#! /usr/bin/env perl # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Sys::Hostname (); use Term::ANSIColor; use JSON; use POSIX (); use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; use OVH::Result; use OVH::Bastion; use OVH::Bastion::Plugin qw( :DEFAULT help ); # globally allow sys_getpw* and sys_getgr* cache use $ENV{'PW_GR_CACHE'} = 1; OVH::Bastion::Plugin::begin( argv => \@ARGV, header => "account information", options => {'account=s' => \my $account, "list-groups" => \my $listGroups}, helptext => <<'EOF', Display some information about an account Usage: --osh SCRIPT_NAME --account ACCOUNT [--list-groups] --account ACCOUNT The account name to work on --list-groups Show which groups the account has a role on EOF ); my $fnret; $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account); $fnret or osh_exit $fnret; $account = $fnret->value->{'account'}; my $sysaccount = $fnret->value->{'sysaccount'}; my $remoteaccount = $fnret->value->{'remoteaccount'}; $fnret = OVH::Bastion::get_plugin_list(restrictedOnly => 1); $fnret or osh_exit $fnret; my %ret; if (OVH::Bastion::is_admin(account => $account)) { osh_info "$account is a bastion " . colored('admin', 'green'); $ret{'is_admin'} = 1; } if (OVH::Bastion::is_super_owner(account => $account)) { osh_info "$account is a bastion " . colored('superowner', 'green'); $ret{'is_superowner'} = 1; } if (OVH::Bastion::is_auditor(account => $account)) { osh_info "$account is a bastion " . colored('auditor', 'green'); $ret{'is_auditor'} = 1; } osh_info "This account has access to the following restricted commands:"; my @granted; foreach my $plugin (sort keys %{$fnret->value}) { $fnret = OVH::Bastion::is_user_in_group(user => $account, group => "osh-$plugin"); if ($fnret) { push @granted, $plugin; osh_info "- $plugin"; } } if (!@granted) { osh_info "(none)"; } $ret{'allowed_commands'} = \@granted; my $result_hash = {}; if ($listGroups) { $fnret = OVH::Bastion::get_group_list(); $fnret or osh_exit $fnret; osh_info "\nThis account is part of the following groups:"; foreach my $name (sort keys %{$fnret->value}) { my @flags; push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name, account => $account); push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name, account => $account); push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name, account => $account); push @flags, 'member' if OVH::Bastion::is_group_member(group => $name, account => $account); push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name, account => $account); if (@flags) { my $line = sprintf "%18s", $name; $line .= sprintf " %14s", colored(grep({ $_ eq 'owner' } @flags) ? 'Owner' : '-', 'red'); $line .= sprintf " %19s", colored(grep({ $_ eq 'gatekeeper' } @flags) ? 'GateKeeper' : '-', 'yellow'); $line .= sprintf " %18s", colored(grep({ $_ eq 'aclkeeper' } @flags) ? 'ACLKeeper' : '-', 'magenta'); $line .= sprintf " %15s", colored(grep({ $_ eq 'member' } @flags) ? 'Member' : '-', 'green'); $line .= sprintf " %14s", colored(grep({ $_ eq 'guest' } @flags) ? 'Guest' : '-', 'cyan'); osh_info $line; $result_hash->{$name} = {flags => \@flags, name => $name}; } } if (not keys %$result_hash) { osh_info "(none)"; } osh_info "\n"; } $ret{'groups'} = $result_hash; my $canConnect = 1; $ret{'always_active'} = OVH::Bastion::account_config( account => $account, key => OVH::Bastion::OPT_ACCOUNT_ALWAYS_ACTIVE, public => 1 ) ? 