[RESOLVED] Local administrator audit packages for Linux and macOS

[bastien30]

Good morning,

Here are packages for auditing local administrators under Linux and MacOS.

Linux:

Code: Select all

# -*- coding: utf-8 -*-
from setuphelpers import *

# Define allowed users in admin group
allowed_admins_list = [
    r'my-admin-user',
    r'my-other-admin-user',
]

def install():
    pass

def audit():
    if is_rhel_based():
        admin_group = r'wheel'
    elif is_debian_based():
        admin_group = r'sudo'
    else:
        print(r'Unsupported Linux distribution %s' % get_distrib_linux())
        return "ERROR"

    admins_users = run(r'getent group %s' % admin_group).split(':')[3].strip('\n').strip().split(',')
    unallowed_user_in_admins_group = False
    listerror = []
    admins_dict = {"unallowed": [], "allowed": []}

    for user in admins_users:
        if not user.lower() in allowed_admins_list:
            listerror.append(user)
            admins_dict["unallowed"].append(user)
        else:
            admins_dict["allowed"].append(user)

    print("ADMINS LIST : %s" % ",".join(admins_users))  # Allowed users in admin list
    if listerror:
        print("UNALLOWED ADMINS LIST : %s" % ",".join(listerror))  # Bad users in admin list
        unallowed_user_in_admins_group = True 

    WAPT.write_audit_data_if_changed("audit-local-admins-linux", "audit-local-admins-linux", admins_dict)

    if unallowed_user_in_admins_group:
        return "ERROR"

    return "OK"

macOS:

Code: Select all

# -*- coding: utf-8 -*-
from setuphelpers import *

# Define allowed users in admin group
allowed_admins_list = [
    ### SYSTEM ACCOUNTS
    r'root',
    r'_mbsetupuser',  # System installation assistant
    ### OTHERS
    r'my-admin-user',
    r'my-other-admin-user',
]

def install():
    pass

def audit():
    admins_users = run(r'dscacheutil -q group -a name admin | grep users').split(': ')[1].strip('\n').strip().split(' ')
    unallowed_user_in_admins_group = False
    listerror = []
    admins_dict = {"unallowed": [], "allowed": []}

    for user in admins_users:
        if not user.lower() in allowed_admins_list:
            listerror.append(user)
            admins_dict["unallowed"].append(user)
        else:
            admins_dict["allowed"].append(user)

    print("ADMINS LIST : %s" % ",".join(admins_users))  # Allowed users in admin list
    if listerror:
        print("UNALLOWED ADMINS LIST : %s" % ",".join(listerror))  # Bad users in admin list
        unallowed_user_in_admins_group = True 

    WAPT.write_audit_data_if_changed("audit-local-admins-macos", "audit-local-admins-macos", admins_dict)

    if unallowed_user_in_admins_group:
        return "ERROR"

    return "OK"

[italbot]

Hello,

Thank you, we will add this code to our tis-audit-local-admins package.

Sincerely,

Ingrid