Account module¶
Description¶
This example objects combination
Checks and create users and groups exists and have theirs properties correctly set
Checks and setup users’ group membership
Checks and install sudo privileges for the users
Checks and install ssh key trusts for the users
Supported operating systems¶
Unix
Ouputs¶
Valid check:
group testgrp2 gid: 1008
group testgrp gid: 1007
user testusr2 shell: /bin/bash
user testusr2 uid: 1008
user testusr2 gid: 1008
user testusr2 gecos: compliance test
user testusr2 home: /home/testusr2
/home/testusr2 owner is testusr2
user testusr shell: /bin/bash
user testusr uid: 1007
user testusr gid: 1007
user testusr gecos: compliance test
user testusr home: /home/testusr
/home/testusr owner is testusr
group testgrp members: testusr2
/home/testusr/.ssh/authorized_keys2
key 'ssh-dss AAAAB3Nza...+6fepcAltTSAeAt4Vrpw== testusr' is correctly installed for user testusr
/etc/sudoers.d/testusr is ok
Invalid check:
group testgrp2 gid: 1008
ERR: group testgrp members: | target: testusr2
group testgrp gid: 1007
user testusr2 shell: /bin/bash
user testusr2 uid: 1008
user testusr2 gid: 1008
user testusr2 gecos: compliance test
user testusr2 home: /home/testusr2
/home/testusr2 owner is testusr2
user testusr shell: /bin/bash
user testusr uid: 1007
user testusr gid: 1007
user testusr gecos: compliance test
user testusr home: /home/testusr
/home/testusr owner is testusr
/home/testusr/.ssh/authorized_keys2
key 'ssh-dss AAAAB3Nza...+6fepcAltTSAeAt4Vrpw== testusr' is correctly installed for user testusr
/etc/sudoers.d/testusr is ok
Fix:
usermod -G testgrp testusr2
Ruleset¶
As designed¶
As used by the module¶
# om node compliance show ruleset | grep _TEST_
OSVC_COMP_TEST_AUTHKEY_1='{"action": "add", "authfile": "authorized_keys2", "user": "testusr", "key": "ssh-dss AAAAB3NzaC1kc3MAAACBAOFv1n8yT033rRh6VhRrgIfxFTcGMsFxiCsCzcZyq2d7/OIUFq49jZp84B8rBIuK4vSggYPahZ2e/UbMcdveNUQXNdwAmnb/OKYzPGKagTyTT1q/HOdcGvjqwAodrtFi77uuG5tTiRS65EKnd70Fc3wGBuFGWeb6o4Nj/xN1TGRBAAAAFQDiC+sDhZEWM2Zw+dLRX2VFa8UxVwAAAIBoF+zJ7DRL8Yt0E+EPYhMzkJPjoAz+Ce1C08jAxWIL+JZMMgMKNlrW+QzazHN7Xh3xNGu7R/ueTeVmtAaPRD5x9VVHqtA9I1YGk7mC3RJFQktB8DN+/PyaK7230dVWxqHklrTS9HhKrNcmp1fmVKT64lMO56O1gb+Kc6t2fypaSQAAAIAtyg+TyvaKc1zNUNZLPOSQd32EiDYBIjDFMGTcBDJf52fXcLLJV9Az0rZcw+yAjnGtyYuYN8A/NZQklVCs/twhLmtARc9NS2y3ukGw0PGyk1kz6Y3THPbyV0bn+L6As/pwtBwD/q6V1FRffdkRzinlh8+6fepcAltTSAeAt4Vrpw== testusr"}'
OSVC_COMP_TEST_FILE_1='{"path": "/etc/sudoers.d/testusr", "fmt": "testusr\\tALL=(ALL:ALL) /bin/su - testusr2", "gid": "root", "mode": 600, "uid": "root"}'
OSVC_COMP_TEST_GROUP_1='{"testgrp2": {"gid": 1008}, "testgrp": {"gid": 1007, "members": ["testusr2"]}}'
OSVC_COMP_TEST_USER_1='{"testusr2": {"shell": "/bin/bash", "uid": 1008, "gid": 1008, "gecos": "compliance test", "home": "/home/testusr2"}, "testusr": {"shell": "/bin/bash", "uid": 1007, "gid": 1007, "gecos": "compliance test", "home": "/home/testusr"}}'
Module code¶
#!/bin/bash
PATH_SCRIPT="$(cd $(/usr/bin/dirname $(type -p -- $0 || echo $0));pwd)"
PATH_LIB=$PATH_SCRIPT/com.opensvc
PREFIX=OSVC_COMP_TEST
typeset -i r=0
case $1 in
check)
$PATH_LIB/groups.py ${PREFIX}_GROUP check
[ $? -eq 1 ] && r=1
$PATH_LIB/users.py ${PREFIX}_USER check
[ $? -eq 1 ] && r=1
$PATH_LIB/groups_membership.py ${PREFIX}_GROUP check
[ $? -eq 1 ] && r=1
$PATH_LIB/authkeys.py ${PREFIX}_AUTHKEY check
[ $? -eq 1 ] && r=1
$PATH_LIB/files.py ${PREFIX}_FILE check
[ $? -eq 1 ] && r=1
;;
fix)
$PATH_LIB/groups.py ${PREFIX}_GROUP fix
[ $? -eq 1 ] && exit 1
$PATH_LIB/users.py ${PREFIX}_USER fix
[ $? -eq 1 ] && exit 1
$PATH_LIB/groups_membership.py ${PREFIX}_GROUP fix
[ $? -eq 1 ] && exit 1
$PATH_LIB/authkeys.py ${PREFIX}_AUTHKEY fix
[ $? -eq 1 ] && exit 1
$PATH_LIB/files.py ${PREFIX}_FILE fix
[ $? -eq 1 ] && exit 1
;;
fixable)
exit 2
;;
esac
exit $r