diff --git a/techniques/systemSettings/userManagement/userManagement/3.0/metadata.xml b/techniques/systemSettings/userManagement/userManagement/3.0/metadata.xml new file mode 100644 index 000000000..9d3bcc7e7 --- /dev/null +++ b/techniques/systemSettings/userManagement/userManagement/3.0/metadata.xml @@ -0,0 +1,180 @@ + + + + + This technique manages the target host(s) users. + + It will ensure that the defined users are present on the system. + true + + Debian + RHEL / CentOS + SuSE LES / DES / OpenSuSE + cfengine-community + + + + check_usergroup_user_parameters + + + + + + + + USERGROUP_USER_LOGIN + + + + +
+ + USERGROUP_USER_LOGIN + Login name for this account + + + USERGROUP_USER_NAME + Full name for this account + + true + + + + USERGROUP_USER_ACTION + Policy to apply on this account + + + add + + + + remove + + + + checkhere + + + + checknothere + + + add + + + + USERGROUP_USER_PASSWORD_POLICY + How often do you want to want to check the password + + + oneshot + + + + everytime + + + everytime + + + + USERGROUP_USER_FORCE_LOCAL + Force local user creation + Force user local creation, helps when useradd cannot be used (Duplicate network user etc...) /!\ You must provide UID and GID to use this option + + boolean + false + + + + USERGROUP_USER_HOME_PERSONNALIZE + Use the default home directory + + boolean + true + + + + USERGROUP_USER_HOME + Home directory, if not default + + true + + + + USERGROUP_USER_SHELL + Shell for this account + Will be used only on UNIX systems + + /bin/bash + + +
+ + USERGROUP_USER_SET_UID + Set user ID ? + + boolean + false + + + + USERGROUP_USER_UID + User ID + + true + + +
+
+ + USERGROUP_USER_SET_GID + Set user default group ID ? + + boolean + false + + + + USERGROUP_USER_GID + Default group ID + Must exists if you don't force user creation locally + + true + + +
+
+ + USERGROUP_USER_PASSWORD + Password for this account + + true + password + linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512 + + +
+
+
+ +
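Review bot: The USERGROUP_USER_PASSWORD field declares its accepted hash formats as `linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512`; accepting MD5-crypt for newly written shadow entries is weaker than the SHA variants already in the same list, so either drop it, `linux-shadow-sha256,linux-shadow-sha512`, or document in the field description why MD5 must remain (presumably for legacy hosts). Two description strings also need a wording fix: `How often do you want to want to check the password` repeats "want to", and `Must exists if you don't force user creation locally` should read `Must exist …`. USERGROUP_USER_HOME_PERSONNALIZE is described as "Use the default home directory" although its name suggests a personalised home, and the template side inverts it (`not => strcmp(..., "true")`), so a one-sentence description stating that `true` means the default home is used would prevent misreads.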
diff --git a/techniques/systemSettings/userManagement/userManagement/3.0/userManagement.st b/techniques/systemSettings/userManagement/userManagement/3.0/userManagement.st new file mode 100644 index 000000000..c600d6f7f --- /dev/null +++ b/techniques/systemSettings/userManagement/userManagement/3.0/userManagement.st 
@@ -0,0 +1,431 @@ +##################################################################################### +# Copyright 2011 Normation SAS +##################################################################################### +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, Version 3. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +##################################################################################### + +########################################################################## +# User/Group management PT # +# # +# Objective : Apply user/group policies on the target host # +########################################################################## + +bundle agent check_usergroup_user_parameters +{ + + vars: + + &USERGROUP_USER_LOGIN:{login |"usergroup_user_login[&i&]" string => "&login&"; +}& + + &USERGROUP_USER_NAME:{name |"usergroup_user_fullname[&i&]" string => "&name&"; +}& + + &USERGROUP_USER_PASSWORD:{password |"usergroup_user_password[&i&]" string => "&password&"; +}& + + &USERGROUP_USER_PASSWORD_POLICY:{passwordpol |"usergroup_user_password_policy[&i&]" string => "&passwordpol&"; +}& + + &USERGROUP_USER_ACTION:{action |"usergroup_user_action[&i&]" string => "&action&"; +}& + + &USERGROUP_USER_SET_UID:{setuid |"usergroup_user_setuid[&i&]" string => "&setuid&"; +}& + + &USERGROUP_USER_UID:{uid |"usergroup_user_uid[&i&]" string => "&uid&"; +}& + + &USERGROUP_USER_SET_GID:{setgid |"usergroup_user_setgid[&i&]" string => "&setgid&"; +}& + + &USERGROUP_USER_GID:{gid |"usergroup_user_gid[&i&]" string => "&gid&"; 
+}& + + &USERGROUP_USER_FORCE_LOCAL:{forcelocal |"usergroup_user_forcelocal[&i&]" string => "&forcelocal&"; +}& + + &USERGROUP_USER_HOME_PERSONNALIZE:{homeperso |"usergroup_user_home_perso[&i&]" string => "&homeperso&"; +}& + + &USERGROUP_USER_HOME:{home |"usergroup_user_home[&i&]" string => "&home&"; +}& + + &USERGROUP_USER_SHELL:{shell |"usergroup_user_shell[&i&]" string => "&shell&"; +}& + + &TRACKINGKEY:{directiveId |"usergroup_directive_id[&i&]" string => "&directiveId&"; +}& + + "usergroup_user_index" slist => getindices("usergroup_user_login"); + + + any_2nd_pass:: + + # Options to use whether Fullname is defined or not + "nameopt[${usergroup_user_index}]" + string => "", + ifvarclass => "usermanagement_user_nameempty_${usergroup_user_index}"; + + ## On UNIX + "nameopt[${usergroup_user_index}]" + string => "-c \"${usergroup_user_fullname[${usergroup_user_index}]}\"", + ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}.!windows"; + + ## On Windows + "nameopt[${usergroup_user_index}]" + string => "/FULLNAME:\"${usergroup_user_fullname[${usergroup_user_index}]}\"", + ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}.windows"; + + ## Part of reports to return whether Fullname is defined or not + "repname[${usergroup_user_index}]" + string => "Without any defined full name", + ifvarclass => "usermanagement_user_nameempty_${usergroup_user_index}"; + + "repname[${usergroup_user_index}]" + string => "${usergroup_user_fullname[${usergroup_user_index}]}", + ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}"; + + classes: + + # Actions + + "usermanagement_user_update_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","add"); + + "usermanagement_user_remove_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove"); + + "usermanagement_user_checkpres_${usergroup_user_index}" expression => 
strcmp("${usergroup_user_action[${usergroup_user_index}]}","checkhere"); + + "usermanagement_user_checkabs_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checknothere"); + + "usermanagement_user_setuid_${usergroup_user_index}" expression => strcmp("${usergroup_user_setuid[${usergroup_user_index}]}","true"); + + "usermanagement_user_setgid_${usergroup_user_index}" expression => strcmp("${usergroup_user_setgid[${usergroup_user_index}]}","true"); + + "usermanagement_user_group_exists_${usergroup_user_index}" expression => groupexists("${usergroup_user_gid[${usergroup_user_index}]}"); + + "usermanagement_user_forcelocal_${usergroup_user_index}" expression => strcmp("${usergroup_user_forcelocal[${usergroup_user_index}]}","true"); + + "usermanagement_user_pershome_${usergroup_user_index}" not => strcmp("${usergroup_user_home_perso[${usergroup_user_index}]}","true"); + + "usermanagement_user_custom_home_defined_${usergroup_user_index}" expression => isvariable("usergroup_user_home[${usergroup_user_index}]"); + + "usermanagement_user_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_login[${usergroup_user_index}]}"); + + "usermanagement_user_pwoneshot_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","oneshot"); + + "usermanagement_user_pweverytime_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","everytime"); + + "usermanagement_user_pwempty_${usergroup_user_index}" not => isvariable("usergroup_user_password[${usergroup_user_index}]"); + + "usermanagement_user_nameempty_${usergroup_user_index}" not => isvariable("usergroup_user_fullname[${usergroup_user_index}]"); + + # Class 'any' is executed before others classes defined. 
+ # Same as 'any' but execution will be after all classes defined + "any_2nd_pass" expression => "any"; + + "showtime" expression => isvariable("nameopt[1]"); + + commands: + +&if(NOVA)& + windows.showtime:: + + "\"${sys.winsysdir}\net.exe\"" + args => "USER ${usergroup_user_login[${usergroup_user_index}]} ${usergroup_user_password[${usergroup_user_index}]} /ADD ${nameopt[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user ${usergroup_user_login[${usergroup_user_index}]}", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}"; + + "\"${sys.winsysdir}\net.exe\"" + args => "USER ${usergroup_user_login[${usergroup_user_index}]} /DELETE", + classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_repaired", "usermanagement_login_remove_${usergroup_user_index}_error"), + comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}", + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}"; + + "\"${sys.winsysdir}\net.exe\"" + args => "USER ${usergroup_user_login[${usergroup_user_index}]} ${usergroup_user_password[${usergroup_user_index}]}", + ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})"; +&endif& + + linux.showtime:: + + # Default + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => 
cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_setuid_${usergroup_user_index}.!usermanagement_user_setgid_${usergroup_user_index}"; + + # Default + homedir + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}.!usermanagement_user_setuid_${usergroup_user_index}.!usermanagement_user_setgid_${usergroup_user_index}"; + + # Default + homedir + GID + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -g ${usergroup_user_gid[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => 
"!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}.!usermanagement_user_setuid_${usergroup_user_index}.usermanagement_user_setgid_${usergroup_user_index}.usermanagement_user_group_exists_${usergroup_user_index}"; + + # Default + UID + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -u ${usergroup_user_uid[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_setuid_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_setgid_${usergroup_user_index}"; + + # Default + UID + GID + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -u ${usergroup_user_uid[${usergroup_user_index}]} -g ${usergroup_user_gid[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_setuid_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_setgid_${usergroup_user_index}.usermanagement_user_group_exists_${usergroup_user_index}"; + + # Default + UID + homedir + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} 
-s ${usergroup_user_shell[${usergroup_user_index}]} -u ${usergroup_user_uid[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_setuid_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}.!usermanagement_user_setgid_${usergroup_user_index}"; + + # Default + UID + homedir + GID + "/usr/sbin/useradd" + args => "-m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -u ${usergroup_user_uid[${usergroup_user_index}]} -g ${usergroup_user_gid[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"), + comment => "Create the user", + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_setuid_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}.usermanagement_user_setgid_${usergroup_user_index}.usermanagement_user_group_exists_${usergroup_user_index}"; + + "/usr/sbin/userdel" + args => "${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_repaired", "usermanagement_login_remove_${usergroup_user_index}_error"), + comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}", + ifvarclass => 
"usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}"; + + files: + + "/etc/passwd" + create => "false", + edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"), + ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}"; + + "/etc/passwd" + create => "false", + edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"), + action => warn_only, + ifvarclass => "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}"; + + # Set default GID if account exists + "/etc/passwd" + create => "false", + edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 4, "${usergroup_user_gid[${usergroup_user_index}]}"), + classes => kept_if_else("usermanagement_user_gid_ok_${usergroup_user_index}", "usermanagement_user_gid_repaired_${usergroup_user_index}", "usermanagement_user_gid_failed_${usergroup_user_index}"), + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_setgid_${usergroup_user_index}"; + + # Enforce UID if user exists and setuid is checked + "/etc/passwd" + create => "false", + edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 3, "${usergroup_user_uid[${usergroup_user_index}]}"), + classes => rudder_common_classes("usermanagement_user_uid_${usergroup_user_index}"), + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_setuid_${usergroup_user_index}"; + + # Define password when user has already been created + "/etc/shadow" + create => "false", + edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, 
"${usergroup_user_password[${usergroup_user_index}]}"), + classes => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"), + ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})"; + + # Force user creation by modifying files directly + "/etc/passwd" + create => "false", + edit_line => append_or_change_user("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_login[${usergroup_user_index}]}:x:${usergroup_user_uid[${usergroup_user_index}]}:${usergroup_user_gid[${usergroup_user_index}]}:${usergroup_user_fullname[${usergroup_user_index}]}:${usergroup_user_home[${usergroup_user_index}]}:${usergroup_user_shell[${usergroup_user_index}]}"), + ifvarclass => "usermanagement_user_forcelocal_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}"; + + "/etc/passwd" + create => "false", + edit_line => append_or_change_user("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_login[${usergroup_user_index}]}:x:${usergroup_user_uid[${usergroup_user_index}]}:${usergroup_user_gid[${usergroup_user_index}]}:${usergroup_user_fullname[${usergroup_user_index}]}:/home/${usergroup_user_login[${usergroup_user_index}]}:${usergroup_user_shell[${usergroup_user_index}]}"), + ifvarclass => "usermanagement_user_forcelocal_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}"; + + "/etc/shadow" + create => "false", + edit_line => append_or_change_passwd("${usergroup_user_login[${usergroup_user_index}]}", 
"${usergroup_user_login[${usergroup_user_index}]}:${usergroup_user_password[${usergroup_user_index}]}:::99999:7:::"), + ifvarclass => "usermanagement_user_forcelocal_${usergroup_user_index}"; + + + # Call user homedir creation for locally forced accounts + methods: + + "any" usebundle => force_create_user_homedir("${usergroup_user_home[${usergroup_user_index}]}", "${usergroup_user_uid[${usergroup_user_index}]}", "${usergroup_user_gid[${usergroup_user_index}]}"), + ifvarclass => "usermanagement_user_forcelocal_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}"; + + "any" usebundle => force_create_user_homedir("/home/${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_uid[${usergroup_user_index}]}", "${usergroup_user_gid[${usergroup_user_index}]}"), + ifvarclass => "usermanagement_user_forcelocal_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}"; + + + reports: + + (linux|windows).showtime:: + + # Add user + ## Does exist (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system" + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_login_add_${usergroup_user_index}_repaired.(usermanagement_user_nameempty_${usergroup_user_index}|usermanagement_fullname_edit_${usergroup_user_index}_kept)"; + + ## Seems to exist with a wrong Full Name (Repaired) + "@@userGroupManagement@@result_repaired@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname" + ifvarclass => 
"usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}.(usermanagement_fullname_edit_${usergroup_user_index}_repaired|usermanagement_fullname_edit_${usergroup_user_index}_error)"; + + ## Added (Repaired) + "@@userGroupManagement@@result_repaired@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been added to the system" + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_login_add_${usergroup_user_index}_repaired"; + + ## Error + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system" + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_login_add_${usergroup_user_index}_error"; + + ## Could not be added, for the default path was not selected, but the custom one was not defined + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the default home directory was not selected, but the custom path was not specified" + ifvarclass => 
"!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_custom_home_defined_${usergroup_user_index}"; + + # Remove user + ## Does not exist (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) does not exist, as required" + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}"; + + ## Removed (Repaired) + "@@userGroupManagement@@result_repaired@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been removed from the system" + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}.usermanagement_login_remove_${usergroup_user_index}_repaired"; + + ## Error + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be removed from the system" + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}.usermanagement_login_remove_${usergroup_user_index}_error"; + + # Check user not exists + ## Does not exist (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user 
${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which is in accordance with the non presence policy" + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkabs_${usergroup_user_index}"; + + ## Does exist (Error) + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which violates the non presence policy" + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkabs_${usergroup_user_index}"; + + # Check user exists + ## Does exist (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which is in conformance with the presence policy" + ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}.(usermanagement_user_nameempty_${usergroup_user_index}|usermanagement_fullname_edit_${usergroup_user_index}_kept)"; + + ## Seems to exist with a wrong Full Name (Error) + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname" + ifvarclass => 
"usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}.(usermanagement_fullname_edit_${usergroup_user_index}_repaired|usermanagement_fullname_edit_${usergroup_user_index}_error)"; + + ## Does not exist (Error) + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Users@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which violates the presence policy" + ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}"; + + # Password handling + ## Is OK (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Password@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password is OK" + ifvarclass => "usermanagement_user_password_ok_${usergroup_user_index}"; + + ## Has been changed (Repaired) + "@@userGroupManagement@@result_repaired@@${usergroup_directive_id[${usergroup_user_index}]}@@Password@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password has been changed" + ifvarclass => "usermanagement_user_password_repaired_${usergroup_user_index}"; + + ## Could not be changed (Error) + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Password@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password could NOT be changed !" 
+ ifvarclass => "usermanagement_user_password_failed_${usergroup_user_index}"; + + ## Change not needed (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Password@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required" + ifvarclass => "(!usermanagement_user_password_ok_${usergroup_user_index}.!usermanagement_user_password_repaired_${usergroup_user_index}.!usermanagement_user_password_failed_${usergroup_user_index}).usermanagement_user_pwoneshot_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}"; + + # GID handling + ## Is OK (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Group ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) Group ID is OK" + ifvarclass => "usermanagement_user_gid_ok_${usergroup_user_index}"; + + ## Has been changed (Repaired) + "@@userGroupManagement@@result_repaired@@${usergroup_directive_id[${usergroup_user_index}]}@@Group ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) Group ID has been changed" + ifvarclass => "usermanagement_user_gid_repaired_${usergroup_user_index}"; + + ## Could not be changed (Error) + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@Group ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) Group ID could NOT be changed !" 
+ ifvarclass => "usermanagement_user_gid_failed_${usergroup_user_index}"; + + ## Change not needed (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@Group ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) Group ID change is not required" + ifvarclass => "!usermanagement_user_gid_ok_${usergroup_user_index}.!usermanagement_user_gid_repaired_${usergroup_user_index}.!usermanagement_user_gid_failed_${usergroup_user_index}"; + + # UID handling + ## Is OK (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@User ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) UID is OK" + ifvarclass => "usermanagement_user_uid_${usergroup_user_index}_kept"; + + ## Has been changed (Repaired) + "@@userGroupManagement@@result_repaired@@${usergroup_directive_id[${usergroup_user_index}]}@@User ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) UID has been changed" + ifvarclass => "usermanagement_user_uid_${usergroup_user_index}_repaired"; + + ## Could not be changed (Error) + "@@userGroupManagement@@result_error@@${usergroup_directive_id[${usergroup_user_index}]}@@User ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) UID could NOT be changed !" 
+ ifvarclass => "usermanagement_user_uid_${usergroup_user_index}_error"; + + ## Change not needed (Success) + "@@userGroupManagement@@result_success@@${usergroup_directive_id[${usergroup_user_index}]}@@User ID@@${usergroup_user_login[${usergroup_user_index}]}@@${g.execRun}##${g.uuid}@#The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) UID change is not required" + ifvarclass => "!usermanagement_user_uid_${usergroup_user_index}_kept.!usermanagement_user_uid_${usergroup_user_index}_repaired.!usermanagement_user_uid_${usergroup_user_index}_error"; + +} + +bundle edit_line set_user_fullname(user,user_index,fullname) +{ + field_edits: + "${user}:.*" + # Edit GECOS on /etc/passwd + edit_field => col(":", "5", "${fullname}", "set"), + classes => kept_if_else("usermanagement_fullname_edit_${user_index}_kept","usermanagement_fullname_edit_${user_index}_repaired","usermanagement_fullname_edit_${user_index}_error"); + +} + +bundle edit_line append_or_change_user(user, user_string) { + delete_lines: + "^.*$(user).*"; + + insert_lines: + "$(user_string)", + comment => "Append users into a password file format", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"); +} + +bundle edit_line append_or_change_passwd(user, pass_string) { + delete_lines: + "^.*$(user).*"; + + insert_lines: + "$(pass_string)" + comment => "Append user password in shadow file format", + classes => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"); +} + +bundle agent force_create_user_homedir(home, uid, gid) { + files: + "$(home)/." + create => "true", + perms => mog("700", "$(uid)", "$(gid)"); + +} +
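Review bot: `delete_lines: "^.*$(user).*";` in append_or_change_user and append_or_change_passwd matches any /etc/passwd or /etc/shadow line that merely contains the login string anywhere (another account's name, a GECOS field, a home path), so a forced-local user `bob` would also delete the `bobby` entry; anchor it on the login field instead, `"$(user):.*"` (CFEngine anchors the pattern implicitly), and wrap it with `escape()` if logins may carry regex metacharacters. The three forcelocal edits on /etc/passwd and /etc/shadow are gated only on `usermanagement_user_forcelocal_*` and not on `usermanagement_user_update_*`, so with action `remove` the userdel promise and the append promise fight each other and the account is re-added on every run. The unqualified `${usergroup_user_index}` in the classes bodies of those two edit_line bundles is defined in check_usergroup_user_parameters, not in the edit_line bundle's scope, so the generated class names likely keep the literal variable text; passing the index as a bundle parameter, as set_user_fullname already does, would fix that. On the Windows branch the clear-text password is passed on the net.exe command line where other local processes can read it, which at least deserves a comment on that promise.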