Forge Home


Audit and manage system users with puppet


6,363 latest version

2.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.5.5 (latest)
  • 0.5.4
  • 0.5.3
  • 0.5.2
  • 0.5.1
  • 0.5.0
  • 0.4.0
  • 0.3.1
  • 0.1.4
released Aug 28th 2018

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'geoffwilliams-system_users', '0.5.5'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add geoffwilliams-system_users
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install geoffwilliams-system_users --version 0.5.5

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



geoffwilliams/system_users — version 0.5.5 Aug 28th 2018

Build Status


Table of Contents

  1. Description
  2. Usage - Configuration options and additional functionality
  3. Limitations - OS compatibility, etc.
  4. Development - Guide for contributing to the module


This module provides various classes for locking down local users on a system in order to set password policies, remove invalid users, etc. The other main feature of the module is to provide a fact called user_audit that includes information about all local users, any suspicious files they possess and details of users breaking various aspects of the login system integrity such as duplicated or mismatched UIDs or GIDs.

The user_audit fact is structured as follows:

"user_audit": {
  "empty_password": [],         // array of users who have empty passwords
  "low_uids": [],               // array of 'low uid' users (UID < 500)
  "system_uids": [],            // array of 'system' users (UID < 1000) 
  "homedirs": {                 // home directory information for each user (only one shown for clarity)
    "root": {
      "path": "/root",
      "ensure": "directory",
      "owner": "root",
      "group": "root",
      "mode": "0550",
      "og_write": []            // array of other/group writable dotfiles in the top level directory
  "local_users": {              // user ID information for all local users (only one shown for clarity, password info on RHEL/Solaris only)
    "root": {
      "uid": "0",
      "gid": "0",
      "comment": "root",
      "home": "/root",
      "shell": "/bin/bash",
      "last_change_days": "17207",
      "change_allowed_days": "0",
      "must_change_days": "99999",
      "warning_days": "7",
      "expires_days": "",
      "disabled_days": ""
  "duplicate": {
    "uid": [],                // array of duplicated UIDs
    "username": [],           // array of duplicated usernames
    "gid": [],                // array of duplicated GIDs
    "groupname": [],          // array of duplicated groupnames
    "root_alias": []          // array of duplicated root users (UID==0)


Most classes will need to be loaded using the class resource syntax in order to pass the appropriate class defaults, eg:

class { "foo:bar":
  param1 => "value1",
  param2 => "value2",

Parameters, where available, are documented inside the individual classes. See Reference section.


  • AIX 6.1/7.1, RHEL 6/7, Solaris 10 only
  • Not supported by Puppet, Inc.


PRs accepted :)


This module supports testing using PDQTest.

Test can be executed with:

bundle install
bundle exec pdqtest all

See .travis.yml for a working CI example