Next fun topic for today: our security folks want to change all the /sbin/nologin and related shells to /dev/null. Augeas seems the perfect tool for this, but I'm having a devil of a time getting close to something that'll work:

    augeas { 'fix-bad-passwd-shells':
      context => "/files/etc/passwd",
      changes => "set */shell[.='/sbin/nologin'] /dev/null",
      onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
    }

I really wanted my onlyif to look more like:

    onlyif => "match */shell includes nologin"

to catch other variations (like /usr/sbin/nologin), but that didn't work at all. Is there a way to make that work?

And this match works in augtool and when I run puppet, but the "set" doesn't. It just doesn't do anything. I think I'm close -- any augeas experts care to show me the error of my ways? This really feels like black magic.

Bret

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/ca56fd84-1395-49e7-a547-efbbaf47dae4%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
David Lutterkort
2013-Nov-13 19:47 UTC
[Puppet Users] Re: Managing account shells with augeas
On Wednesday, November 13, 2013 11:23:15 AM UTC-8, Bret Wortman wrote:
> Next fun topic for today: our security folks want to change all the
> /sbin/nologin and related shells to /dev/null. Augeas seems the perfect
> tool for this, but I'm having a devil of a time getting close to something
> that'll work:
>
>     augeas { 'fix-bad-passwd-shells':
>       context => "/files/etc/passwd",
>       changes => "set */shell[.='/sbin/nologin'] /dev/null",
>       onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
>     }

The problem is that set will only change a single node, and barf if you give it an expression that matches multiple nodes. What you need is setm:

    augeas { 'fix-bad-passwd-shells':
      context => "/files/etc/passwd",
      changes => "setm */shell[.='/sbin/nologin'] . /dev/null",
      onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
    }

> I really wanted my onlyif to look more like:
>
>     onlyif => "match */shell includes nologin"

You shouldn't really need the onlyif at all - Augeas is smart enough to not do anything when your setm didn't result in any changes (and IIRC the Puppet Augeas type has the same kind of smarts).

> to catch other variations (like /usr/sbin/nologin), but that didn't work
> at all. Is there a way to make that work?

You can also select nodes by doing a regexp match against their content; the following should work:

    match */shell[. =~ regexp('.*/nologin$')]

David
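Putting David's two suggestions (setm and the regexp() selector) into a single resource, as an added example that is not code from the thread or from Puppet's own documentation: one augeas resource rewrites /sbin/nologin, /usr/sbin/nologin and any other shell path ending in /nologin. The lens/incl parameters are an addition for speed, and the regexp is an assumption about which shells the security policy is meant to cover.

```puppet
# Added example: rewrite every login shell ending in "/nologin" to /dev/null.
# Combines the setm and regexp() ideas from the reply above; not thread code.
augeas { 'fix-bad-passwd-shells':
  # Load only the Passwd lens for /etc/passwd instead of every lens on the
  # box; the parsed tree still appears under /files/etc/passwd.
  lens    => 'Passwd.lns',
  incl    => '/etc/passwd',
  context => '/files/etc/passwd',
  changes => [
    # setm BASE SUB VALUE: for each node matching BASE, set SUB (a path
    # relative to that node; "." is the node itself) to VALUE. Plain "set"
    # errors out when the path matches more than one node.
    # The regexp ('.*/nologin$') is an assumption about the policy's scope.
    "setm */shell[. =~ regexp('.*/nologin$')] . /dev/null",
  ],
  # Optional guard: skip the resource when no account still has a
  # nologin-style shell. Augeas will not rewrite the file when nothing
  # changed anyway, so this mainly keeps the agent log quiet.
  onlyif  => "match */shell[. =~ regexp('.*/nologin$')] size > 0",
}
```

Before rolling this out, run it with `puppet apply --noop` (or try the same `match` and `setm` commands in `augtool` against a copy of the file via `augtool --root <dir>`) to see exactly which accounts the selector picks up; the regexp is the part most worth checking, since it also catches any locally built nologin binary installed under a different prefix.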
Bret Wortman
2013-Nov-14 15:33 UTC
Re: [Puppet Users] Re: Managing account shells with augeas
You know what's sad? I looked at setm when I was poking around with augtool, but didn't see any examples using Puppet so I never circled back to it. I ended up writing a shell script with a sed script inside, distributing that using file and then executing it via an exec in refreshonly mode.

I'll give this a second try shortly, though. Thanks!

Bret Wortman
http://about.me/wortmanbret

On Wed, Nov 13, 2013 at 2:47 PM, David Lutterkort <lutter@puppetlabs.com> wrote:
> On Wednesday, November 13, 2013 11:23:15 AM UTC-8, Bret Wortman wrote:
>> Next fun topic for today: our security folks want to change all the
>> /sbin/nologin and related shells to /dev/null. Augeas seems the perfect
>> tool for this, but I'm having a devil of a time getting close to something
>> that'll work:
>>
>>     augeas { 'fix-bad-passwd-shells':
>>       context => "/files/etc/passwd",
>>       changes => "set */shell[.='/sbin/nologin'] /dev/null",
>>       onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
>>     }
>
> The problem is that set will only change a single node, and barf if you
> give it an expression that matches multiple nodes. What you need is setm:
>
>     augeas { 'fix-bad-passwd-shells':
>       context => "/files/etc/passwd",
>       changes => "setm */shell[.='/sbin/nologin'] . /dev/null",
>       onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
>     }
>
>> I really wanted my onlyif to look more like:
>>
>>     onlyif => "match */shell includes nologin"
>
> You shouldn't really need the onlyif at all - Augeas is smart enough to
> not do anything when your setm didn't result in any changes (and IIRC the
> Puppet Augeas type has the same kind of smarts)
>
>> to catch other variations (like /usr/sbin/nologin), but that didn't work
>> at all. Is there a way to make that work?
>
> You can also select nodes by doing a regexp match against their content;
> the following should work:
>
>     match */shell[. =~ regexp('.*/nologin$')]
>
> David