useradd
Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-useradd', '0.5.0'
Table of Contents
- Description
- Setup - The basics of getting started with useradd
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
useradd is a Puppet module that manages settings regarding users and user creation.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the $client_nets, $enable_* and $use_* parameters in manifests/init.pp for details.
Setup
What useradd affects
This module can configure:
/etc/default/nss
/etc/default/useradd
/etc/group
/etc/group-
/etc/gshadow
/etc/gshadow-
/etc/libuser.conf
/etc/login.defs
/etc/passwd
/etc/passwd-
/etc/profile.d/
/etc/securetty
/etc/security/opasswd
/etc/shadow
/etc/shadow-
/etc/shells
/etc/sysconfig/init
Beginning with useradd
To use this module with its default settings, just instantiate it. The following example is in Hiera:
---
classes:
- useradd
Usage
Each file can be managed or unmanaged individually, using the following variables:
- useradd::manage_etc_profile
- useradd::manage_libuser_conf
- useradd::manage_login_defs
- useradd::manage_nss
- useradd::manage_passwd_perms
- useradd::manage_sysconfig_init
- useradd::manage_useradd
Reference
Please refer to the REFERENCE.md.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json
file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide: https://simp.readthedocs.io/en/stable/contributors_guide/index.html
Reference
Table of Contents
Classes
- useradd: Manage settings regarding users and user creation
- useradd::etc_profile: Takes various SIMP security-related settings and applies them to the appropriate /etc/profile.d/simp.* files to enforce them at login for all users
- useradd::libuser_conf: Sets up /etc/libuser.conf. See libuser.conf(5) for information on the various variables
- useradd::login_defs: Set up the /etc/login.defs configuration file. All option values are taken directly from the system documentation
- useradd::nss: Install and configure the NSS configuration file. See nss(5) for more details
- useradd::passwd: Manage the permissions of shadow and passwd related files
- useradd::sysconfig_init: Allow for the configuration of /etc/sysconfig/init
- useradd::useradd: Install and configure the useradd default configuration file. See useradd(8) for more details
Data types
- Useradd::Bootup: Boot mode sysconfig option
- Useradd::CryptStyle: The algorithm to use for password encryption when creating new passwords
- Useradd::LibuserModule: Valid libuser modules
Classes
useradd
Manage settings regarding users and user creation
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd class.
manage_useradd
Data type: Boolean
If true, manage /etc/default/useradd
Default value: true
manage_login_defs
Data type: Boolean
If true, manage /etc/login.defs
Default value: true
manage_libuser_conf
Data type: Boolean
If true, manage /etc/libuser.conf
Default value: true
manage_etc_profile
Data type: Boolean
If true, manage /etc/profile.d/simp.*
Default value: true
manage_sysconfig_init
Data type: Boolean
If true, manage /etc/sysconfig/init
Default value: true
manage_nss
Data type: Boolean
If true, manage /etc/default/nss
Default value: true
manage_passwd_perms
Data type: Boolean
If true, manage the permissions of shadow and passwd related files
Default value: true
securetty
Data type: Variant[Boolean,Array[String]]
List of ttys available to log into. Defaults to ['tty0', 'tty1', 'tty2', 'tty3', 'tty4'].
- If set to false, management of /etc/securetty will be disabled
- If the Array is empty (default) or set to true, root will not be able to log into any physical console. This does not prevent root login from anywhere else.
- If the string 'ANY_SHELL' is found in the Array, then the /etc/securetty file will be removed and root will be able to log in from anywhere.
Default value: ['tty0', 'tty1', 'tty2', 'tty3', 'tty4']
shells_default
Data type: Array[Stdlib::AbsolutePath]
List of shells that will appear on the system by default
- These have been set to the usual suspects; users should use the shells parameter to add to the list
Default value: [ '/bin/sh','/bin/bash','/sbin/nologin','/usr/bin/sh','/usr/bin/bash','/usr/sbin/nologin' ]
shells
Data type: Variant[Boolean,Array[Stdlib::AbsolutePath]]
List of shells available to the user to set as default
- Set to false to disable management
- Will be combined with shells_default in /etc/shells
Default value: []
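The per-file management toggles from the Usage section and the securetty and shells parameters above, combined in one Hiera file. This is an added example and not data from the module's own documentation; the host situation it describes (login.defs and sysconfig/init owned by another tool), the tty list and /bin/zsh are assumptions.

```yaml
---
# Added example, not part of the simp-useradd docs. Assumes a host whose
# /etc/login.defs and /etc/sysconfig/init are owned by a different tool.
classes:
  - useradd

# Per-file toggles from the Usage section. Anything not listed keeps the
# module default of true, so /etc/default/useradd, /etc/libuser.conf,
# /etc/profile.d/simp.*, /etc/default/nss and the passwd/shadow
# permissions stay managed.
useradd::manage_login_defs: false
useradd::manage_sysconfig_init: false

# Root may log in only on the first two virtual consoles. An empty list
# (or true) denies root every physical console; the string 'ANY_SHELL'
# removes /etc/securetty and lets root in from anywhere, so it should not
# appear in hardened data.
useradd::securetty:
  - 'tty1'
  - 'tty2'

# Extra login shells. These are merged with useradd::shells_default when
# /etc/shells is written; /bin/zsh is an assumed addition.
useradd::shells:
  - '/bin/zsh'
```

Leaving useradd::securetty unset keeps the documented tty0-tty4 default; setting it to false stops the module from touching /etc/securetty at all, which is the right choice only when another control manages that file.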
useradd::etc_profile
This class takes various SIMP security-related settings and applies them to the appropriate /etc/profile.d/simp.* files to enforce them at login for all users.
Currently only supports csh and sh files in profile.d.
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd::etc_profile class.
session_timeout
Data type: Integer
The number of minutes that a user may be idle prior to being logged out. This is a logical extension of the SCAP Security Guide requirements for Graphical and SSH timeouts and takes the place of a terminal screen lock since we haven't found one that works in 100% of the authentication scenarios.
Default value: 15
umask
Data type: String
The umask that will be applied to the user upon login. Covers CCE-26917-5, CCE-27034-8, and CCE-26669-2
Default value: '0077'
mesg
Data type: Boolean
If true, set mesg to allow writes to user terminals using wall, etc.
Default value: false
user_whitelist
Data type: Array
A list of users that you don't want to be affected by these settings.
Default value: []
prepend
Data type: Hash
Content that you want prepended to the settings scripts. The hash takes the form 'extension' => 'content'. Content will be written exactly as provided, no custom formatting will be performed.
Example: { 'sh' => 'if [ $UID -eq 0 ]; then echo "foo"; fi ' }
Result, written to /etc/profile.d/simp.sh: if [ $UID -eq 0 ]; then echo "foo"; fi
Default value: {}
append
Data type: Hash
Content that you want appended to the settings scripts. See $prepend for usage.
Default value: {}
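The same class expressed as Hiera data, showing how the prepend and append hashes look in YAML (the page's own example above is in Puppet hash syntax). This is an added example, not from the module's documentation; the timeout value, the 'backup_svc' account and the script contents are assumptions.

```yaml
---
# Added example, not part of the simp-useradd docs.
classes:
  - useradd

useradd::etc_profile::session_timeout: 10   # idle minutes before logout (assumed value)
useradd::etc_profile::umask: '0077'
useradd::etc_profile::mesg: false

# Accounts that must not be logged out on idle or have their umask changed.
# 'backup_svc' is a constructed account name for this example.
useradd::etc_profile::user_whitelist:
  - 'backup_svc'

# Hash of 'extension' => 'content'. Only sh and csh are supported, and the
# content is written verbatim, so the block scalars keep their newlines.
useradd::etc_profile::prepend:
  sh: |
    # Constructed example: notify interactive root sessions (prepended to simp.sh)
    if [ "$UID" -eq 0 ]; then echo "root session: commands are audited"; fi
  csh: |
    if ( `id -u` == 0 ) then
      echo "root session: commands are audited"
    endif

useradd::etc_profile::append:
  sh: |
    export HISTTIMEFORMAT='%F %T '
```

Because the content is not reformatted by the module, syntax errors in a prepend or append block break login for every non-whitelisted user; test the fragment in a shell of the matching type before shipping it.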
useradd::libuser_conf
Sets up /etc/libuser.conf. See libuser.conf(5) for information on the various variables.
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd::libuser_conf class.
defaults_modules
Data type: Array[Useradd::LibuserModule]
Default value: ['files','shadow']
defaults_create_modules
Data type: Array[Useradd::LibuserModule]
Default value: ['files','shadow']
defaults_crypt_style
Data type: Useradd::CryptStyle
Default value: 'sha512'
defaults_hash_rounds_min
Data type: Optional[Integer[1000,999999999]]
Default value: undef
defaults_hash_rounds_max
Data type: Optional[Integer[1000,999999999]]
Default value: undef
defaults_mailspooldir
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
defaults_moduledir
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
defaults_skeleton
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
import_login_defs
Data type: Stdlib::AbsolutePath
Default value: '/etc/login.defs'
import_default_useradd
Data type: Stdlib::AbsolutePath
Default value: '/etc/default/useradd'
userdefaults
Data type: String
Default value: "LU_USERNAME = %n\nLU_GIDNUMBER = %u"
groupdefaults
Data type: String
Default value: 'LU_GROUPNAME = %n'
files_directory
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
files_nonroot
Data type: Optional[Boolean]
Default value: undef
shadow_directory
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
shadow_nonroot
Data type: Optional[Boolean]
Default value: undef
ldap_userbranch
Data type: Optional[String]
Default value: undef
ldap_groupbranch
Data type: Optional[String]
Default value: undef
ldap_server
Data type: Optional[String]
Default value: undef
ldap_basedn
Data type: Optional[String]
Default value: undef
ldap_binddn
Data type: Optional[String]
Default value: undef
ldap_user
Data type: Optional[String]
Default value: undef
ldap_password
Data type: Optional[String]
Default value: undef
ldap_authuser
Data type: Optional[String]
Default value: undef
ldap_bindtype
Data type: Optional[String]
Default value: undef
sasl_appname
Data type: Optional[String]
Default value: undef
sasl_domain
Data type: Optional[String]
Default value: undef
useradd::login_defs
Set up the /etc/login.defs configuration file. All option values are taken directly from the system documentation.
Any parameter that is a list will require an array to be passed.
NOTE: pass_min_len and pass_max_len will NOT have any effect on a stock RedHat machine.
* Max length will only affect 3des encryption, which is not used on modern machines.
* Min length should be configured using /etc/pam.d/ or /etc/security/pwquality.conf.
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd::login_defs class.
encrypt_method
Data type: Enum['DES','MD5','SHA256','SHA512']
Default value: 'SHA512'
chfn_auth
Data type: Boolean
Default value: false
chfn_restrict
Data type: Pattern['^[frwh]+$']
Default value: 'frwh'
chsh_auth
Data type: Boolean
Default value: false
console
Data type: Optional[Array[Stdlib::AbsolutePath,1]]
Default value: undef
console_groups
Data type: Optional[Array[String,1]]
Default value: undef
create_home
Data type: Boolean
Default value: true
default_home
Data type: Boolean
Default value: false
env_hz
Data type: Optional[String]
Default value: undef
env_path
Data type: Optional[Array[Stdlib::AbsolutePath,1]]
Default value: undef
env_supath
Data type: Optional[Array[Stdlib::AbsolutePath,1]]
Default value: undef
env_tz
Data type: Optional[String]
Default value: undef
environ_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
erasechar
Data type: Optional[Integer]
Default value: undef
fail_delay
Data type: Integer
Default value: 4
faillog_enab
Data type: Boolean
Default value: true
fake_shell
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
ftmp_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
gid_max
Data type: Integer[1]
Default value: simplib::lookup('simp_options::gid::max', { 'default_value' => pick(fact('login_defs.gid_max'), 500000 ) })
gid_min
Data type: Integer[0]
Default value: simplib::lookup('simp_options::gid::min', { 'default_value' => pick(fact('login_defs.gid_min'), 1000 ) })
hushlogin_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
issue_file
Data type: Stdlib::AbsolutePath
Default value: '/etc/issue'
killchar
Data type: Optional[Integer]
Default value: undef
lastlog_enab
Data type: Boolean
Default value: true
login_string
Data type: Optional[String]
Default value: undef
login_retries
Data type: Integer
Default value: 3
login_timeout
Data type: Integer
Default value: 60
log_ok_logins
Data type: Boolean
Default value: true
log_unkfail_enab
Data type: Boolean
Default value: true
mail_check_enab
Data type: Boolean
Default value: true
mail_dir
Data type: Stdlib::AbsolutePath
Default value: '/var/spool/mail'
mail_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
max_members_per_group
Data type: Optional[Integer]
Default value: undef
motd_file
Data type: Optional[Array[Stdlib::AbsolutePath,1]]
Default value: undef
nologins_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
obscure_checks_enab
Data type: Boolean
Default value: true
pass_always_warn
Data type: Boolean
Default value: true
pass_change_tries
Data type: Integer
Default value: 3
pass_max_days
Data type: Integer
Default value: 180
pass_min_days
Data type: Integer
Default value: 1
pass_warn_age
Data type: Integer
Default value: 14
pass_max_len
Data type: Optional[Integer]
Default value: undef
pass_min_len
Data type: Integer
Default value: 15
porttime_checks_enab
Data type: Boolean
Default value: true
quotas_enab
Data type: Boolean
Default value: true
sha_crypt_min_rounds
Data type: Integer
Default value: 5000
sha_crypt_max_rounds
Data type: Integer
Default value: 10000
sulog_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
su_name
Data type: String
Default value: 'su'
su_wheel_only
Data type: Boolean
Default value: false
sys_gid_max
Data type: Optional[Integer]
Default value: undef
sys_gid_min
Data type: Optional[Integer]
Default value: undef
sys_uid_max
Data type: Optional[Integer]
Default value: undef
sys_uid_min
Data type: Optional[Integer]
Default value: undef
syslog_sg_enab
Data type: Boolean
Default value: true
syslog_su_enab
Data type: Boolean
Default value: true
ttygroup
Data type: Optional[String]
Default value: undef
ttyperm
Data type: Optional[Simplib::Umask]
Default value: undef
ttytype_file
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
uid_max
Data type: Integer[1]
Default value: simplib::lookup('simp_options::uid::max', { 'default_value' => pick(fact('login_defs.uid_max'), 1000000 ) })
uid_min
Data type: Integer[0]
Default value: simplib::lookup('simp_options::uid::min', { 'default_value' => pick(fact('login_defs.uid_min'), 1000 ) })
umask
Data type: String
Default value: '007'
ulimit
Data type: Optional[Integer]
Default value: undef
userdel_cmd
Data type: Optional[Stdlib::AbsolutePath]
Default value: undef
usergroups_enab
Data type: Boolean
Default value: true
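A password hashing and aging policy for useradd::login_defs, with the useradd::libuser_conf hash settings (described earlier on this page) set to match so that accounts created through libuser get the same hash as those created by useradd. This is an added example, not from the module's documentation; the round counts, 90-day maximum age and su_wheel_only choice are assumptions, and the rounds are chosen with min strictly below max because the changelog records that check.

```yaml
---
# Added example, not part of the simp-useradd docs.
classes:
  - useradd

# /etc/login.defs hashing: SHA512 with a higher work factor than the
# module's 5000/10000 defaults (assumed values, min < max as required).
useradd::login_defs::encrypt_method: 'SHA512'
useradd::login_defs::sha_crypt_min_rounds: 100000
useradd::login_defs::sha_crypt_max_rounds: 200000

# Aging and login behaviour (90 days is an assumed site policy).
useradd::login_defs::pass_max_days: 90
useradd::login_defs::pass_min_days: 1
useradd::login_defs::pass_warn_age: 14
useradd::login_defs::fail_delay: 4
useradd::login_defs::login_retries: 3
useradd::login_defs::umask: '077'
useradd::login_defs::su_wheel_only: true

# pass_min_len and pass_max_len have no effect on a stock Red Hat system
# (see the class note above); leave them alone and enforce minimum length
# in /etc/security/pwquality.conf or the PAM stack instead.

# /etc/libuser.conf has its own crypt style and rounds; keep them aligned
# with login.defs so both creation paths produce equivalent hashes.
useradd::libuser_conf::defaults_crypt_style: 'sha512'
useradd::libuser_conf::defaults_hash_rounds_min: 100000
useradd::libuser_conf::defaults_hash_rounds_max: 200000
```

After a Puppet run, `grep -E '^(ENCRYPT_METHOD|SHA_CRYPT_(MIN|MAX)_ROUNDS|PASS_MAX_DAYS)' /etc/login.defs` is a quick way to confirm the values landed; note that aging values only apply to accounts created afterwards unless chage is run for existing ones.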
useradd::nss
Install and configure the NSS configuration file. See nss(5) for more details.
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd::nss class.
netid_authoritative
Data type: Boolean
Default value: false
services_authoritative
Data type: Boolean
Default value: false
setent_batch_read
Data type: Boolean
Default value: true
useradd::passwd
Manage the permissions of shadow and passwd related files
author: SIMP Team simp@simp-project.com
useradd::sysconfig_init
Allow for the configuration of /etc/sysconfig/init
See /usr/share/doc/initscripts-/sysconfig.txt for variable definitions.
For all setcolor variables, use the following color options as a string:
- default
- black
- red
- green
- yellow
- blue
- magenta
- cyan
- white
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd::sysconfig_init class.
bootup
Data type: Useradd::Bootup
Default value: 'color'
res_col
Data type: Integer
Default value: 60
move_to_col
Data type: Optional[String]
- By default (undef), the code "echo -en \\033[${RES_COL}G" is added to /etc/sysconfig/init
- An optional string of code will be substituted if included
Default value: undef
setcolor_success
Data type: String
Default value: 'green'
setcolor_failure
Data type: String
Default value: 'red'
setcolor_warning
Data type: String
Default value: 'yellow'
setcolor_normal
Data type: String
Default value: 'default'
single_user_login
Data type: Stdlib::AbsolutePath
Default value: '/sbin/sulogin'
loglvl
Data type: Integer[1,8]
Default value: 3
prompt
Data type: Boolean
Default value: false
autoswap
Data type: Boolean
AUTOSWAP option is only useful in el6. Not present in el7 or later.
Default value: false
useradd::useradd
Install and configure the useradd default configuration file. See useradd(8) for more details.
author: SIMP Team simp@simp-project.com
Parameters
The following parameters are available in the useradd::useradd class.
group
Data type: Integer
Default value: 100
home
Data type: Stdlib::AbsolutePath
Default value: '/home'
inactive
Data type: Integer
Default value: 35
expire
Data type: Optional[String]
Default value: undef
shell
Data type: Stdlib::AbsolutePath
Default value: '/bin/bash'
skel
Data type: Stdlib::AbsolutePath
Default value: '/etc/skel'
create_mail_spool
Data type: Boolean
Default value: true
Data types
Useradd::Bootup
Boot mode sysconfig option
Alias of Enum['graphical', 'color', 'verbose', 'plain']
Useradd::CryptStyle
The algorithm to use for password encryption when creating new passwords
Alias of Enum['BLOWFISH', 'DES', 'MD5', 'SHA256', 'SHA512', 'blowfish', 'des', 'md5', 'sha256', 'sha512']
Useradd::LibuserModule
Valid libuser modules
Alias of Enum['files', 'shadow', 'ldap']
Changelog
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.5.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.4.2
- Removed EL6 support
- Mon Mar 23 2020 Trevor Vaughan tvaughan@onyxpont.com - 0.4.1
- Add explicit support for setting the rescue/emergency shell on systemd systems.
- Thu Jan 09 2020 Liz Nemsick lnemsick.simp@gmail.com - 0.4.0
- Add EL8 support
- Update the upper bound of simp-simplib to < 5.0.0
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 0.4.0
- Drop Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Tue Jun 04 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 0.3.0
- Add v2 compliance_markup data
- Tue Feb 12 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.2.3
- Use Simplib::Umask data type in lieu of validate_umask(), a deprecated simplib Puppet 3 function.
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Fri Aug 24 2018 Nick Miller nick.miller@onyxpoint.com - 0.2.2
- Add support for Puppet 5 and OEL
- Update badges in README.md
- Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.1
- Set the minimum and maximum UID and GID allowed onto the system to the default defined in /etc/login.defs or a sensible default if not otherwise specified
- Wed Jun 14 2017 Brandon Riden brandon.riden@onyxpoint.com - 0.2.0
- Allow users to specify colors as strings instead of ansi codes in sysconfig/init
- Updated sysconfig_init.pp to reflect these changes as well as add notes
- Updated template to convert color strings to ansi code
- Wed Jun 14 2017 Brandon Riden brandon.riden@onyxpoint.com - 0.2.0
- Fix bug in libuser.conf where userBranch was referencing groupbranch variable
- Added/fixed author on all manifests
- Created Acceptance test
- Updated spec/spec_helper_acceptance.rb
- Added Managed by Puppet comment to all file templates
- updated default nodeset
- Added notes to login_defs.pp regarding min and max passwd length
- Cleaned up documentation and made style changes
- Mon Jun 12 2017 Liz Nemsick lnemsick.simp@gmail.com - 0.2.0
- Populate /etc/securetty with tty0-tty4, by default.
- Wed Apr 26 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.1
- Fixed useradd::libuser::defaults_crypt_style to only be a String of the allowed values
- Ensure that the 'modules' field is not printed if the passed Array is empty
- Ensure that defaults_hash_rounds_min is less than defaults_hash_rounds_max and that both are within an allowed range
- Update useradd::login_defs::pass_min_len to 15 to match the rest of the module updates
- Sat Mar 25 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.0
- Provided the ability to simply add shells to /etc/shells
- Removed all entries from /etc/securetty by default to match the latest standard best practices. This removed ZSH.
- Tue Feb 7 2017 Nick Miller nick.miller@onyxpoint.com - 0.0.1
- Add useradd::passwd to manage passwd and related files
- Manages /etc/securetty and /etc/shells
- Mon Dec 5 2016 Nick Miller nick.miller@onyxpoint.com - 0.0.1
- Initial release of module
- This module is a collection of conf files regarding users and user creation.
- Most of the content used to be in simplib
Dependencies
- simp/simplib (>= 3.9.0 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- camptocamp/systemd (>= 2.2.0 < 3.0.0)
License
useradd - A SIMP puppet module for managing settings regarding users and user creation

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.