proves centos7

README.md

@@ -23,26 +23,18 @@ OS/Puppet version it works with.
 
 ## Module Description
 
-If applicable, this section should have a brief description of the technology
-the module integrates with and what that integration enables. This section
-should answer the questions: "What does this module *do*?" and "Why would I use
-it?"
-
-If your module has a range of functionality (installation, configuration,
-management, etc.) this is the time to mention it.
+**/etc/default/useradd** and **login.defs** management
 
 ## Setup
 
 ### What shadow affects
 
-* A list of files, packages, services, or operations that the module will alter,
-  impact, or execute on the system it's installed on.
-* This is a great place to stick any warnings.
-* Can be in list or paragraph form.
+* manages package containing **/etc/default/useradd**
+* **/etc/default/useradd** itself
 
 ### Setup Requirements
 
-This module requires pluginsync enabled 
+This module requires pluginsync enabled
 
 ### Beginning with shadow
 
@@ -59,10 +51,16 @@ the fancy stuff with your module here.
 
 ## Reference
 
-Here, list the classes, types, providers, facts, etc contained in your module.
-This section should include all of the under-the-hood workings of your module so
-people know what the module is touching on their system but don't need to mess
-with things. (We are working on automating this section!)
+### classes
+
+#### useradd
+
+* **group**: The group name or ID for a new user's initial group (when the **-N/--no-user-group** is used or when the **USERGROUPS_ENAB** variable is set to **no** in **/etc/login.defs**). The named group must exist, and a numerical group **ID** must have an existing entry (default: 100)
+* **home**: The default base directory for the system if no homedir (-d) is specified. **home** is concatenated with the account name to define the home directory. (default: /home)
+* **inactive**:  The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature (default: -1)
+* **expire**: The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD (default: undef)
+* **shell**: The name of the user's login shell (default: /sbin/nologin)
+* **skel**:  The skeleton directory, which contains files and directories to be copied in the user's home directory, when the home directory is created by useradd. (default: /etc/skel)
 
 ## Limitations
 

manifests/logindefs.pp

@@ -0,0 +1,74 @@
+class shadow::logindefs (
+                          $maildir       = $shadow::params::maildir_default,
+                          $pass_max_days = $shadow::params::pass_max_days_default,
+                          $pass_min_days = $shadow::params::pass_min_days_default,
+                          $pass_min_len  = $shadow::params::pass_min_len_default,
+                          $pass_warn_age = $shadow::params::pass_warn_age_default,
+                          $uid_min			 = '1000',
+                          $uid_max			 = '60000',
+                          $gid_min			 = '1000',
+                          $gid_max			 = '60000',
+                          $sys_uid_min   = $shadow::params::sys_uid_min_default,
+                          $sys_uid_max   = $shadow::params::sys_uid_max_default,
+                          $sys_gid_min   = $shadow::params::sys_gid_min_default,
+                          $sys_gid_max   = $shadow::params::sys_gid_max_default,
+                        ) inherits shadow {
+
+  class { '::shadow::install': } ->
+  class { '::shadow::logindefs::config': } ->
+  Class['::shadow::logindefs']
+
+  case $::osfamily
+  {
+    'redhat':
+    {
+      case $::operatingsystemrelease
+      {
+        /^[6-7].*$/:
+        {
+          $package_name='shadow-utils'
+          $maildir_default = '/var/spool/mail'
+        }
+        default: { fail("Unsupported RHEL/CentOS version! - ${::operatingsystemrelease}")  }
+      }
+    }
+    'Debian':
+    {
+      case $::operatingsystem
+      {
+        'Ubuntu':
+        {
+          case $::operatingsystemrelease
+          {
+            /^1[4-7].*$/:
+            {
+              fail('not implemented')
+            }
+            default: { fail("Unsupported Ubuntu version! - ${::operatingsystemrelease}")  }
+          }
+        }
+        'Debian': { fail('Unsupported')  }
+        default: { fail('Unsupported Debian flavour!')  }
+      }
+    }
+    'Suse':
+    {
+      case $::operatingsystem
+      {
+        'SLES':
+        {
+          case $::operatingsystemrelease
+          {
+            '11.3':
+            {
+              fail('not implemented')
+            }
+            default: { fail("Unsupported operating system ${::operatingsystem} ${::operatingsystemrelease}") }
+          }
+        }
+        default: { fail("Unsupported operating system ${::operatingsystem}") }
+      }
+    }
+    default: { fail('Unsupported OS!')  }
+  }
+}

