lock *nix user accounts with no password

34 views
Skip to first unread message

Brian Keating

unread,
Dec 16, 2014, 5:54:19 AM12/16/14
to puppet...@googlegroups.com
Hi,
Our security policy states we lock *nix accounts that have no passwords.  I wrote a bash script that does the job but my onlyif statement isn't working.  I want it to check and only trigger when true - not every time.  I'm new to puppet trying to learn how to write 'onlyif' statements - can someone point me in the right direction?  

Here is manifest - the onlyif statement and the bash lock-out-no-password-account.sh script are working in isolation.  Augeas would be ideal to handle this kind of task but I have yet to find one to suit.  Help & guidance is appreciated.

exec { 'lock-accout-no-pass' :
                command => "/admin/scripts/lock-out-no-password-account.sh",
                onlyif => "/bin/cat /etc/shadow | /bin/awk -F : '{ print $2 }' | /bin/grep ^$ | tail -1 | /bin/grep -c ^$"
        }

#!/bin/bash
#
# Lock out active accounts with no password

for NAME in `awk -F: '( $2 == "" ) { print $1 }' /etc/shadow`; do
MyUID=`id -u $NAME`
        if [ $MyUID -gt 500 -a $NAME != 'root' ]; then
        usermod -L -s /dev/null $NAME
        fi
done

Thanks,
Brian.

jcbollinger

unread,
Dec 19, 2014, 10:08:39 AM12/19/14
to puppet...@googlegroups.com


On Tuesday, December 16, 2014 4:54:19 AM UTC-6, Brian Keating wrote:
Hi,
Our security policy states we lock *nix accounts that have no passwords.  I wrote a bash script that does the job but my onlyif statement isn't working.  I want it to check and only trigger when true - not every time.  I'm new to puppet trying to learn how to write 'onlyif' statements - can someone point me in the right direction?  

Here is manifest - the onlyif statement and the bash lock-out-no-password-account.sh script are working in isolation.  Augeas would be ideal to handle this kind of task but I have yet to find one to suit.  Help & guidance is appreciated.

exec { 'lock-accout-no-pass' :
                command => "/admin/scripts/lock-out-no-password-account.sh",
                onlyif => "/bin/cat /etc/shadow | /bin/awk -F : '{ print $2 }' | /bin/grep ^$ | tail -1 | /bin/grep -c ^$"
        }



Probably the $2 is being interpolated as an (undefined) Puppet variable, so that you are running a different command than you suppose.  I would in any case suggest reducing the number of moving parts with a command more like this:

/bin/grep -q '^[^:]\+::' /etc/shadow

That has the additional advantage of sidestepping the interpolation issue altogether.

John


Lowe Schmidt

unread,
Dec 19, 2014, 10:52:05 AM12/19/14
to puppet...@googlegroups.com
You should probably use PAM to enforce password complexity instead of using a homegrown bash script. 

--
Lowe Schmidt | +46 723 867 157

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3dbb467c-6f00-4389-b627-46133fdafb34%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages