Puppet Class: system_users::disable_system_account

Defined in:
manifests/disable_system_account.pp

Overview

System_users::Disable_system_accounts

Lock the shell of either:

  • system users (uid_range => 'system_uids': uid < 1000), or
  • low uid users (uid_range => 'low_uids': uid < 500)

for the system accounts present on this node, excluding:

  • root
  • sync
  • shutdown
  • halt

The data on users in the UID range is sourced from the user_audit fact which ships inside this module. The fact itself excludes the root user.

Parameters:

  • uid_range (Enum['low_uids', 'system_uids']) (defaults to: 'system_uids')

    Range of UIDs to lockdown (see above)



# File 'manifests/disable_system_account.pp', line 18

class system_users::disable_system_account(
    Enum['low_uids', 'system_uids'] $uid_range = 'system_uids',
) {
  # The user_audit fact provides one list of usernames per UID range; when the
  # selected key is absent (fact not present) `dig` returns undef and `.then`
  # skips the block, so nothing is managed.
  dig($facts,'user_audit', $uid_range).then |$users| {
    $users.each |$user| {
      # sync, shutdown and halt need their special shells to keep working,
      # so only their password is locked; every other account gets nologin.
      if $user in ["sync", "shutdown", "halt"] {
        $shell = undef
      } else {
        $shell = "/sbin/nologin"
      }

      # "*" is not a valid hash, so password authentication can never succeed.
      user { $user:
        password => "*",
        shell    => $shell,
      }
    }
  }
}
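The class relies on the user_audit fact to decide which accounts fall into the chosen UID range, and on the user resource to lock them. The following Ruby script is an added example, not code from the system_users module: it rebuilds the range classification from passwd content the way the page describes the fact (the exact structure of the real fact is an assumption here: a hash with 'low_uids' and 'system_uids' keys, each a list of usernames, root excluded) and then reports which accounts in that range still have a login shell or an unlocked password, which is the check a practitioner would run before or after applying the class. The passwd and shadow contents are constructed sample data; on a real node they would be read from /etc/passwd and /etc/shadow.

```ruby
# Added example (not part of the system_users module). Mirrors the page's
# description of the user_audit fact and checks which accounts in the chosen
# range are not yet locked the way system_users::disable_system_account
# would leave them.

LOCKED_SHELLS = %w[/sbin/nologin /usr/sbin/nologin /bin/false].freeze
SHELL_EXEMPT  = %w[sync shutdown halt].freeze # the class leaves their shell alone

# Constructed sample data standing in for /etc/passwd and /etc/shadow.
SAMPLE_PASSWD = <<~'PASSWD'
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  halt:x:7:0:halt:/sbin:/sbin/halt
  backup:x:34:34:backup:/var/backups:/bin/sh
  postgres:x:600:600:PostgreSQL:/var/lib/pgsql:/bin/bash
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
PASSWD

SAMPLE_SHADOW = <<~'SHADOW'
  root:$6$constructed$hash:19000:0:99999:7:::
  bin:*:19000:0:99999:7:::
  daemon:*:19000:0:99999:7:::
  sync:*:19000:0:99999:7:::
  shutdown:*:19000:0:99999:7:::
  halt:*:19000:0:99999:7:::
  backup:$6$constructed$hash:19000:0:99999:7:::
  postgres::19000:0:99999:7:::
  alice:$6$constructed$hash:19000:0:99999:7:::
SHADOW

# passwd text -> { name => { uid: Integer, shell: String } }
def parse_passwd(text)
  text.each_line.with_object({}) do |line, acc|
    name, _pw, uid, _gid, _gecos, _home, shell = line.chomp.split(':', 7)
    next if name.nil? || name.empty?
    acc[name] = { uid: uid.to_i, shell: shell }
  end
end

# shadow text -> { name => password field }
def parse_shadow(text)
  text.each_line.with_object({}) do |line, acc|
    name, pw = line.chomp.split(':', 3)
    next if name.nil? || name.empty?
    acc[name] = pw
  end
end

# Assumed shape of the user_audit fact: both ranges as username lists,
# root excluded, as the page states.
def user_audit(passwd)
  users = passwd.reject { |name, _| name == 'root' }
  {
    'low_uids'    => users.select { |_, u| u[:uid] < 500 }.keys,
    'system_uids' => users.select { |_, u| u[:uid] < 1000 }.keys,
  }
end

# A password field is locked when it cannot match any hash: "*" or a "!"
# prefix. An empty field is NOT locked (no password required at all).
def password_locked?(pw)
  !pw.nil? && !pw.empty? && (pw.start_with?('*') || pw.start_with?('!'))
end

# Accounts in the chosen range that the class would still have to change,
# with the attributes (:password, :shell) that are not yet locked.
def unlocked_accounts(passwd_text, shadow_text, uid_range = 'system_uids')
  passwd = parse_passwd(passwd_text)
  shadow = parse_shadow(shadow_text)
  user_audit(passwd).fetch(uid_range).each_with_object({}) do |name, findings|
    problems = []
    problems << :password unless password_locked?(shadow[name])
    unless SHELL_EXEMPT.include?(name) || LOCKED_SHELLS.include?(passwd[name][:shell])
      problems << :shell
    end
    findings[name] = problems unless problems.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  unlocked_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).each do |name, problems|
    puts "#{name}: needs #{problems.join(', ')} locked"
  end
end
```

With the sample data, `system_uids` flags backup (uid 34, /bin/sh, real hash) and postgres (uid 600, bash, empty password field), while `low_uids` flags only backup, since postgres sits above 500. Note that the empty shadow field on postgres is treated as unlocked on purpose: it is the opposite of locked, and exactly the case `password => "*"` fixes.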