tprompt {send "\r"}
expect -re $tprompt {send "grep $ulogin /etc/passwd\r"}
expect -re $tprompt
send "echo $?\r"
expect -re "\r\n(.*)\r\n"
set returnval $expect_out(1,string)
if { $returnval == 0 } {
set insidepwd 1
}
expect -re $tprompt {send "grep $ulogin /usr/mmdf/table/alias.user\r"}
expect -re $tprompt
send "echo $?\r"
expect -re "\r\n(.*)\r\n"
set returnval $expect_out(1,string)
if { $returnval == 0 } {
set insidealias 1
}
expect -re $tprompt {
send "exit\r"
}
return "$hostname $insidepwd $insidealias"
}

#########################################################################
# The main process loop
#########################################################################

#########################################################################
# Check command line args
#########################################################################

if { [llength $argv] < 2 } {
puts "Usage: $argv0 <-h> \[User Login\] \[Your Login\]"
exit
}

#########################################################################
# Set list of servers, passwords and other globals
#########################################################################

set sun [list sun1 sun2]
set sco [list sco1 sco2]
set hp [list hp1 hp2]

set userlogin [lindex $argv 0]
set login [lindex $argv 1]
set tprompt "(%|#|\\\/|\\\$|\\\/|\\\/\\\/#|mgolvach|\\\)|\\\>|\\\}) ?$"

#########################################################################
# Grab user password.
#########################################################################

send_user "Enter your login password : "
stty -echo
expect -re "(.*)\n"
stty echo
set lpass $expect_out(1,string)

send_user "\n"

#########################################################################
# Do It To It.
#########################################################################

foreach host $sun {
spawn telnet $host
sun_login $tprompt $login $lpass
lappend finalists [sunhp_q $tprompt $login $lpass $userlogin $host]
}

foreach host $hp {
spawn telnet $host
hp_login $tprompt $login $lpass
lappend finalists [sunhp_q $tprompt $login $lpass $userlogin $host]
}

foreach host $sco {
spawn telnet $host
sco_login $tprompt $login $lpass
lappend finalists [sco_q $tprompt $login $lpass $userlogin $host]
}

puts ""
puts "#################################################################"
puts "$userlogin is a valid user on the following machines:"
puts "#################################################################"
set counter 0
foreach item $finalists {
if { [lindex $item 1] == 1 } {
incr counter
puts [lindex $item 0]
}
}
if { $counter == 0 } {
puts "No valid accounts found for $userlogin"
}
puts "#################################################################"
puts "$userlogin has mail alias entries on the following machines:"
puts "#################################################################"
set counter 0
foreach item $finalists {
if { [lindex $item 2] == 1 } {
incr counter
puts [lindex $item 0]
}
}
if { $counter == 0 } {
puts "No alias file entries found for $userlogin"
}
puts "#################################################################"
puts "$userlogin mail server sql user report:"
puts "#################################################################"
set counter 0
set squealer [open "|isql userdb 2>/dev/null >/tmp/tattle1.tmp" w]
puts $squealer "select * from mail_users where mail_user_id = \"$userlogin\""
close $squealer
set stooly [open "/tmp/tattle1.tmp"]
while {[gets $stooly buffer]!=-1} {
if { [string match *$userlogin* $buffer] == 1 } {
puts "Mail Dir : $buffer"
incr counter
}
}
if { $counter == 0 } {
puts "No Mail Dir entries found for $userlogin"
}
system "rm /tmp/tattle1.tmp"
puts "#################################################################"
puts "$userlogin excess files and directories found on mail server"
puts "#################################################################"
set counter 0
if { [file exists "/var/mail/$userlogin"] == 1 } {
incr counter
puts "File: /var/mail/$userlogin"
}
if { [file isdirectory "/var/imsp/user/$userlogin"] == 1 } {
incr counter
puts "Directory: /var/imsp/user/$userlogin"
}
if { $counter == 0 } {
puts "No excess mail server files found for $userlogin"
}
puts "#################################################################"
puts "DON'T FORGET TO:"
puts " 1. Do this".
puts " 2. Do that."
puts " 3. Do everything else."
puts "#################################################################"

exit



, Mike