Not sure if you can 'push' it to a user because the user has to go
through an enrollment process. But I know it can be queried. We have
a script to enumerate any admin users without 2factor, and alert via
email.

#!/bin/bash
# Audit Google Apps admins: mail every Super or Delegated admin whose account
# is not enrolled in 2-Step Verification, copying the auditor address.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/root/.local/bin:/root/bin"
TwoStepAuditor="Sys...@OurCompany.com"

# Keep CSV columns 1, 11, 12 and 14 of the report and turn the commas into
# spaces, so that read can split them into Email, TSV (2-Step Verification),
# Delegated and Super. The header row never matches "True" and is skipped.
/path/to/gam.py report users 2>/root/gam-error | \
cut -d ',' -f '1,11,12,14' | sed 's/,/\ /g' | \
while read -r Email TSV Delegated Super Foo
do
    # Local part of the address, used in the greeting and as the recipient.
    User="$( sed 's/\@.*$//' <<< "${Email}" )"
    if [[ "${Super}" == "True" ]] || [[ "${Delegated}" == "True" ]]
    then
        AdminLevel="Delegated"
        if [[ "${Super}" == "True" ]]
        then
            AdminLevel="Super"
        fi
        if [[ "${TSV}" == "False" ]]
        then
            # echo "${User} is missing 2-Step Verification"
            # The message body stays flush left so it is mailed without indentation.
            mail -s "Google Apps 2-Step Authentication Audit" "${User}@OurCompany.com" "${TwoStepAuditor}" <<<"Greetings ${User},
Your Google Apps account, ${Email} currently has ${AdminLevel} Admin
rights to our company, but your account is NOT currently protected by
2-Step Authentication.
Please enable 2-Step authentication to protect OurCompany. Go to
https://www.google.com/settings
The second section is titled \"Signing in\" and each subsection is a
clickable link. Click on the 2-Step Verification subsection.
The OurCompany howto guide for 2-Step Authentication at
https://docs.google.com/a/OurCompany.com/document/d/1vVS8a9_EPNzM/edit
may help. Additionally, Help...@OurCompany.com can help you enable
it.
Thank you for protecting the company by enabling 2-Step Authentication."
        fi
    fi
done #| \
#mail -s "2-Step Audit" ${TwoStepAuditor}
--
Billy Crook • Network and Security Administrator • RiskAnalytics, LLC
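
An added example, not part of the original post: the same audit selecting columns by header name instead of fixed positions, so a changed column order cannot silently misclassify admins. It assumes the report header uses the Reports API parameter names shown and that no field contains a comma; the sample rows and the function names are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the poster's script). Assumptions: header names below,
# and no embedded commas in fields (the same assumption `cut -d,` makes).

# Reads the report CSV on stdin and prints "<email> <Super|Delegated>" for
# every admin whose 2-Step Verification state is anything other than "True".
admins_without_2sv() {
    awk -F',' '
        { sub(/\r$/, "") }                 # tolerate CRLF exports
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            n = split("email accounts:is_2sv_enrolled " \
                      "accounts:is_delegated_admin accounts:is_super_admin", need, " ")
            # Fail closed: an audit that cannot find its columns must not
            # report "no findings".
            for (i = 1; i <= n; i++)
                if (!(need[i] in col)) {
                    print "missing column: " need[i] > "/dev/stderr"
                    exit 2
                }
            next
        }
        {
            super = ($(col["accounts:is_super_admin"]) == "True")
            deleg = ($(col["accounts:is_delegated_admin"]) == "True")
            if (!super && !deleg) next
            # A blank or unknown state is reported too, not only "False".
            if ($(col["accounts:is_2sv_enrolled"]) != "True")
                print $(col["email"]), (super ? "Super" : "Delegated")
        }
    '
}

# Constructed sample report; columns are deliberately in a different order.
sample_report() {
    cat <<'EOF'
email,date,accounts:is_super_admin,accounts:is_2sv_enrolled,accounts:is_disabled,accounts:is_delegated_admin
alice@example.com,2014-01-01,True,False,False,False
bob@example.com,2014-01-01,False,True,False,True
carol@example.com,2014-01-01,False,False,False,True
dave@example.com,2014-01-01,False,False,False,False
erin@example.com,2014-01-01,True,,False,False
EOF
}

sample_report | admins_without_2sv
```

Unlike the script above, this version also flags an admin whose 2-Step state is blank, and it exits with status 2 when an expected column is missing.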