1 : 0; if ($ret{'always_active'}) { $ret{'is_active'} = 1; osh_info "This account is " . colored('always', 'green') . " active"; } else { $fnret = OVH::Bastion::is_account_active(account => $account); if ($fnret->is_ok) { osh_info "\nThis account is " . colored('active', 'green'); $ret{'is_active'} = 1; } elsif ($fnret->is_ko) { osh_info "\nThis account is " . colored('INACTIVE', 'red'); $canConnect = 0; $ret{'is_active'} = 0; } } if (OVH::Bastion::is_auditor(account => $self)) { # TTL check $fnret = OVH::Bastion::is_account_ttl_nonexpired(sysaccount => $sysaccount, account => $account); if ($fnret->is_ok && $fnret->err eq 'OK_NO_TTL') { osh_info "This account has " . colored('no TTL set', 'green'); $ret{'is_ttl_expired'} = 0; } elsif ($fnret->is_ok && $fnret->err eq 'OK_TTL_VALID') { osh_info "This account " . colored('TTL is still valid', 'green') . " (for " . $fnret->value->{'details'}{'human'} . ")"; $ret{'is_ttl_expired'} = 0; } elsif ($fnret->is_ko) { osh_info "This account " . colored('TTL is EXPIRED', 'red') . " (since " . $fnret->value->{'details'}{'human'} . ")"; $canConnect = 0; $ret{'is_ttl_expired'} = 1; } else { osh_warn "Error getting account TTL expiration info (" . $fnret->msg . ")"; } $ret{'ttl_timestamp'} = ($fnret && $fnret->value) ? $fnret->value->{'expiry_time'} : undef; # freeze check $fnret = OVH::Bastion::is_account_nonfrozen(account => $account); $ret{'is_frozen'} = undef; if ($fnret->is_ok) { osh_info "This account is " . colored('not frozen', 'green'); $ret{'is_frozen'} = 0; } elsif ($fnret->is_ko) { my $freezeReason = $fnret->value->{'reason'} || 'no reason given'; osh_info "This account has been " . colored('FROZEN', 'red') . " by " . $fnret->value->{'by'} . " ($freezeReason)"; $ret{'is_frozen'} = 1; $ret{'freeze_info'} = $fnret->value; $canConnect = 0; } # expi check $fnret = OVH::Bastion::is_account_nonexpired(sysaccount => $sysaccount, remoteaccount => $remoteaccount); if ($fnret->is_ok) { osh_info "This account has seen recent-enough activity to " . colored('not be activity-expired', 'green'); $ret{'is_expired'} = 0; } elsif ($fnret->is_ko) { osh_info "This account is " . colored('EXPIRED', 'red') . " activity-wise (it hasn't been seen for a long time)"; $canConnect = 0; $ret{'is_expired'} = 1; } else { osh_warn "Error getting account expiration info (" . $fnret->msg . ")"; } if (!$fnret->is_err) { osh_info "As a consequence, this account " . ($canConnect ? colored("can", 'green') : colored("CANNOT", 'red')) . " connect to this bastion\n\n"; $ret{'can_connect'} = $canConnect; if ($fnret->value->{'already_seen_before'}) { $ret{'already_seen_before'} = 1; if (defined $fnret->value->{'seconds'}) { $fnret = OVH::Bastion::duration2human(seconds => $fnret->value->{'seconds'}, tense => "past"); if ($fnret) { my $seenBeforeStr = $fnret->value->{'datetime_utc'}; if ( $fnret->value->{'datetime_local'} && $fnret->value->{'datetime_utc'} ne $fnret->value->{'datetime_local'}) { $seenBeforeStr .= " / " . $fnret->value->{'datetime_local'}; } $seenBeforeStr = sprintf( "Last seen on %s (%s ago)", colored($seenBeforeStr, 'magenta'), $fnret->value->{'duration'}, ); osh_info $seenBeforeStr; $ret{'last_activity'}{$_} = $fnret->value->{$_} for qw{ datetime_local datetime_utc }; $ret{'last_activity'}{'ago'} = $fnret->value->{'duration'}; $ret{'last_activity'}{'timestamp'} = time() - $fnret->value->{'seconds'}; } } } else { osh_info "This account has " . colored('NEVER', 'red') . " been used (yet)"; $ret{'already_seen_before'} = 0; } } $fnret = OVH::Bastion::account_config(account => $account, key => "creation_info"); if ($fnret) { my $creation_info; eval { $creation_info = decode_json($fnret->value); }; if ($@) { osh_warn("While reading creation metadata information for account '$account', couldn't decode JSON: $@"); } else { $ret{'creation_information'} = $creation_info; if ($creation_info->{'datetime_utc'}) { my $createdOnStr = $creation_info->{'datetime_utc'}; if ( $creation_info->{'datetime_local'} && $creation_info->{'datetime_utc'} ne $creation_info->{'datetime_local'}) { $createdOnStr .