Swampcritter
2012-Jun-04 14:41 UTC
[Puppet Users] Need help resolving bad Puppet module entries for STIG
I discovered that a number of our STIG Puppet modules are failing. I am
thinking it's because the code is wrong, because when I make a quick change
to the actual code being used, then the code actually works as intended.
STIG Puppet Code Repository:
https://fedorahosted.org/aqueduct/browser/trunk/compliance/Puppet/STIG/rhel5/RHEL-5-Unix-Checklist/base/dev/rhel5/puppet/trunk/etc/puppet/modules/stig
Puppet code being executed:
class gen002640 {
  ## (GEN002640: CAT II) (Previously - G092) The SA will ensure logon capability
  ## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon,
  ## and any default account not normally logged onto) will be disabled by
  ## making the default shell /bin/false, /usr/bin/false, /sbin/false,
  ## /sbin/nologin, or /dev/null, and by locking the password.
  exec { "/bin/bash -c 'for i in `awk -F: '\$3 < 500 && \$1 != \"root\" { print \$1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null \$i; done'": }
}
Error reported:
Jun 1 12:40:58 rhel-stig-ap puppet-agent[2489]: (/Stage[main]/Gen002640/Exec[/bin/bash -c 'for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null $i; done']/returns) change from notrun to 0 failed: /bin/bash -c 'for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null $i; done' returned 1 instead of one of [0] at /etc/puppet/modules/GEN002640/manifests/init.pp:7
When run as a command-line script, it works fine:
#!/bin/bash
set -x
for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`;
do
  /usr/sbin/usermod -L -s /dev/null $i;
done
Output seen:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/dev/null
daemon:x:2:2:daemon:/sbin:/dev/null
adm:x:3:4:adm:/var/adm:/dev/null
lp:x:4:7:lp:/var/spool/lpd:/dev/null
mail:x:8:12:mail:/var/spool/mail:/dev/null
uucp:x:10:14:uucp:/var/spool/uucp:/dev/null
nobody:x:99:99:Nobody:/:/dev/null
nscd:x:28:28:NSCD Daemon:/:/dev/null
vcsa:x:69:69:virtual console memory owner:/dev:/dev/null
dbus:x:81:81:System message bus:/:/dev/null
avahi:x:70:70:Avahi daemon:/:/dev/null
mailnull:x:47:47::/var/spool/mqueue:/dev/null
smmsp:x:51:51::/var/spool/mqueue:/dev/null
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/dev/null
haldaemon:x:68:68:HAL daemon:/:/dev/null
gdm:x:42:42::/var/gdm:/dev/null
I tried the following changes to the code, but still no help.
Change #1
exec { "/bin/bash -c 'for i in `awk -F: '\$3 < 500 && \$1 != \"root\" { print \$1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null \$i; done'":
}
Change #1 Error:
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at 'for'; expected '}' at /etc/puppet/modules/GEN002640/manifests/init.pp:8
Change #2
exec { "/bin/bash -c 'for i in `awk -F: "\\$3 < 500 && \\$1 != \"root\" { print \\$1 }" /etc/passwd`; do echo /usr/bin/usermod -L -s /dev/null $i; done'": }
Change #2 Error:
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at '\'; expected '}' at /etc/puppet/modules/GEN002640/manifests/init.pp:7
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/OvJNpeXZ5QwJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2012-Jun-05 16:28 UTC
[Puppet Users] Re: Need help resolving bad Puppet module entries for STIG
On Jun 4, 9:41 am, Swampcritter <mawors...@gmail.com> wrote:
> I discovered that a number of our STIG Puppet modules are failing. I am
> thinking it's because the code is wrong, because when I make a quick change
> to the actual code being used, then the code actually works as intended.
[...]
> exec { "/bin/bash -c 'for i in `awk -F: '\$3 < 500 && \$1 != \"root\" { print \$1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null \$i; done'": }
[...]
> Jun 1 12:40:58 rhel-stig-ap puppet-agent[2489]: (/Stage[main]/Gen002640/Exec[/bin/bash -c 'for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null $i; done']/returns) change from notrun to 0 failed: /bin/bash -c 'for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null $i; done' returned 1 instead of one of [0] at /etc/puppet/modules/GEN002640/manifests/init.pp:7
>
> When run as a command-line script, it works fine:

Your Exec tries to run 'awk', but it does not specify a path either in the command itself or via a 'path' parameter to the Exec. Most consistent with the rest of your Exec would be:

exec { "/bin/bash -c 'for i in `/usr/bin/awk -F: '\$3 < 500 && \$1 != \"root\" { print \$1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null \$i; done'": }

John
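Added example for both the failing Exec and the path fix in the reply (not code from this thread or from the aqueduct repository): the same GEN002640 remediation as an audit-first script file. Moving the loop into a file sidesteps nesting awk's single quotes inside the bash -c '...' string, a fixed PATH stands in for the Exec 'path' parameter, and the check function lets the Exec be idempotent; it assumes a RHEL-style layout with usermod in /usr/sbin.

```shell
#!/bin/sh
# Added example, not code from this thread or the aqueduct repository.
# Audit-first GEN002640 remediation; the fixed PATH replaces the Exec 'path'
# parameter (Puppet gives Execs no search path by default).
# Assumes a RHEL-style layout with usermod in /usr/sbin.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Shells the STIG text accepts for default accounts.
ALLOWED_SHELLS='/bin/false /usr/bin/false /sbin/false /sbin/nologin /dev/null'

shell_allowed() {
    for s in $ALLOWED_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print, one per line, system accounts (UID < 500, not root) whose login
# shell is not in the allowed list. Reads /etc/passwd unless a file is given,
# so it can be checked against a constructed passwd file.
gen002640_noncompliant() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -lt 500 ] && [ "$name" != root ] || continue
        shell_allowed "$shell" || echo "$name"
    done < "${1:-/etc/passwd}"
}

# Exit 0 only when something still needs fixing: as the Exec's onlyif test it
# keeps the run idempotent instead of reporting a change on every agent run.
gen002640_needed() {
    [ -n "$(gen002640_noncompliant "$1")" ]
}

# Lock the password and set the shell to /dev/null, as the STIG text requires.
gen002640_remediate() {
    gen002640_noncompliant "$1" | while read -r user; do
        usermod -L -s /dev/null "$user"
    done
}

case "${1:-}" in
    --audit) gen002640_noncompliant ;;   # list offenders
    --check) gen002640_needed ;;         # onlyif: exit 0 if work remains
    --fix)   gen002640_remediate ;;      # command: remediate
esac
```

In the manifest this becomes `onlyif => '/usr/local/sbin/gen002640.sh --check'` and `command => '/usr/local/sbin/gen002640.sh --fix'` (the install path is a hypothetical choice).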