

---
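# UID_MIN in login.defs is where regular-user UIDs start; everything below
# it is treated as a system account by the tasks that follow.
- name: get UID_MIN from login.defs
  # command rather than shell: the awk program needs no pipes, globs or
  # redirections, so there is no reason to route it through a shell.
  command: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs
  args:
    # 'removes' turns the task into a no-op when login.defs is absent; the
    # distribution-default fallbacks later in this file then set uid_max.
    removes: /etc/login.defs
  register: uid_min
  # read-only lookup: run it in --check as well so later tasks have the
  # value, and never report it as a change
  check_mode: false
  changed_when: false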
# Derive UID_MAX (largest system UID) as UID_MIN - 1, but only when a
# positive number was read; an empty stdout filters to 0 and skips this.
- name: calculate UID_MAX from UID_MIN by substracting 1
  set_fact:
    uid_max: "{{ (uid_min.stdout | int) - 1 }}"
  when: (uid_min.stdout | int) > 0
# Fallback when login.defs did not yield UID_MIN: on the Debian family the
# role treats UIDs up to 999 as system accounts.
- name: set UID_MAX on Debian-systems if no login.defs exist
  set_fact:
    uid_max: "999"
  when: ansible_facts.os_family == 'Debian' and uid_max is not defined
# Last-resort fallback for every other OS family: UIDs up to 499 count as
# system accounts. Runs only if neither previous task set uid_max.
- name: set UID_MAX on other systems if no login.defs exist
  set_fact:
    uid_max: "499"
  when: uid_max is not defined
# Collect the login names whose UID is at or below uid_max. The value is
# inserted through the quote filter so it cannot break out of the awk
# program text.
- name: get all system accounts
  command: awk -F: '{ if ( $3 <= {{ uid_max | quote }} ) print $1 }' /etc/passwd
  args:
    # nothing to do on a host without /etc/passwd
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: sys_accs
# Drop the accounts the role never touches (os_always_ignore_users) before
# the user-supplied ignore list (os_ignore_users) is applied in the next task.
- name: remove always ignored system accounts from list
  set_fact:
    sys_accs_cond: "{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}"
  check_mode: false
- name: change system accounts not on the user provided ignore-list
user:
name: '{{ item }}'
shell: '{{ os_nologin_shell_path }}'
password: '*'
createhome: false
with_flattened:
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'