OTRS and PCI DSS

[wiegandr]

Hello all,
In the wake of our PCI DSS audit, we have to provide a monthly generated userlisting from all OTRS User, vaild or invaild and there roles. Does anybody have an idea on how to do this using a simple bash shell script?

Thank You for your help.

Ralf Wiegand

[RStraub]

Try running this perl script as otrs-user:
(you might want to redirect the output to a .csv file)

Code: Select all

#!/usr/bin/perl

use strict;
use warnings;
use utf8;

use lib '/opt/otrs/';
use lib '/opt/otrs/Kernel/cpan-lib';
use lib '/opt/otrs/Custom';

use Kernel::System::ObjectManager;
use Data::Dumper;

local $Kernel::OM = Kernel::System::ObjectManager->new(
    'Kernel::System::Log' => {
        LogPrefix => 'ListUsers',
    },
);

my $UserObject = $Kernel::OM->Get('Kernel::System::User');
my $GroupObject = $Kernel::OM->Get('Kernel::System::Group');

my %UserList = $UserObject->UserList(
    Type          => 'Long',
    Valid         => 0,
);

printf "Name;Login;ValidID;Roles";

foreach my $UserID ( keys %UserList ) {
    my %RoleList = $GroupObject->PermissionUserRoleGet(
        UserID => $UserID,
    );
    my %User = $UserObject->GetUserData(
        UserID => $UserID,
    );
    printf "$User{UserFullname};$User{UserLogin};$User{ValidID};" . qq{@{ [ values %RoleList ] }} . "\n";
}

[wiegandr]

This works great under OTRS 5.x, I also have two OTRS ticket systems using OTRS 3.x and I am getting the following messages: (where getusers.pl is the script name I am using...)

Can't locate Kernel/System/ObjectManager.pm in @INC (@INC contains: /opt/otrs/Custom /opt/otrs/Kernel/cpan-lib /opt/otrs/ /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at getusers.pl line 11.
BEGIN failed--compilation aborted at getusers.pl line 11.

Thank You for your great help.
Ralf Wiegand

[RStraub]

Mmh, according to the API in 3.x there was no Object Manager yet. So the single line:

Code: Select all

my $UserObject = $Kernel::OM->Get('Kernel::System::User');

would have to be replaced with:

Code: Select all

    use Kernel::Config;
    use Kernel::System::Encode;
    use Kernel::System::Log;
    use Kernel::System::Main;
    use Kernel::System::Time;
    use Kernel::System::DB;
    use Kernel::System::User;

    my $ConfigObject = Kernel::Config->new();
    my $EncodeObject = Kernel::System::Encode->new(
        ConfigObject => $ConfigObject,
    );
    my $LogObject = Kernel::System::Log->new(
        ConfigObject => $ConfigObject,
        EncodeObject => $EncodeObject,
    );
    my $MainObject = Kernel::System::Main->new(
        ConfigObject => $ConfigObject,
        EncodeObject => $EncodeObject,
        LogObject    => $LogObject,
    );
    my $TimeObject = Kernel::System::Time->new(
        ConfigObject => $ConfigObject,
        LogObject    => $LogObject,
    );
    my $DBObject = Kernel::System::DB->new(
        ConfigObject => $ConfigObject,
        EncodeObject => $EncodeObject,
        LogObject    => $LogObject,
        MainObject   => $MainObject,
    );
    my $UserObject = Kernel::System::User->new(
        ConfigObject => $ConfigObject,
        LogObject    => $LogObject,
        MainObject   => $MainObject,
        TimeObject   => $TimeObject,
        DBObject     => $DBObject,
        EncodeObject => $EncodeObject,
    );

The same goes for the GroupObject. You then should delete the 4-5 lines:

Code: Select all

local $Kernel::OM = Kernel::System::ObjectManager->new(
    'Kernel::System::Log' => {
        LogPrefix => 'ListUsers',
    },
);

The whole API can be seen here:
http://doc.otrs.com/doc/api/otrs/3.3/Pe ... up.pm.html

[wiegandr]

Not sure if I am getting this correct...getting
Can't locate object method "PermissionUserRoleGet" via package "Kernel::System::Group" at getusers.pl line 72.

#!/usr/bin/perl

use strict;
use warnings;
use utf8;

use lib '/opt/otrs/';
use lib '/opt/otrs/Kernel/cpan-lib';
use lib '/opt/otrs/Custom';

use Data::Dumper;

use Kernel::Config;
use Kernel::System::Encode;
use Kernel::System::Log;
use Kernel::System::Main;
use Kernel::System::Time;
use Kernel::System::DB;
use Kernel::System::Group;
use Kernel::System::User;

my $ConfigObject = Kernel::Config->new();
my $EncodeObject = Kernel::System::Encode->new(
ConfigObject => $ConfigObject,
);
my $LogObject = Kernel::System::Log->new(
ConfigObject => $ConfigObject,
EncodeObject => $EncodeObject,
);
my $MainObject = Kernel::System::Main->new(
ConfigObject => $ConfigObject,
EncodeObject => $EncodeObject,
LogObject => $LogObject,
);
my $TimeObject = Kernel::System::Time->new(
ConfigObject => $ConfigObject,
LogObject => $LogObject,
);
my $DBObject = Kernel::System::DB->new(
ConfigObject => $ConfigObject,
EncodeObject => $EncodeObject,
LogObject => $LogObject,
MainObject => $MainObject,
);
my $GroupObject = Kernel::System::Group->new(
ConfigObject => $ConfigObject,
LogObject => $LogObject,
MainObject => $MainObject,
TimeObject => $TimeObject,
DBObject => $DBObject,
EncodeObject => $EncodeObject,
);
my $UserObject = Kernel::System::User->new(
ConfigObject => $ConfigObject,
LogObject => $LogObject,
MainObject => $MainObject,
TimeObject => $TimeObject,
DBObject => $DBObject,
EncodeObject => $EncodeObject,
GroupObject => $GroupObject,
);

my %UserList = $UserObject->UserList(
Type => 'Long',
Valid => 0,
);


printf "Name;Login;ValidID;Roles";

foreach my $UserID ( keys %UserList ) {
my %RoleList = $GroupObject->PermissionUserRoleGet(
UserID => $UserID,
);
my %User = $UserObject->GetUserData(
UserID => $UserID,
);
printf "$User{UserFullname};$User{UserLogin};$User{ValidID};" . qq{@{ [ values %RoleList ] }} . "\n";



I have no clue if I am doing this right??

[RStraub]

Oh that function didn't exist back in 3.x either.

It seems the closest would be:

Code: Select all

  my %RoleList = $GroupObject->GroupUserRoleMemberList(
        UserID => $ID,
        Result => 'HASH',
    );

But I cannot test it, as I don't have a 3.x. Try to follow the API and see where you get with that.