Disable System Accounts

[igoraj]

As per CIS-CAT also system accounts should be hardened, their shell set to /usr/sbin/nologin and their password locked, so I made a few changes to support that in this module.

Could not find any section on how to contribute so let me know if this is acceptable or not or would you want something approached in different way.

[arlimus]

@igoraj Awesome, thank you for contributing! I'll take an extra round testing this one, before merging.

[igoraj]

@arlimus cool, and as i said, let me know if i should redo some parts.

[arlimus]

@igoraj Sorry for the delay, I finally had a go at everything :)

I was thinking about the naming of the attribute: What do you think about skip_users or ignore_users instead of leave_alone_users? (maybe make it a bit shorter)
Other than that, I'd love to get this merged 👍

Side-note: Short-term I believe we will be able to replace the parsing of login.defs, as we also write this file. There is one more issue (added as #57) to fix to wrap it up.

[igoraj]

ignore_users make so much more sense! there you go!
i also added validation in case class gets something else than array from user.
might be worth adding those for all input vars (but I'll do a separate PR)

[arlimus]

@igoraj This looks great, thank you so much! :)

Funny issue, it's currently breaking my test env (not visible here yet; our test kitchen runs separately), because all vagrant test users fall inside sys-uid range (incorrectly, imho). I'll takle that env issue and finally merge this.

[igoraj]

@arlimus do you have any ETA for that? can i help somehow?

[arlimus]

@igoraj Sorry for the delay, i'll finally wrap this up today.

[arlimus]

I'll bump the release at the end of next week. Thank you for adding this :)