diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000..854021d
Binary files /dev/null and b/.DS_Store differ
diff --git a/T2_2025/.DS_Store b/T2_2025/.DS_Store
new file mode 100644
index 0000000..c9382df
Binary files /dev/null and b/T2_2025/.DS_Store differ
diff --git a/T2_2025/UAC Scripts/README.md b/T2_2025/UAC Scripts/README.md
new file mode 100644
index 0000000..2146b9b
--- /dev/null
+++ b/T2_2025/UAC Scripts/README.md
@@ -0,0 +1,171 @@
+# Redback User Access Control Scripts
+
+This repository contains a suite of Bash scripts designed to support basic user and group management for lab-scale Linux environments, particularly those aligned with ASD Essential 8 Maturity Level 1 (ML1) baselines. The scripts were created as part of a postgraduate cybersecurity project, with the aim of enforcing least privilege, simplifying administrative overhead, and enabling consistent reproducibility of access control environments.
+
+---
+
+## Installation
+
+To use these scripts system-wide without calling them directly via path, you can install them to a directory in your `$PATH`, such as `/usr/local/bin`:
+
+```bash
+sudo install -m 0755 bulk-user-group-manager.sh /usr/local/bin/bulk-user-group-manager
+sudo install -m 0755 group-manager.sh /usr/local/bin/group-manager
+sudo install -m 0755 cleanup.sh /usr/local/bin/cleanup-users
+```
+
+This will allow you to call the tools simply as:
+
+```bash
+sudo bulk-user-group-manager
+sudo group-manager
+sudo cleanup-users
+```
+
+> You can change the target directory if needed; just ensure it’s included in your `$PATH` and accessible to the appropriate users.
+
+---
+
+## Scripts Overview
+
+- `bulk-user-group-manager.sh` — Interactive CLI for managing user accounts, creating users with sensible defaults, and assigning them to predefined groups.
+- `group-manager.sh` — *(WIP)* Script to validate, create, and manage group privileges and shared directories.
+- `cleanup.sh` — *(WIP)* Script to clean up user accounts and restore the environment to a base state.
+
+---
+
+## `bulk-user-group-manager.sh`
+
+This script is the primary tool for creating individual user accounts via an interactive prompt. It enforces username sanitisation, sets up home directories with secure permissions, assigns supplementary groups, and logs created credentials for administrative reference.
+
+### Features
+
+- **Interactive CLI** with username confirmation
+- **Username slugification** to prevent invalid account names
+- **Secure default permissions** for home directories (`700`)
+- **First login password reset enforced**
+- **Optional group assignment** during creation
+- **Session summary** including usernames and temporary passwords
+- **Credential log output** to a file (defaults to `created_users_.csv`)
+
+### Usage
+
+```bash
+sudo ./bulk-user-group-manager.sh
+```
+
+Or, once installed as described in the Installation section:
+
+```bash
+sudo bulk-user-group-manager
+```
+
+You will be presented with a menu:
+
+```
+Bulk User/Group Manager (E8 ML1-aligned)
+
+Choose an action:
+ [1] Create user
+ [2] Create group
+ [3] Import users from CSV
+ [4] Exit
+```
+
+> **Note**: CSV import is currently disabled. Future revisions may restore this functionality.
+
+#### Example Workflow
+
+```bash
+First name: Ben
+Last name: Stephens
+Proposed username: ben.stephens
+Accept 'ben.stephens' as the username? [Y/n]: y
+Select supplementary groups for ben.stephens (optional): staff-admin
+```
+
+The script will:
+- Create the user `ben.stephens`
+- Set the home directory to `/home/ben.stephens` with `700` permissions
+- Generate a temporary password and force a password reset
+- Assign the user to `staff-admin` (if the group exists)
+- Log the credentials in a timestamped output file
+
+### Security Notes
+
+- Passwords are randomly generated and **only output once** to the admin.
+- Output CSV is saved with `600` permissions and should be manually secured or deleted.
+- You can enforce root-only access to this log file:
+ ```bash
+ sudo chown root:root created_users_2025-09-04.csv
+ sudo chmod 600 created_users_2025-09-04.csv
+ ```
+
+---
+
+## `group-manager.sh` *(Work in Progress)*
+
+This script will:
+
+- Check for predefined groups and create any that are missing
+- Ensure group-shared directories exist and have correct permissions
+- Apply privilege escalation rules via `sudoers` on a per-group basis
+- Provide a menu to modify group privileges, either through:
+ - Comma-separated custom commands
+ - Selection from predefined allowed command sets
+
+ *Usage, examples, and detailed implementation to be added.*
+
+---
+
+## `cleanup.sh` *(Work in Progress)*
+
+This script will:
+
+- Remove all users and/or groups except core administrative accounts
+- Optionally remove home directories and shared folders
+- Reset sudoers and access controls to a clean baseline
+
+ *Usage and examples to be added.*
+
+---
+
+## File Structure
+
+```text
+.
+├── bulk-user-group-manager.sh # Interactive user creation tool
+├── group-manager.sh # Group validation and sudo policy tool (WIP)
+├── cleanup.sh # Environment cleanup utility (WIP)
+├── created_users_*.csv # Output logs of created users and passwords
+└── README.md # This file
+```
+
+---
+
+## Assumptions
+
+This script assumes the administrator has:
+
+- Sudo/root access on a Linux system (Debian/Ubuntu tested)
+- Familiarity with UNIX permissions, `passwd`, `usermod`, and `sudoers`
+- Understanding of secure access control and ASD Essential 8 ML1 principles
+
+Scripts were tested against Ubuntu 22.04 LTS, but should work with minimal modifications on other modern Linux distributions.
+
+---
+
+## Licence and Attribution
+
+This project is for educational and lab-use purposes only. No warranty is provided for production deployments. Authored by Kim Brvenik.
+
+---
+
+## Roadmap
+
+- [ ] Finalise `group-manager.sh` with sudoer editing functionality
+- [ ] Implement `cleanup.sh` safely with confirmation checks
+- [ ] Add automated test harness for validation in CI environments
+- [ ] Package as `.deb` or `.rpm` for easier installation
+- [ ] Add csv import function to bulk user group manager
+
diff --git a/T2_2025/UAC Scripts/bulk-user-group-manager.sh b/T2_2025/UAC Scripts/bulk-user-group-manager.sh
new file mode 100644
index 0000000..bab8d0a
--- /dev/null
+++ b/T2_2025/UAC Scripts/bulk-user-group-manager.sh
@@ -0,0 +1,284 @@
+#!/usr/bin/env bash
+# ============================================================================
+# Bulk User/Group Manager (Ubuntu-focused)
+# ----------------------------------------------------------------------------
+# Purpose: Repeatedly add users and groups in a controlled, auditable way.
+# Designed to support ASD Essential Eight (E8) ML1 objectives:
+ # - Least privilege by default (no sudo unless an allowed group in sudoers)
+ # - Group-based access segregation and private home directories
+ # - Idempotent checks and explicit operator prompts
+ # - Basic audit trail via syslog (use `journalctl -t bulk-user-mgr`)
+# ----------------------------------------------------------------------------
+# Notes:
+# * Requires root. Tested on Ubuntu Server.
+# * Group directories are created under /srv/groups/ with 2770 perms
+ # so only members of the group (and root) can read/write. If available,
+ # ACLs are set to preserve restrictive defaults for new files.
+# * User home is /home/ with 700 perms; first login password reset
+ # is enforced via `passwd -e`.
+# * Script loops until you choose Exit.
+# * Script exports all created usernames and passwords to a CSV file.
+# ============================================================================
+
+set -Eeuo pipefail
+
+# ------------------------ helpers ------------------------
+die() { echo "ERROR: $*" >&2; exit 1; }
+
+need_root() {
+ if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
+ die "Please run as root (use sudo)."
+ fi
+}
+
+has_command() {
+ command -v "$1" >/dev/null 2>&1
+}
+
+trim() {
+ local s="$*"
+ s="${s#"${s%%[![:space:]]*}"}" # ltrim
+ s="${s%"${s##*[![:space:]]}"}" # rtrim
+ printf '%s' "$s"
+}
+
+slugify() {
+ # Convert names to a safe username like first.last (lowercase, ascii, dots)
+ local s="$1"
+ if has_command iconv; then s=$(printf '%s' "$s" | iconv -f UTF-8 -t ASCII//TRANSLIT); fi
+ s=$(printf '%s' "$s" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/./g; s/^\.+//; s/\.+$//; s/\.+/./g')
+ printf '%s' "$s"
+}
+
+prompt_yn() {
+ local msg="$1" ; local default="${2:-N}"
+ local ans
+ while true; do
+ read -r -p "$msg " ans || ans=""
+ ans="${ans:-$default}"
+ ans="${ans,,}"
+ case "$ans" in
+ y|yes) return 0;;
+ n|no) return 1;;
+ *) echo "Please answer y or n." ;;
+ esac
+ done
+}
+
+ensure_group() {
+ local g="$1"
+ if ! getent group "$g" >/dev/null; then
+ groupadd "$g"
+ echo "[OK] Created group: $g"
+ fi
+}
+
+ensure_predefined_groups() {
+ local predefined=(
+ type-junior type-senior
+ staff-user staff-admin
+ blue-team infrastructure
+ project-1 project-2 project-3 project-4 project-5
+ )
+ local missing=0
+ for g in "${predefined[@]}"; do
+ if ! getent group "$g" >/dev/null; then
+ groupadd "$g"
+ missing=1
+ echo "[OK] Created group: $g"
+ fi
+ done
+ if (( missing == 0 )); then
+ echo "[OK] All predefined groups are present."
+ fi
+}
+
+print_banner() {
+ echo "Bulk User/Group Manager (E8 ML1-aligned)"
+ echo
+}
+
+# ------------------------ session logging ------------------------
+SESSION_ROWS=() # each: username,first,last,password
+SESSION_CSV="bulk-user-creds-$(date +%Y%m%d-%H%M%S).csv"
+
+on_exit() {
+ if ((${#SESSION_ROWS[@]})); then
+ # Write header + rows
+ { echo "username,first,last,password"; printf '%s\n' "${SESSION_ROWS[@]}"; } > "$SESSION_CSV"
+ chmod 600 "$SESSION_CSV" || true
+ echo
+ echo "[SECRET] Session credentials written to: $(pwd)/$SESSION_CSV"
+ echo " File permissions set to 600."
+ fi
+}
+trap on_exit EXIT
+
+# ------------------------ main flow ------------------------
+create_user_flow() {
+ printf "First name: "
+ read -r first || first=""
+ first="$(trim "$first")"
+ [[ -n "$first" ]] || die "First name is required."
+
+ printf "Last name: "
+ read -r last || last=""
+ last="$(trim "$last")"
+ [[ -n "$last" ]] || die "Last name is required."
+
+ local proposed username
+ proposed="$(slugify "$first.$last")"
+ printf "Proposed username: %s\n" "$proposed"
+ read -r -p "Accept '$proposed' as the username? [Y/n]: " accept || accept="Y"
+ accept="${accept:-Y}"
+ if [[ "$accept" =~ ^[Nn]$ ]]; then
+ read -r -p "Enter username: " username || username=""
+ username="$(slugify "$(trim "$username")")"
+ else
+ username="$proposed"
+ fi
+ [[ -n "$username" ]] || die "Username is required."
+
+ if id -u "$username" >/dev/null 2>&1; then
+ echo "[INFO] User '$username' already exists; proceeding to group assignments."
+ else
+ useradd -m -c "$first $last" -s /bin/bash "$username"
+ echo "[OK] Created user $username ($first $last)"
+ local home="/home/$username"
+ if [[ -d "$home" ]]; then
+ chown "$username":"$username" "$home"
+ chmod 700 "$home"
+ fi
+ fi
+
+ echo
+ echo "Is the account a Student or Staff member?"
+ echo " [1] Student"
+ echo " [2] Staff"
+ local role
+ while true; do
+ read -r -p "Selection: " role || role=""
+ case "$role" in
+ 1|2) break;;
+ *) echo "Please enter 1 or 2." ;;
+ esac
+ done
+
+ declare -a add_groups=()
+
+ if [[ "$role" == "1" ]]; then
+ echo
+ echo "Student type:"
+ echo " [1] Junior (adds: type-junior)"
+ echo " [2] Senior (adds: type-senior)"
+ local stype
+ while true; do
+ read -r -p "Selection: " stype || stype=""
+ case "$stype" in
+ 1) add_groups+=("type-junior"); break;;
+ 2) add_groups+=("type-senior"); break;;
+ *) echo "Please enter 1 or 2."
;;
+ esac
+ done
+
+ echo
+ echo "Project access:"
+ echo " [0] None"
+ echo " [1] project-1"
+ echo " [2] project-2"
+ echo " [3] project-3"
+ echo " [4] project-4"
+ echo " [5] project-5"
+ echo " [6] blue-team"
+ echo " [7] secdevops"
+ echo " [8] infrastructure"
+ echo " [9] data-warehouse"
+ local psel
+ while true; do
+ read -r -p "Selection: " psel || psel="0"
+ case "$psel" in
+ 0) break;;
+ 1) add_groups+=("project-1"); break;;
+ 2) add_groups+=("project-2"); break;;
+ 3) add_groups+=("project-3"); break;;
+ 4) add_groups+=("project-4"); break;;
+ 5) add_groups+=("project-5"); break;;
+ 6) add_groups+=("blue-team"); break;;
+ 7) add_groups+=("secdevops"); break;;
+ 8) add_groups+=("infrastructure"); break;;
+ 9) add_groups+=("data-warehouse"); break;;
+ *) echo "Please enter a number 0–9." ;;
+ esac
+ done
+
+ if prompt_yn "Add Blue Team access? [y/N]:" "N"; then
+ add_groups+=("blue-team")
+ fi
+ if prompt_yn "Add Infrastructure access? [y/N]:" "N"; then
+ add_groups+=("infrastructure")
+ fi
+
+ else
+ add_groups+=("staff-user")
+ if prompt_yn "Grant admin access (staff-admin)? [y/N]:" "N"; then
+ add_groups+=("staff-admin")
+ fi
+ fi
+
+ # Deduplicate groups
+ declare -A seen=()
+ declare -a unique=()
+ for g in "${add_groups[@]}"; do
+ [[ -z "$g" ]] && continue
+ if [[ -z "${seen[$g]:-}" ]]; then
+ seen["$g"]=1
+ unique+=("$g")
+ fi
+ done
+
+ if ((${#unique[@]})); then
+ for g in "${unique[@]}"; do ensure_group "$g"; done
+ ( IFS=,; usermod -aG "${unique[*]}" "$username" )
+ echo "[OK] Added $username to groups: ${unique[*]}"
+ else
+ echo "[INFO] No supplementary groups selected."
+ fi
+
+ # Optional temporary password
+ local pw=""
+ if prompt_yn "Set a temporary random password now?
[Y/n]:" "Y"; then
+ if has_command openssl; then
+ pw="$(openssl rand -base64 18)"
+ else
+ pw="$(tr -dc 'A-Za-z0-9!@#%^*_=+' /dev/null 2>&1 || true
+ echo "[SECRET] Temporary password for ${username}: ${pw}"
+ fi
+
+ # Append to session log (CSV row); password may be blank if not set
+ local u_csv f_csv l_csv p_csv
+ u_csv="${username//,/}" ; f_csv="${first//,/}" ; l_csv="${last//,/}" ; p_csv="${pw//,/}"
+ SESSION_ROWS+=("${u_csv},${f_csv},${l_csv},${p_csv}")
+}
+
+main() {
+ need_root
+ ensure_predefined_groups
+ print_banner
+
+ while true; do
+ echo "Choose an action:"
+ echo " [1] Create user"
+ echo " [2] Exit"
+ read -r -p "Selection: " sel || sel="2"
+ case "$sel" in
+ 1) create_user_flow; echo;;
+ 2) exit 0;;
+ *) echo "Please enter 1 or 2." ;;
+ esac
+ done
+}
+
+main "$@"
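Review bot: In `on_exit` the credentials CSV is created under the inherited umask and only tightened afterwards by `chmod 600 "$SESSION_CSV" || true`, so with the usual umask of 022 the plaintext passwords are world-readable for a moment in whatever directory the admin happened to run from, and a chmod failure is swallowed; writing under a restrictive umask closes both gaps, e.g. `( umask 077; { echo "username,first,last,password"; printf '%s\n' "${SESSION_ROWS[@]}"; } > "$SESSION_CSV" )`. The file header also promises a syslog audit trail (`journalctl -t bulk-user-mgr`), `/srv/groups/` directories at 2770 and ACL defaults, but nothing in this file calls `logger`, creates group directories or sets ACLs, so the header should be trimmed to what the script does or those features implemented. The README in the same commit describes a four-option menu and `created_users_*.csv` output, whereas the script offers two options and writes `bulk-user-creds-*.csv`; one of the two should be corrected so operators know which file holds the secrets. The fallback password branch (`pw="$(tr -dc ... /dev/null 2>&1 || true`) appears truncated in this view, probably an extraction artefact, so the password-setting and `passwd -e` step could not be reviewed here.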