Next fun topic for today: our security folks want to change all the /sbin/nologin and related shells to /dev/null. Augeas seems the perfect tool for this, but I'm having a devil of a time getting close to something that'll work:
augeas { 'fix-bad-passwd-shells':
  context => "/files/etc/passwd",
  changes => "set */shell[.='/sbin/nologin'] /dev/null",
  onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
}
I really wanted my onlyif to look more like:
  onlyif => "match */shell includes nologin"
to catch other variations (like /usr/sbin/nologin), but that didn't work at all. Is there a way to make that work?
And this match works in augtool and when I run Puppet, but the "set" doesn't. It just doesn't do anything. I think I'm close -- any Augeas experts care to show me the error of my ways? This really feels like black magic.
Bret
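An added example (not Bret's resource, and not from the Augeas or Puppet projects) showing a version of the resource that does what the post asks for. Two things in the original explain the behaviour Bret sees. First, Augeas `set` only accepts a path that resolves to exactly one node; when several accounts use /sbin/nologin the path matches several nodes, `set` fails with "Too many matches", and nothing is written. `setm BASE SUB VALUE` is the multi-node form: it sets SUB under every node matching BASE. Second, the `onlyif` operator is spelled `include`, not `includes`, and it tests whether the exact value is present in the list of matched values; it does not do substring matching. Pattern matching belongs in the Augeas path predicate instead, via `=~ regexp('...')`, which can be used in both `changes` and `onlyif`. The pattern `.*/nologin` is an assumption about which shells this site wants rewritten; Augeas matches the regexp against the whole node value, so the leading `.*` is what lets it cover /usr/sbin/nologin, /bin/nologin and so on.

```puppet
# Added example, not code from the original post.
# Rewrite every nologin-style login shell in /etc/passwd to /dev/null.
#
# Assumption: any shell whose path ends in "/nologin" should be replaced.
# Augeas compares the regexp against the whole value, hence the leading ".*".
# Widen the pattern (e.g. to '.*/(nologin|false)') if /bin/false must go too.
$nologin_re = '.*/nologin'

augeas { 'fix-bad-passwd-shells':
  context => '/files/etc/passwd',
  # `set` refuses a path matching more than one node ("Too many matches"),
  # which is why the original change never wrote anything. `setm` sets the
  # `shell` child under every passwd entry selected by the predicate.
  changes => [
    "setm *[shell=~regexp('${nologin_re}')] shell /dev/null",
  ],
  # Run only while at least one matching account remains, so the resource is
  # idempotent and reports a change only when it actually rewrote a shell.
  onlyif  => "match *[shell=~regexp('${nologin_re}')] size > 0",
}
```

The same change can be tried interactively before putting it in a manifest: in augtool, `setm /files/etc/passwd/*[shell=~regexp('.*/nologin')] shell /dev/null` followed by `save`, and `match /files/etc/passwd/*[shell=~regexp('.*/nologin')]` beforehand shows exactly which entries the predicate selects. Checking the match list first is worth the few seconds, since a too-broad regexp here would change the shell of every matching account on the host.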