From 16dc00b13e8933ebac6d4436498c9438e0ec8531 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Tue, 4 Jul 2017 16:47:20 +0200 Subject: [PATCH] proves centos7 --- README.md | 30 ++++++------- manifests/logindefs.pp | 74 +++++++++++++++++++++++++++++++ manifests/logindefs/config.pp | 11 +++++ manifests/params.pp | 60 ++++++++++++++++++++++--- manifests/useradd.pp | 13 ++++++ manifests/useradd/config.pp | 11 +++++ metadata.json | 16 ++++--- templates/logindefs/logindefs.erb | 68 ++++++++++++++++++++++++++++ templates/useradd/useradd.erb | 11 +++++ 9 files changed, 265 insertions(+), 29 deletions(-) create mode 100644 manifests/logindefs.pp create mode 100644 manifests/logindefs/config.pp create mode 100644 manifests/useradd.pp create mode 100644 manifests/useradd/config.pp create mode 100644 templates/logindefs/logindefs.erb create mode 100644 templates/useradd/useradd.erb diff --git a/README.md b/README.md index 3df5a06..cd8fae1 100644 --- a/README.md +++ b/README.md @@ -23,26 +23,18 @@ OS/Puppet version it works with. ## Module Description -If applicable, this section should have a brief description of the technology -the module integrates with and what that integration enables. This section -should answer the questions: "What does this module *do*?" and "Why would I use -it?" - -If your module has a range of functionality (installation, configuration, -management, etc.) this is the time to mention it. +**/etc/default/useradd** and **login.defs** management ## Setup ### What shadow affects -* A list of files, packages, services, or operations that the module will alter, - impact, or execute on the system it's installed on. -* This is a great place to stick any warnings. -* Can be in list or paragraph form. +* manages package containing **/etc/default/useradd** +* **/etc/default/useradd** itself ### Setup Requirements -This module requires pluginsync enabled +This module requires pluginsync enabled ### Beginning with shadow 
@@ -59,10 +51,16 @@ the fancy stuff with your module here. ## Reference -Here, list the classes, types, providers, facts, etc contained in your module. -This section should include all of the under-the-hood workings of your module so -people know what the module is touching on their system but don't need to mess -with things. (We are working on automating this section!) +### classes + +#### useradd + +* **group**: The group name or ID for a new user's initial group (when the **-N/--no-user-group** is used or when the **USERGROUPS_ENAB** variable is set to **no** in **/etc/login.defs**). The named group must exist, and a numerical group **ID** must have an existing entry (default: 100) +* **home**: The default base directory for the system if no homedir (-d) is specified. **home** is concatenated with the account name to define the home directory. (default: /home) +* **inactive**: The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature (default: -1) +* **expire**: The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD (default: undef) +* **shell**: The name of the user's login shell (default: /sbin/nologin) +* **skel**: The skeleton directory, which contains files and directories to be copied in the user's home directory, when the home directory is created by useradd. (default: /etc/skel) ## Limitations diff --git a/manifests/logindefs.pp b/manifests/logindefs.pp new file mode 100644 index 0000000..8c9eeab --- /dev/null +++ b/manifests/logindefs.pp 
@@ -0,0 +1,74 @@
+class shadow::logindefs (
+ $maildir = $shadow::params::maildir_default,
+ $pass_max_days = $shadow::params::pass_max_days_default,
+ $pass_min_days = $shadow::params::pass_min_days_default,
+ $pass_min_len = $shadow::params::pass_min_len_default,
+ $pass_warn_age = $shadow::params::pass_warn_age_default,
+ $uid_min = '1000',
+ $uid_max = '60000',
+ $gid_min = '1000',
+ $gid_max = '60000',
+ $sys_uid_min = $shadow::params::sys_uid_min_default,
+ $sys_uid_max = $shadow::params::sys_uid_max_default,
+ $sys_gid_min = $shadow::params::sys_gid_min_default,
+ $sys_gid_max = $shadow::params::sys_gid_max_default,
+ ) inherits shadow {
+
+ class { '::shadow::install': } ->
+ class { '::shadow::logindefs::config': } ->
+ Class['::shadow::logindefs']
+
+ case $::osfamily
+ {
+ 'redhat':
+ {
+ case $::operatingsystemrelease
+ {
+ /^[6-7].*$/:
+ {
+ $package_name='shadow-utils'
+ $maildir_default = '/var/spool/mail'
+ }
+ default: { fail("Unsupported RHEL/CentOS version! - ${::operatingsystemrelease}") }
+ }
+ }
+ 'Debian':
+ {
+ case $::operatingsystem
+ {
+ 'Ubuntu':
+ {
+ case $::operatingsystemrelease
+ {
+ /^1[4-7].*$/:
+ {
+ fail('not implemented')
+ }
+ default: { fail("Unsupported Ubuntu version! - ${::operatingsystemrelease}") }
+ }
+ }
+ 'Debian': { fail('Unsupported') }
+ default: { fail('Unsupported Debian flavour!') }
+ }
+ }
+ 'Suse':
+ {
+ case $::operatingsystem
+ {
+ 'SLES':
+ {
+ case $::operatingsystemrelease
+ {
+ '11.3':
+ {
+ fail('not implemented')
+ }
+ default: { fail("Unsupported operating system ${::operatingsystem} ${::operatingsystemrelease}") }
+ }
+ }
+ default: { fail("Unsupported operating system ${::operatingsystem}") }
+ }
+ }
+ default: { fail('Unsupported OS!') }
+}
diff --git a/manifests/logindefs/config.pp b/manifests/logindefs/config.pp
new file mode 100644
index 0000000..6e14c83
--- /dev/null
+++ b/manifests/logindefs/config.pp
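Review bot: `class { '::shadow::install': }` is a resource-like declaration, and the identical declaration appears again in `shadow::useradd` (manifests/useradd.pp in this patch), so declaring both `shadow::logindefs` and `shadow::useradd` on one node raises a duplicate-declaration error for Class[Shadow::Install]; if the parent `shadow` class that both inherit declares it as well, each of them fails even on its own. Switch to the idempotent form: `include ::shadow::install`, `include ::shadow::logindefs::config`, `Class['::shadow::install'] -> Class['::shadow::logindefs::config'] -> Class['::shadow::logindefs']`. The `case $::osfamily` block that follows only assigns `$package_name` and `$maildir_default`, which nothing in this class reads (the class already takes `$maildir` from `shadow::params`), and its Ubuntu and SLES branches `fail('not implemented')`; either drop the block or move the RedHat-only gate into `shadow::params` so the supported-platform logic lives in one place.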
@@ -0,0 +1,11 @@ +class shadow::logindefs::config inherits useradd { + + file { '/etc/login.defs': + ensure => 'present', + group => 'root', + owner => 'root', + mode => '0644', + content => template("${module_name}/logindefs/logindefs.erb"), + } + +} diff --git a/manifests/params.pp b/manifests/params.pp index b5f404c..ac5ce67 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,7 +1,19 @@ class shadow::params { - $package_name='shadow' - $service_name='shadow' + $pass_min_len_default='5' + $pass_warn_age_default='7' + + if(hiera('eypshadow::hardening', false)) + { + #hardening = true + $pass_max_days_default='90' + $pass_min_days_default='7' + } + else + { + $pass_max_days_default='99999' + $pass_min_days_default='0' + } case $::osfamily { @@ -9,8 +21,23 @@ { case $::operatingsystemrelease { - /^[5-7].*$/: + /^[5-6].*$/: { + $package_name='shadow-utils' + $maildir_default = '/var/spool/mail' + $sys_uid_min_default = undef + $sys_uid_max_default = undef + $sys_gid_min_default = undef + $sys_gid_max_default = undef + } + /^7.*$/: + { + $package_name='shadow-utils' + $maildir_default = '/var/spool/mail' + $sys_uid_min_default = '201' + $sys_uid_max_default = '999' + $sys_gid_min_default = '201' + $sys_gid_max_default = '999' } default: { fail("Unsupported RHEL/CentOS version! - ${::operatingsystemrelease}") } } @@ -23,11 +50,11 @@ { case $::operatingsystemrelease { - /^14.*$/: - { - } - /^16.*$/: + /^1[4-7].*$/: { + $package_name='passwd' + $maildir_default = '/var/spool/mail' + #TODO sys_gid_min_default ... } default: { fail("Unsupported Ubuntu version! - ${::operatingsystemrelease}") } } 
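Review bot: `inherits useradd` names a class that does not exist in this module (every class here is `shadow::*`), so the class cannot compile; and even if a foreign top-level `useradd` class existed, the template's `@maildir`, `@pass_max_days`, `@sys_uid_min` and friends are parameters of `shadow::logindefs`, which is the class that must be inherited for them to be in scope. The line should read `class shadow::logindefs::config inherits shadow::logindefs {`. The same copy-paste is in manifests/useradd/config.pp in this patch, where it should be `inherits shadow::useradd`.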
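Review bot: The `eypshadow::hardening` toggle in the first params.pp hunk only tightens PASS_MAX_DAYS/PASS_MIN_DAYS; `$pass_min_len_default='5'` and `$pass_warn_age_default='7'` are shared by both modes, so a reader enabling hardening may assume the length floor is raised when it is not. On PAM-built shadow-utils such as the EL6/EL7 targets here, PASS_MIN_LEN in login.defs is, as far as I know, not consulted by passwd (length and complexity come from pam_cracklib/pam_pwquality), so a comment such as `# PASS_MIN_LEN is not enforced by passwd on PAM builds; set minlen in pam_pwquality/pam_cracklib` would stop this value from being mistaken for a control. The hiera key also sits outside the module's `shadow::` namespace, and a bare `hiera()` call inside params cannot be overridden from a class parameter; `hiera('shadow::hardening', false)` or a parameter on the `shadow` class would be the conventional shape.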
@@ -36,6 +63,25 @@ default: { fail('Unsupported Debian flavour!') } } } + 'Suse': + { + case $::operatingsystem + { + 'SLES': + { + case $::operatingsystemrelease + { + '11.3': + { + $package_name='pwdutils' + #TODO variables login.defs + } + default: { fail("Unsupported operating system ${::operatingsystem} ${::operatingsystemrelease}") } + } + } + default: { fail("Unsupported operating system ${::operatingsystem}") } + } + } default: { fail('Unsupported OS!') } } } diff --git a/manifests/useradd.pp b/manifests/useradd.pp new file mode 100644 index 0000000..29c6326 --- /dev/null +++ b/manifests/useradd.pp @@ -0,0 +1,13 @@ +class shadow::useradd ( + $group = '100', + $home = '/home', + $inactive = '-1', + $expire = undef, + $shell = '/sbin/nologin', + $skel = '/etc/skel', + ) inherits shadow { + + class { '::shadow::install': } -> + class { '::shadow::useradd::config': } -> + Class['::shadow::useradd'] +} diff --git a/manifests/useradd/config.pp b/manifests/useradd/config.pp new file mode 100644 index 0000000..8adca04 --- /dev/null +++ b/manifests/useradd/config.pp @@ -0,0 +1,11 @@ +class shadow::useradd::config inherits useradd { + + file { '/etc/default/useradd': + ensure => 'present', + group => 'root', + owner => 'root', + mode => '0600', + content => template("${module_name}/useradd/useradd.erb"), + } + +} diff --git a/metadata.json b/metadata.json index 3be2350..26f9412 100644 --- a/metadata.json +++ b/metadata.json @@ -2,7 +2,7 @@ "name": "eyp-shadow", "version": "0.1.0", "author": "eyp", - "summary": null, + "summary": "manages useradd and login.defs defaults", "license": "Apache-2.0", "source": "https://github.com/NTTCom-MS/eyp-shadow", "project_page": "https://github.com/NTTCom-MS/eyp-shadow", 
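Review bot: In manifests/useradd.pp, `$shell = '/sbin/nologin'` is a hard-coded literal default although the module metadata declares Ubuntu 14.04/16.04 and SLES; on Debian-family systems the non-login shell is, as far as I know, `/usr/sbin/nologin`, so accounts created with these defaults would point at a shell path that does not exist there. Put it next to `$package_name` in `shadow::params` as `$shell_default` and use `$shell = $shadow::params::shell_default,` here, as the other defaults in this patch already do. The `class { '::shadow::install': }` declaration in this class has the same duplicate-declaration problem noted for manifests/logindefs.pp.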
@@ -14,27 +14,31 @@
 "operatingsystem_support": [
 {
 "operatingsystem": "RedHat",
- "operatingsystemrelease": [ "5", "6", "7" ]
+ "operatingsystemrelease": [ "6", "7" ]
 },
 {
 "operatingsystem": "CentOS",
- "operatingsystemrelease": [ "5", "6", "7" ]
+ "operatingsystemrelease": [ "6", "7" ]
 },
 {
 "operatingsystem": "Scientific",
- "operatingsystemrelease": [ "5", "6", "7" ]
+ "operatingsystemrelease": [ "6", "7" ]
 },
 {
 "operatingsystem": "OEL",
- "operatingsystemrelease": [ "5", "6", "7" ]
+ "operatingsystemrelease": [ "6", "7" ]
 },
 {
 "operatingsystem": "OracleLinux",
- "operatingsystemrelease": [ "5", "6", "7" ]
+ "operatingsystemrelease": [ "6", "7" ]
 },
 {
 "operatingsystem": "Ubuntu",
 "operatingsystemrelease": [ "14.04", "16.04" ]
+ },
+ {
+ "operatingsystem": "SLES",
+ "operatingsystemrelease": [ "11.3" ]
 }
 ],
 "requirements": [
diff --git a/templates/logindefs/logindefs.erb b/templates/logindefs/logindefs.erb
new file mode 100644
index 0000000..91122f1
--- /dev/null
+++ b/templates/logindefs/logindefs.erb
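Review bot: `operatingsystem_support` now advertises SLES 11.3 and keeps Ubuntu 14.04/16.04, but in this same patch `shadow::logindefs` calls `fail('not implemented')` for both, and the SLES branch of `shadow::params` sets only `$package_name` (its `#TODO variables login.defs` leaves `$maildir_default` and the `$sys_*_default` values unassigned, which `shadow::logindefs` reads as parameter defaults). Conversely the `/^[5-6].*$/` branch in params.pp still accepts EL5 even though "5" is dropped from every release list here. Either list only the platforms the new classes actually manage, or state in README.md that on Ubuntu/SLES only `shadow::useradd` is usable until the TODOs land.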
@@ -0,0 +1,68 @@
+#
+# puppet managed file
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+
+
+MAIL_DIR <%= @maildir %>
+
+
+# Password aging controls:
+
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+PASS_MAX_DAYS <%= @pass_max_days %>
+
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+PASS_MIN_DAYS <%= @pass_min_days %>
+
+# PASS_MIN_LEN Minimum acceptable password length.
+PASS_MIN_LEN <%= @pass_min_len %>
+
+# PASS_WARN_AGE Number of days warning given before a password expires.
+PASS_WARN_AGE <%= @pass_warn_age %>
+
+#
+# Min/max values for automatic uid/gid selection in useradd
+#
+UID_MIN <%= @uid_min %>
+UID_MAX <%= @uid_max %>
+GID_MIN <%= @gid_min %>
+GID_MAX <%= @gid_max %>
+<% if defined?(@sys_uid_min) -%>
+SYS_UID_MIN <%= @sys_uid_min %>
+<% end -%>
+<% if defined?(@sys_uid_max) -%>
+SYS_UID_MAX <%= @sys_uid_max %>
+<% end -%>
+<% if defined?(@sys_gid_min) -%>
+SYS_GID_MIN <%= @sys_gid_min %>
+<% end -%>
+<% if defined?(@sys_gid_max) -%>
+SYS_GID_MAX <%= @sys_gid_max %>
+<% end -%>
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME yes
+
+# The permission mask is initialized to this value. If not specified,
+# the permission mask will be initialized to 022.
+UMASK 077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512
diff --git a/templates/useradd/useradd.erb b/templates/useradd/useradd.erb
new file mode 100644
index 0000000..a594d65
--- /dev/null
+++ b/templates/useradd/useradd.erb
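Review bot: `<% if defined?(@sys_uid_min) -%>` (and the three guards after it) tests whether the Ruby instance variable exists, not whether the parameter carries a value; Puppet populates an instance variable for every in-scope variable, so on EL6 — where `shadow::params` deliberately sets `$sys_uid_min_default = undef` — the guard is, as far as I can tell, still true on Puppet 4+ (and, depending on version, on Puppet 3) and the file gets `SYS_UID_MIN ` with an empty value or a literal `:undef`. How shadow-utils parses an empty SYS_UID_MIN should not be relied on for the UID ranges that separate system from human accounts. Test the value instead, e.g. `<% unless [nil, :undef, ''].include?(@sys_uid_min) -%>`, and apply the same to the three guards below. Note also that this template owns the whole file, so every login.defs directive it does not mention (e.g. Debian's TTYGROUP/TTYPERM or LOGIN_RETRIES) silently falls back to shadow's compiled-in defaults; a header line `# Directives not listed here use shadow-utils built-in defaults` would help whoever diffs this against the vendor file.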
@@ -0,0 +1,11 @@
+#
+# puppet managed file
+#
+# useradd defaults file
+#
+GROUP=<%= @group %>
+HOME=<%= @home %>
+INACTIVE=<%= @inactive %>
+EXPIRE=<%= @expire %>
+SHELL=<%= @shell %>
+SKEL=<%= @skel %>
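Review bot: `EXPIRE=<%= @expire %>` renders the `$expire = undef` default from manifests/useradd.pp; on Puppet 4+ undef arrives as nil and the line becomes `EXPIRE=` (the stock "no expiry" value), but on older Puppet 3 an undef parameter may reach the template as `:undef` and be written literally, which useradd would then try to parse as a date. A guarded line, `EXPIRE=<%= [nil, :undef].include?(@expire) ? '' : @expire %>`, keeps the output identical on both. A one-line comment above `GROUP=` would also help: with `USERGROUPS_ENAB yes` in the sibling login.defs template, this value is only used when useradd is run with -N, as the README entry in this patch already explains.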