2018-05-01 10:16:11 +08:00
|
|
|
---
|
|
|
|
- name: get UID_MIN from login.defs
|
|
|
|
shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs
|
|
|
|
args:
|
|
|
|
removes: /etc/login.defs
|
|
|
|
register: uid_min
|
2021-01-19 23:35:31 +08:00
|
|
|
check_mode: false
|
|
|
|
changed_when: false
|
2018-05-01 10:16:11 +08:00
|
|
|
|
|
|
|
- name: calculate UID_MAX from UID_MIN by substracting 1
|
|
|
|
set_fact:
|
|
|
|
uid_max: '{{ uid_min.stdout | int - 1 }}'
|
2021-01-19 23:35:31 +08:00
|
|
|
when: uid_min.stdout|int > 0
|
2018-05-01 10:16:11 +08:00
|
|
|
|
|
|
|
- name: set UID_MAX on Debian-systems if no login.defs exist
|
|
|
|
set_fact:
|
|
|
|
uid_max: '999'
|
2021-01-19 23:35:31 +08:00
|
|
|
when:
|
|
|
|
- ansible_facts.os_family == 'Debian'
|
|
|
|
- uid_max is not defined
|
2018-05-01 10:16:11 +08:00
|
|
|
|
|
|
|
- name: set UID_MAX on other systems if no login.defs exist
|
|
|
|
set_fact:
|
|
|
|
uid_max: '499'
|
2021-01-19 23:35:31 +08:00
|
|
|
when: uid_max is not defined
|
2018-05-01 10:16:11 +08:00
|
|
|
|
|
|
|
- name: get all system accounts
|
|
|
|
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
|
|
|
|
args:
|
|
|
|
removes: /etc/passwd
|
2021-01-19 23:35:31 +08:00
|
|
|
changed_when: false
|
|
|
|
check_mode: false
|
2018-05-01 10:16:11 +08:00
|
|
|
register: sys_accs
|
|
|
|
|
|
|
|
- name: remove always ignored system accounts from list
|
|
|
|
set_fact:
|
|
|
|
sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}'
|
2021-01-19 23:35:31 +08:00
|
|
|
check_mode: false
|
2018-05-01 10:16:11 +08:00
|
|
|
|
|
|
|
- name: change system accounts not on the user provided ignore-list
|
|
|
|
user:
|
|
|
|
name: '{{ item }}'
|
|
|
|
shell: '{{ os_nologin_shell_path }}'
|
|
|
|
password: '*'
|
2021-01-19 23:35:31 +08:00
|
|
|
createhome: false
|
2018-05-01 10:16:11 +08:00
|
|
|
with_flattened:
|
|
|
|
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
|