---
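- name: get UID_MIN from login.defs
  # Read the UID_MIN value from login.defs; every UID below it is treated as a
  # system account by the tasks that follow. Matching the first whitespace-
  # separated field is simpler than the original regex and does not depend on
  # the GNU-awk-only `\s` class (POSIX awk spells it `[[:space:]]`). A line
  # commented out as `#UID_MIN` has `#UID_MIN` as its first field and is not
  # matched. No shell feature is needed, so `command` is used: the argument
  # string is split without ever going through /bin/sh.
  command: awk '$1 == "UID_MIN" {print $2}' /etc/login.defs
  args:
    # Skip rather than fail on hosts without login.defs. A skipped task still
    # registers a result dict, but one without `stdout`; later tasks must
    # check for that rather than for `uid_min is defined`.
    removes: /etc/login.defs
  register: uid_min
  # Read-only probe: run it even under --check so the following tasks have
  # data, and never report it as a change.
  check_mode: false
  changed_when: false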
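- name: calculate UID_MAX from UID_MIN by substracting 1
  # The highest system UID is one below UID_MIN. Jinja filters bind tighter
  # than `-`, so this evaluates as (stdout | int) - 1.
  set_fact:
    uid_max: '{{ uid_min.stdout | int - 1 }}'
  # The previous guard, `uid_min is defined`, was always true: `register`
  # stores a result dict even for a skipped task, so on a host without
  # login.defs this task ran anyway and failed on the missing `stdout`.
  # An empty stdout (login.defs present but no UID_MIN line) is just as bad:
  # `'' | int` is 0, uid_max becomes -1, and no account is ever locked.
  # Only compute uid_max when the probe ran and actually found a value;
  # otherwise leave it undefined so the OS-default tasks can fill it in.
  when:
    - uid_min.stdout is defined
    - uid_min.stdout | trim | length > 0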
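- name: set UID_MAX on Debian-systems if no login.defs exist
  # 999 is the highest system UID for a UID_MIN of 1000.
  set_fact:
    uid_max: '999'
  # The original condition `not uid_min` could never be true: a registered
  # result is always a non-empty dict, even when the probing task was
  # skipped, so this fallback was dead code. Keying off whether uid_max has
  # already been derived from login.defs makes the fallback actually fire
  # when login.defs is absent or carries no UID_MIN.
  when:
    - ansible_os_family == 'Debian'
    - uid_max is not defined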
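- name: set UID_MAX on other systems if no login.defs exist
  # 499 is the highest system UID for a UID_MIN of 500.
  set_fact:
    uid_max: '499'
  # `not uid_min` is never true for a registered result (always a non-empty
  # dict), so this fallback never ran. It also carried no OS guard: had it
  # ever fired on Debian it would have overwritten the 999 set just before.
  # Testing for an undefined uid_max fixes both, because this task runs
  # after the Debian-specific one and therefore only applies where neither
  # login.defs nor the Debian default produced a value.
  when: uid_max is not defined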
- name: get all system accounts
  # List every account whose UID is at or below uid_max, one name per line.
  # `command` does not spawn a shell, so `quote` cannot be bypassed and the
  # awk program receives uid_max as a bare numeric literal; an undefined
  # uid_max makes the template fail here, which stops the play instead of
  # locking the wrong set of accounts. Note that UID 0 (root) satisfies the
  # comparison too, so the list includes root and relies on the ignore
  # lists applied later to exclude it — NOTE(review): confirm
  # os_always_ignore_users covers root.
  command: awk -F: '$3 <= {{ uid_max | quote }} {print $1}' /etc/passwd
  args:
    removes: /etc/passwd
  register: sys_accs
  # Read-only probe: run it under --check and never report a change.
  changed_when: false
  check_mode: false
- name: remove always ignored system accounts from list
  # Drop the accounts that must never be touched (os_always_ignore_users is
  # defined outside this file) from the list gathered from /etc/passwd.
  set_fact:
    sys_accs_cond: "{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}"
  check_mode: false
- name: change system accounts not on the user provided ignore-list
  # Harden every remaining system account: give it the nologin shell and a
  # password field of `*`, which can never match a hash and therefore
  # disables password authentication. This does not disable the account as
  # such — key-based SSH, sudo rules or cron entries for it are unaffected.
  # No home directory is created for accounts that lack one.
  user:
    name: "{{ item }}"
    shell: "{{ os_nologin_shell_path }}"
    password: "*"
    createhome: false
  # The operator-supplied exclusions (os_ignore_users, defined elsewhere)
  # are subtracted after the always-ignored ones; default([]) keeps the loop
  # empty if the account list was never built.
  with_flattened:
    - "{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}"