A few of us were talking on IRC about how it would be nice to be able to audit the list of people with RelEng network access from time to time. The overall list is very big (all of IT, all of RelEng, plus people with temporary access). Dustin suggested that we may be able to get a weekly report of the latter group of users; is this possible? If so, it should be sent to firstname.lastname@example.org.

16:02 < bhearsum> in the blue sky world it would be nice to have a list of everyone with access minus releng+IT -- that would be the list that we want to audit from time to time
16:02 < arr> the infra team might be able to tell you how to get that
16:02 < arr> I'm not sure there's any differentiation between releng and not releng, though
16:03 < arr> it's just an LDAP bit
16:03 < dustin> cn=releng is a different group
16:03 < dustin> you could subtract them
16:03 < dustin> I bet one of the LDAP gurus could whip up a query for that
Possibly related, it would be a "good thing" to get a report anytime the set of releng folks changed. That usually means we need to get sudoer's access changed on a number of boxes. I can handle change detection on my end, but need the raw data (either query or email). Feel free to tell me to file a new bug. :)
I set up a little script in openvpn::weeklyreport and applied this to vpn1.releng.scl3.mozilla.com. The script grabs a list of all members of cn=buildteam,ou=groups,dc=mozilla, compares it to a list of all valid LDAP users and e-mails it to email@example.com. I just put it in /etc/cron.weekly, which I believe will cause it to run sometime on Sunday morning every week. I'm sending one mail now by hand, and you should expect one every Sunday (or whenever cron.weekly runs). If you don't see it, please let me know. Regarding the request in comment 1, I believe you have access to this server and can look at the script to see the query, and how I'm using it. Ping me some morning if you want help with ldapsearch parameters or anything. As a member of the group you should be able to query ldap directly for the list of members in the group and subsequently write your own scripts to track the changes. It'd definitely have to be a regular "pull" query, as I don't have a way to fire off a hook in a "push" model when changes are made to LDAP.
Also, the e-mail that was just sent said "Daily" in the subject. I changed it to "Weekly", so the ones from cron will say "Weekly Report of Releng Users"
c#0 (and my preference) talk about excluding IT and Releng from the query, such that we'd get a list of people who are not "known ok" (releng and IT can be assumed "known ok"). Having the full list could still be useful once in a while though, maybe once a month for the full list? (non-blocking) But as it stands, with IT and Releng grouped in, doing quick audits of the people is hard, and even harder to find useful actionables if someone is on this for too long.
OOO and enh request, if possible can we coerce the "From" to be something other than "root". Makes it easier for my filterings/skimming
:atoll helped me write a filter to exclude people in cn=sysadmins, cn=releng and cn=relops. The new script has been pushed. :hwine brought to my attention that cron fired off the script this morning. I haven't looked into how cron.weekly determines when to run. If you prefer a set time, please re-open with when you want it to run. If you are good with "jabba thinks Sunday, but maybe it'll happen on Thursdays going forward", then it's good.

(In reply to Justin Wood (:Callek) from comment #5)
> OOO and enh request, if possible can we coerce the "From" to be something
> other than "root". Makes it easier for my filterings/skimming

I'd just make a filter based on Subject for "Weekly Report of Releng VPN Users" coming from "root".
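The script described in comment 3 and refined in comment 7 (pull the members of cn=buildteam, subtract the "known ok" groups cn=sysadmins, cn=releng and cn=relops, and report what is left) is not attached to this bug. The following is an added example of that technique, not jabba's script: it parses the LDIF that `ldapsearch -LLL` prints, computes the audit list, and also does the snapshot-to-snapshot change detection asked for in comment 2. The group names are the ones from this bug; the `member:` attribute format, the DNs and every name in the sample LDIF are constructed assumptions, so in practice you would feed it the real `ldapsearch` output instead of the inline sample.

```python
"""Weekly audit of VPN-group members who are in no "known ok" group.

Added example (not the script from this bug). Assumes group membership is
returned as `member:` DN values; the LDIF below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample in the shape `ldapsearch -LLL` prints (LDIF). All names
# are made up. One long DN is folded onto a continuation line (leading
# space) the way LDIF does, so the parser has to handle unfolding.
SAMPLE_LDIF = """\
dn: cn=buildteam,ou=groups,dc=mozilla
cn: buildteam
member: mail=alice@example.org,o=com,dc=mozilla
member: mail=bob@example.org,o=com,dc=mozilla
member: mail=carol@example.org,o=com,dc=mozilla
member: mail=dave@example.org,o=com,dc=mozilla
member: mail=eve-contractor-with-a-very-long-address@example.org,o=com,
 dc=mozilla

dn: cn=releng,ou=groups,dc=mozilla
cn: releng
member: mail=alice@example.org,o=com,dc=mozilla

dn: cn=sysadmins,ou=groups,dc=mozilla
cn: sysadmins
member: mail=bob@example.org,o=com,dc=mozilla

dn: cn=relops,ou=groups,dc=mozilla
cn: relops
member: mail=carol@example.org,o=com,dc=mozilla
"""

# Groups whose members are assumed "known ok" (from comment 7).
KNOWN_OK_GROUPS = ("sysadmins", "releng", "relops")


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for each entry in an LDIF blob.

    Handles the two LDIF features that break naive line splitting:
    folded continuation lines (leading space) and blank-line separators.
    Base64 values (`attr::`) are not handled; plain DNs do not need them.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # join continuation onto previous line
        else:
            unfolded.append(line)

    entries = {}
    current, attrs = None, defaultdict(list)
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line:
            if current is not None:
                entries[current] = dict(attrs)
            current, attrs = None, defaultdict(list)
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            current = value
        else:
            attrs[key].append(value)
    return entries


def group_members(entries, cn):
    """Members of the group whose cn matches, as a set of member DNs."""
    for attrs in entries.values():
        if attrs.get("cn") == [cn]:
            return set(attrs.get("member", []))
    return set()


def audit_list(ldif_text, vpn_group="buildteam", known_ok=KNOWN_OK_GROUPS):
    """VPN-group members who are in none of the known-ok groups (sorted)."""
    entries = parse_ldif(ldif_text)
    candidates = group_members(entries, vpn_group)
    for cn in known_ok:
        candidates -= group_members(entries, cn)
    return sorted(candidates)


def membership_changes(previous, current):
    """(added, removed) between two snapshots of the audit list."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    # Stand-alone run: this is the body of the weekly mail.
    print("Weekly Report of Releng VPN Users (not in a known-ok group):")
    for dn in audit_list(SAMPLE_LDIF):
        print("  " + dn)
```

For the change-detection half, keep the previous week's `audit_list` result on disk and pass both snapshots to `membership_changes`; a non-empty result is the trigger for the sudoers update mentioned in comment 2. Because LDAP offers no push hook, this only ever sees changes at the granularity of the cron interval.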
I just got the latest report, hooray! Thanks again for this.