manifests/logindefs/config.pp

@@ -0,0 +1,11 @@
+class shadow::logindefs::config inherits useradd {
+
+  file { '/etc/login.defs':
+    ensure  => 'present',
+    group   => 'root',
+    owner   => 'root',
+    mode    => '0644',
+    content => template("${module_name}/logindefs/logindefs.erb"),
+  }
+
+}

manifests/params.pp

@@ -1,16 +1,43 @@
 class shadow::params {
 
-  $package_name='shadow'
-  $service_name='shadow'
+  $pass_min_len_default='5'
+  $pass_warn_age_default='7'
+
+  if(hiera('eypshadow::hardening', false))
+  {
+    #hardening = true
+    $pass_max_days_default='90'
+    $pass_min_days_default='7'
+  }
+  else
+  {
+    $pass_max_days_default='99999'
+    $pass_min_days_default='0'
+  }
 
   case $::osfamily
   {
     'redhat':
     {
       case $::operatingsystemrelease
       {
-        /^[5-7].*$/:
+        /^[5-6].*$/:
         {
+          $package_name='shadow-utils'
+          $maildir_default = '/var/spool/mail'
+          $sys_uid_min_default = undef
+          $sys_uid_max_default = undef
+          $sys_gid_min_default = undef
+          $sys_gid_max_default = undef
+        }
+        /^7.*$/:
+        {
+          $package_name='shadow-utils'
+          $maildir_default = '/var/spool/mail'
+          $sys_uid_min_default = '201'
+          $sys_uid_max_default = '999'
+          $sys_gid_min_default = '201'
+          $sys_gid_max_default = '999'
         }
         default: { fail("Unsupported RHEL/CentOS version! - ${::operatingsystemrelease}")  }
       }
@@ -23,11 +50,11 @@
         {
           case $::operatingsystemrelease
           {
-            /^14.*$/:
-            {
-            }
-            /^16.*$/:
+            /^1[4-7].*$/:
             {
+              $package_name='passwd'
+              $maildir_default = '/var/spool/mail'
+              #TODO sys_gid_min_default ...
             }
             default: { fail("Unsupported Ubuntu version! - ${::operatingsystemrelease}")  }
           }
@@ -36,6 +63,25 @@
         default: { fail('Unsupported Debian flavour!')  }
       }
     }
+    'Suse':
+    {
+      case $::operatingsystem
+      {
+        'SLES':
+        {
+          case $::operatingsystemrelease
+          {
+            '11.3':
+            {
+              $package_name='pwdutils'
+              #TODO variables login.defs
+            }
+            default: { fail("Unsupported operating system ${::operatingsystem} ${::operatingsystemrelease}") }
+          }
+        }
+        default: { fail("Unsupported operating system ${::operatingsystem}") }
+      }
+    }
     default: { fail('Unsupported OS!')  }
   }
 }

manifests/useradd.pp

@@ -0,0 +1,13 @@
+class shadow::useradd (
+                        $group    = '100',
+                        $home     = '/home',
+                        $inactive = '-1',
+                        $expire   = undef,
+                        $shell    = '/sbin/nologin',
+                        $skel     = '/etc/skel',
+                      ) inherits shadow {
+
+  class { '::shadow::install': } ->
+  class { '::shadow::useradd::config': } ->
+  Class['::shadow::useradd']
+}

