From 67aac22699ed320e13c8f076233e5b46ebca123e Mon Sep 17 00:00:00 2001
From: Michael Geiger
Date: Wed, 10 Jan 2018 09:54:53 +0100
Subject: [PATCH] Make paramater USERGROUPS_ENAB in login.defs configurable
Signed-off-by: Michael Geiger
---
 README.md | 2 ++
 manifests/init.pp | 2 ++
 manifests/login_defs.pp | 4 ++++
 templates/login.defs.erb | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d93c8bf..8cb74b3 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,8 @@ This Puppet module provides secure configuration of your base OS with hardening.
 add additional paths to the user's `PATH` variable (default is empty).
 * `umask = "027"`
 umask used for the creation of new home directories by useradd / newusers
+* `usergroups = true`
+ true if you want separate groups for each user, false otherwise
 * `password_max_age = 60`
 maximum password age
 * `password_min_age = 7`
diff --git a/manifests/init.pp b/manifests/init.pp
index 4f2835a..7afb6c9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -14,6 +14,7 @@
 $extra_user_paths = [],
 $umask = undef,
+ $usergroups = true,
 $sys_uid_min = undef,
 $sys_gid_min = undef,
 $password_max_age = 60,
@@ -118,6 +119,7 @@
 class { 'os_hardening::login_defs':
 extra_user_paths => $extra_user_paths,
 umask => $merged_umask,
+ usergroups => $usergroups,
 sys_uid_min => $merged_sys_uid_min,
 sys_gid_min => $merged_sys_gid_min,
 password_max_age => $password_max_age,
diff --git a/manifests/login_defs.pp b/manifests/login_defs.pp
index 66cad46..8722b52 100644
--- a/manifests/login_defs.pp
+++ b/manifests/login_defs.pp
@@ -12,6 +12,7 @@
 class os_hardening::login_defs (
 $extra_user_paths = [],
 $umask = '027',
+ $usergroups = true,
 $sys_uid_min = 100,
 $sys_gid_min = 100,
 $password_max_age = 60,
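Review bot: The new `$usergroups = true,` parameter in manifests/init.pp (first hunk), and the identical declaration in the class header of manifests/login_defs.pp, accepts any value, because it is declared without a type or validation. A string such as `'false'` coming from Hiera or an ENC would not be rejected at the class boundary; at best it fails later inside the `bool2str` conversion with a less specific error. Declaring it as `Boolean $usergroups = true,` or, if the module still supports parsers without data types, calling `validate_bool($usergroups)` in login_defs.pp would reject bad input before `/etc/login.defs` is rendered. Both parameter lists start and end outside the hunks, so whether the neighbouring parameters are validated elsewhere cannot be seen from this patch.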
@@ -25,6 +26,9 @@
 # prepare all variables
 $additional_user_paths = join($extra_user_paths, ':')
+ # convert bool to yes/no
+ $usergroups_yn = bool2str($usergroups, 'yes', 'no')
+
 # set the file
 file { '/etc/login.defs':
 ensure => file,
diff --git a/templates/login.defs.erb b/templates/login.defs.erb
index 95595d9..2633ee6 100644
--- a/templates/login.defs.erb
+++ b/templates/login.defs.erb
@@ -88,7 +88,7 @@ UMASK <%= @umask %>
 # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
 # If set to yes, userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user.
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB <%= @usergroups_yn %>
 # Password aging controls
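Review bot: The `bool2str($usergroups, 'yes', 'no')` line in manifests/login_defs.pp uses the three-argument form of the stdlib function, and the patch does not touch the module's dependency metadata. If the declared puppetlabs-stdlib lower bound predates that form, catalog compilation would presumably fail on older installs, so the bound should be confirmed alongside this change. The `# convert bool to yes/no` comment could also state what the switch means on a hardened host, for example `# 'yes': per-user private groups; umask group bits then follow the owner bits for those users (027 -> 007)`. That effect is described in the template's own comment but not in the README entry. The class body continues outside the hunk.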