= " / " . $creation_info->{'datetime_local'}; } $createdOnStr = sprintf( "Created on %s (%s ago)", colored($createdOnStr, 'magenta'), OVH::Bastion::duration2human(seconds => time() - $creation_info->{'timestamp'})->value->{'duration'} ); osh_info $createdOnStr; } if ($creation_info->{'by'}) { osh_info "Created by " . colored($creation_info->{'by'}, 'magenta'); } if ($creation_info->{'bastion_version'}) { osh_info "Created using The Bastion " . colored('v' . $creation_info->{'bastion_version'}, 'magenta'); } if ($creation_info->{'comment'}) { osh_info "Creation with the following comment: " . colored($creation_info->{'comment'}, 'magenta'); } } } osh_info "\nAccount egress SSH config:"; $fnret = OVH::Bastion::account_ssh_config_get(account => $account); if ($fnret->err eq 'OK_EMPTY') { osh_info "- (default)"; $ret{'account_egress_ssh_config'}{'type'} = 'default'; } elsif ($fnret->err eq 'ERR_FILE_LOCALLY_MODIFIED') { osh_info "- (locally modified!)"; $ret{'account_egress_ssh_config'}{'type'} = 'locally_modified'; } elsif ($fnret) { $ret{'account_egress_ssh_config'}{'type'} = 'custom'; foreach my $key (sort keys %{$fnret->value}) { osh_info "- $key " . $fnret->value->{$key}; $ret{'account_egress_ssh_config'}{'items'}{$key} = $fnret->value->{$key}; } } else { $ret{'account_egress_ssh_config'}{'type'} = 'unknown'; osh_info "- (unknown: " . $fnret . ")"; } osh_info "\nAccount PIV-only policy status:"; $fnret = OVH::Bastion::account_config( account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_POLICY ); $ret{'ingress_piv_enforced'} = ($fnret && $fnret->value eq 'yes') ? 1 : 0; # keep for backwards compat $ret{'ingress_piv_policy'} = $fnret->value || undef; my $ingress_piv_policy_print = $ret{'ingress_piv_policy'} || 'default'; osh_info "- PIV policy for ingress keys on this account is set to " . colored($ingress_piv_policy_print, $ingress_piv_policy_print eq 'default' ? 'blue' : 'green'); $fnret = OVH::Bastion::account_config( account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_GRACE ); if ($fnret && $fnret->value > time()) { my $expiry = $fnret->value - time(); my $human = OVH::Bastion::duration2human(seconds => $expiry)->value; osh_info "- PIV grace period for this account is " . colored('set', 'green') . " and expires in " . $human->{'human'}; $ret{'ingress_piv_grace'} = { enabled => 1, expiration_timestamp => $fnret->value, seconds_remaining => $expiry, expiration_date => $human->{'date'}, time_remaining => $human->{'duration'}, }; } else { osh_info "- PIV grace period for this account is " . colored('inactive', 'blue'); $ret{'ingress_piv_grace'} = {enabled => 0}; } $fnret = OVH::Bastion::config('ingressRequirePIV')->value; $ret{'global_ingress_policy'} = $fnret = OVH::Bastion::config('ingressRequirePIV')->value ? 1 : 0; osh_info "- Global PIV policy status is " . ($ret{'global_ingress_policy'} ? colored('enabled', 'red') : colored('disabled', 'blue')); $fnret = OVH::Bastion::is_effective_piv_account_policy_enabled(account => $account); $ret{'effective_ingress_piv_policy'} = $fnret->is_ok ? 1 : 0; osh_info "- As a consequence, PIV policy is " . ($ret{'effective_ingress_piv_policy'} ? colored('enforced', 'red') : colored('inactive', 'blue')) . " for this account"; osh_info "\nAccount Multi-Factor Authentication status:"; $ret{'mfa_password_required'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_PASSWORD_REQUIRED_GROUP) ? 1 : 0; $ret{'mfa_password_bypass'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_PASSWORD_BYPASS_GROUP) ? 1 : 0; $ret{'mfa_password_configured'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_PASSWORD_CONFIGURED_GROUP) ? 1 : 0; osh_info "- Additional password authentication is " . ($ret{'mfa_password_required'} ? colored('required', 'green') : colored('not required', 'blue')) . " for this account"; osh_info "- Additional password authentication bypass is " . ($ret{'mfa_password_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue')) . " for this account"; osh_info "- Additional password authentication is " . ($ret{'mfa_password_configured'} ? colored('enabled and active', 'green') : colored('disabled', 'blue')); $ret{'mfa_totp_required'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_REQUIRED_GROUP) ? 