manifests/useradd/config.pp

@@ -0,0 +1,11 @@
+class shadow::useradd::config inherits useradd {
+
+  file { '/etc/default/useradd':
+    ensure  => 'present',
+    group   => 'root',
+    owner   => 'root',
+    mode    => '0600',
+    content => template("${module_name}/useradd/useradd.erb"),
+  }
+
+}

metadata.json

@@ -2,7 +2,7 @@
   "name": "eyp-shadow",
   "version": "0.1.0",
   "author": "eyp",
-  "summary": null,
+  "summary": "manages useradd and login.defs defaults",
   "license": "Apache-2.0",
   "source": "https://github.com/NTTCom-MS/eyp-shadow",
   "project_page": "https://github.com/NTTCom-MS/eyp-shadow",
@@ -14,27 +14,31 @@
   "operatingsystem_support": [
     {
       "operatingsystem": "RedHat",
-      "operatingsystemrelease": [ "5", "6", "7" ]
+      "operatingsystemrelease": [ "6", "7" ]
     },
     {
       "operatingsystem": "CentOS",
-      "operatingsystemrelease": [ "5", "6", "7" ]
+      "operatingsystemrelease": [ "6", "7" ]
     },
     {
       "operatingsystem": "Scientific",
-      "operatingsystemrelease": [ "5", "6", "7" ]
+      "operatingsystemrelease": [ "6", "7" ]
     },
     {
       "operatingsystem": "OEL",
-      "operatingsystemrelease": [ "5", "6", "7" ]
+      "operatingsystemrelease": [ "6", "7" ]
     },
     {
       "operatingsystem": "OracleLinux",
-      "operatingsystemrelease": [ "5", "6", "7" ]
+      "operatingsystemrelease": [ "6", "7" ]
     },
     {
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [ "14.04", "16.04" ]
+    },
+    {
+      "operatingsystem": "SLES",
+      "operatingsystemrelease": [ "11.3" ]
     }
   ],
   "requirements": [

templates/logindefs/logindefs.erb

@@ -0,0 +1,68 @@
+#
+# puppet managed file
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+
+
+MAIL_DIR	<%= @maildir %>
+
+
+# Password aging controls:
+
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+PASS_MAX_DAYS	<%= @pass_max_days %>
+
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+PASS_MIN_DAYS	<%= @pass_min_days %>
+
+#	PASS_MIN_LEN	Minimum acceptable password length.
+PASS_MIN_LEN	<%= @pass_min_len %>
+
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+PASS_WARN_AGE	<%= @pass_warn_age %>
+
+#
+# Min/max values for automatic uid/gid selection in useradd
+#
+UID_MIN                  <%= @uid_min %>
+UID_MAX                  <%= @uid_max %>
+GID_MIN                  <%= @gid_min %>
+GID_MAX                  <%= @gid_max %>
+<% if defined?(@sys_uid_min) -%>
+SYS_UID_MIN               <%= @sys_uid_min %>
+<% end -%>
+<% if defined?(@sys_uid_max) -%>
+SYS_UID_MAX               <%= @sys_uid_max %>
+<% end -%>
+<% if defined?(@sys_gid_min) -%>
+SYS_GID_MIN               <%= @sys_gid_min %>
+<% end -%>
+<% if defined?(@sys_gid_max) -%>
+SYS_GID_MAX               <%= @sys_gid_max %>
+<% end -%>
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME	yes
+
+# The permission mask is initialized to this value. If not specified,
+# the permission mask will be initialized to 022.
+UMASK           077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512

templates/useradd/useradd.erb

@@ -0,0 +1,11 @@
+#
+# puppet managed file
+#
+# useradd defaults file
+#
+GROUP=<%= @group %>
+HOME=<%= @home %>
+INACTIVE=<%= @inactive %>
+EXPIRE=<%= @expire %>
+SHELL=<%= @shell %>
+SKEL=<%= @skel %>