- in inspec >= 3.0.0 there are changes in schema
which require to have tests/integration dir
to contain tests, otherwise fails
- this is temporary workaround until we decide
proper fix
Change-Id: Ie251c093e3d66532d027a47a56272936cf3cbcb3
This typo mistake affects behavior of user.present module function
as it uses 'useradd' linux utility under the hood.
Missing USERGROUPS_ENAB parameter == do not create user groups by default.
This change in behavior of useradd util breaks all states, which are relaying
on creation of user group during new user creation procedure, e.g. set up
cassandra backups.
Change-Id: Ie17aae58fc6673b9c5d53bb68f681446f30d0a1a
Related-bug: PROD-23741
https://gerrit.mcp.mirantis.com/25351/ was merged but linux.system.shell
state wasn't included into init.yml and was never used.
This commit fixes this.
Related-Prod: PROD-23581
Change-Id: I89e09247dd2566b8a5b0c0e67e8ca9c789ed57f6
CIS 5.4.1.4 should be configured in /etc/default/useradd
cis-5-4-1-4.yml attempts to configure this item in
pillar that relates to /etc/login.defs and should be removed.
Related-Prod: PROD-23600
Change-Id: Iea93a54a44df919c07001fc02e3551276ef9583c
To simplify filtering in Kibana change
systemd.source prefix to record field "source".
Change-Id: I7729ae6721a1050a938370a588d35313f91f971a
Related-bug: PROD-21827 (PROD:21827)
Previous implementation was not able to add port 'dpdk0' to bridge
'br-dpdk0' since both matches 'grep' condition. To fix this we need to
look for port in a particular bridge
Change-Id: Ie83cebc3ab73c45a48f68fae2d6f474743215908
* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
Related-Prod: PROD-18386
Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf
The following parameters defined in /etc/login.defs can
be overridden per-user:
* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE
Related-Prod: PROD-18386
Change-Id: I5b182128f9dd8a043b48fb86e61febb2fd5c7e0a
* Ubuntu pinning params allow to be used
multiply times. In same time, old `list`
format now allowing to be predictable
iterated inside jinja
Related-Bug: PROD-21604 (PROD:21604)
Change-Id: If1c0f0f834a296b9a19d0af5fc7673c9229a7ac5
Permissions 640 root:root doesn't allow regular user to read
/etc/{at,cron}.allow files, that changes behavior of at / crontab
commands:
* crontab command can't read /etc/cron.allow and allow any user to modify
their crontab files.
* at command can't read /etc/at.allow and deny every user.
at / crontab files have SGID bits set, so setting correct group
on /etc/{at,cron}.allow fixes the issue.
Change-Id: I4a3fc8d8e823498d6715e26307424e3065cbd6ca
* CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
* CIS 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
Related-Prod: PROD-20765
Change-Id: I5ff5e5bc76e1d87432caec70f2b35eec288e9213
* CIS 1.5.4 Ensure prelink is disabled
* CIS 2.3.1 Ensure NIS Client is not installed
* CIS 2.3.2 Ensure rsh client is not installed
* CIS 2.3.3 Ensure talk client is not installed
* CIS 2.3.4 Ensure telnet client is not installed
Change-Id: I0eb11d39deaa28f238a2e618bf95cc248189197c
linux/system/user.sls ignores 'shell' option if a
user is system. This is quite strange behavior, and it
breaks CIS:
* 5.4.2 Ensure system accounts are non-login
Change-Id: I32dd44ac4fcc1425ea47eb4cf60acf41f6ce0887
Related-Prod: PROD-20764