1 : 0; $ret{'mfa_totp_bypass'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_BYPASS_GROUP) ? 1 : 0; $ret{'mfa_totp_configured'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_CONFIGURED_GROUP) ? 1 : 0; osh_info "- Additional TOTP authentication is " . ($ret{'mfa_totp_required'} ? colored('required', 'green') : colored('not required', 'blue')) . " for this account"; osh_info "- Additional TOTP authentication bypass is " . ($ret{'mfa_totp_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue')) . " for this account"; osh_info "- Additional TOTP authentication is " . ($ret{'mfa_totp_configured'} ? colored('enabled and active', 'green') : colored('disabled', 'blue')); $ret{'pam_auth_bypass'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::PAM_AUTH_BYPASS_GROUP) ? 1 : 0; osh_info "- PAM authentication bypass is " . ($ret{'pam_auth_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue')); $ret{'pubkey_auth_optional'} = OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::OSH_PUBKEY_AUTH_OPTIONAL_GROUP) ? 1 : 0; osh_info "- Optional public key authentication is " . ($ret{'pubkey_auth_optional'} ? colored('enabled', 'green') : colored('disabled', 'blue')); $ret{'personal_egress_mfa_required'} = OVH::Bastion::account_config(account => $account, key => "personal_egress_mfa_required")->value; $ret{'personal_egress_mfa_required'} ||= 'none'; # no config means no mfa osh_info "- MFA policy on personal accesses (using personal keys) on egress side is: " . $ret{'personal_egress_mfa_required'}; $ret{'idle_ignore'} = OVH::Bastion::account_config(account => $account, key => OVH::Bastion::OPT_ACCOUNT_IDLE_IGNORE, public => 1) ? 1 : 0; osh_info "\n- Account is immune to idle counter-measures: " . ($ret{'idle_ignore'} ? colored('yes', 'green') : colored('no', 'blue')); $ret{'max_inactive_days'} = OVH::Bastion::account_config(account => $account, %{OVH::Bastion::OPT_ACCOUNT_MAX_INACTIVE_DAYS()})->value; if (!defined $ret{'max_inactive_days'}) { osh_info "- Maximum number of days of inactivity before account is disabled: (default)"; } elsif ($ret{'max_inactive_days'} == 0) { osh_info "- Maximum number of days of inactivity before account is disabled: never"; } else { osh_info "- Maximum number of days of inactivity before account is disabled: " . $ret{'max_inactive_days'}; } my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountGetPasswordInfo'; push @command, '--account', $account; $fnret = OVH::Bastion::helper(cmd => \@command); if ($fnret) { $ret{'password'}{$_} = $fnret->value->{$_} for (keys %{$fnret->value}); osh_info "Account PAM UNIX password information (used for password MFA):"; if ($ret{'password'}{'password'} eq 'locked') { osh_info "- No valid password is set"; } else { osh_info "- Password is " . $ret{'password'}{'password'}; } osh_info "- Password was last changed on " . $ret{'password'}{'date_changed'}; if ($ret{'password'}{'max_days'} == -1) { osh_info "- Password will never expire"; } else { osh_info "- Password must be changed every " . $ret{'password'}{'max_days'} . " days at least"; osh_info "- A warning is displayed " . $ret{'password'}{'warn_days'} . " days before expiration"; } if ($ret{'password'}{'min_days'} != 0) { osh_info "- The minimum time between two password changes is " . $ret{'password'}{'min_days'} . " days"; } if ($ret{'password'}{'max_days'} != -1) { if ($ret{'password'}{'inactive_days'} != -1) { osh_info "- Account will be disabled " . $ret{'password'}{'inactive_days'} . " days after password expiration"; } else { osh_info "- Account will not be disabled after password expiration"; } } } } osh_ok(\%ret);