mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
add support for managing users that can ssh to a node via key
This commit is contained in:
m0duspwnens
2
pillar/users/init.sls
Normal file
2
pillar/users/init.sls
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
# users pillar goes here
|
||||||
|
users:
|
||||||
19
pillar/users/pillar.example
Normal file
19
pillar/users/pillar.example
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
users:
|
||||||
|
sclapton:
|
||||||
|
# required fields
|
||||||
|
status: present
|
||||||
|
# node_access determines which node types the user can access.
|
||||||
|
# this can either be by grains.role or by final part of the minion id after the _
|
||||||
|
node_access:
|
||||||
|
- standalone
|
||||||
|
- searchnode
|
||||||
|
# optional fields
|
||||||
|
- fullname: Stevie Claptoon
|
||||||
|
- uid: 1001
|
||||||
|
- gid: 1001
|
||||||
|
- homephone: does not have a phone
|
||||||
|
groups:
|
||||||
|
- mygroup1
|
||||||
|
- mygroup2
|
||||||
|
- wheel # give sudo access
|
||||||
|
|
||||||
20
pillar/users/pillar.usage
Normal file
20
pillar/users/pillar.usage
Normal file
@@ -0,0 +1,20 @@
|
|||||||
|
users:
|
||||||
|
sclapton:
|
||||||
|
# required fields
|
||||||
|
status: <present | absent>
|
||||||
|
# node_access determines which node types the user can access.
|
||||||
|
# this can either be by grains.role or by final part of the minion id after the _
|
||||||
|
node_access:
|
||||||
|
- standalone
|
||||||
|
- searchnode
|
||||||
|
# optional fields
|
||||||
|
- fullname: <string>
|
||||||
|
- uid: <integer>
|
||||||
|
- gid: <integer>
|
||||||
|
- roomnumber: <string>
|
||||||
|
- workphone: <string>
|
||||||
|
- homephone: <string>
|
||||||
|
groups:
|
||||||
|
- <string>
|
||||||
|
- <string>
|
||||||
|
- wheel # give sudo access
|
||||||
117
salt/users/init.sls
Normal file
117
salt/users/init.sls
Normal file
@@ -0,0 +1,117 @@
|
|||||||
|
# The creation of a user will require a pub key placed in /opt/so/saltstack/local/salt/users/authorized_keys/<username>
|
||||||
|
|
||||||
|
# If a user is changed from present to absent, their usergroup will be removed, but any additional usergroups that were created
|
||||||
|
# for that user will remain.
|
||||||
|
|
||||||
|
{% for username, userdeets in pillar.get('users', {}).items() %}
|
||||||
|
{% if 'status' in userdeets %}
|
||||||
|
{% if userdeets.status == 'absent' %}
|
||||||
|
|
||||||
|
remove_user_{{username}}:
|
||||||
|
user.absent:
|
||||||
|
- name: {{ username }}
|
||||||
|
{% if 'purge' in userdeets %}
|
||||||
|
- purge: {{ userdeets.purge }}
|
||||||
|
{% endif %}
|
||||||
|
- force: True
|
||||||
|
|
||||||
|
{% elif userdeets.status == 'present' %}
|
||||||
|
|
||||||
|
{% if 'node_access' in userdeets %}
|
||||||
|
{% if grains.role in userdeets.node_access or grains.id.split('_')|last in userdeets.node_access %}
|
||||||
|
|
||||||
|
{% for group in userdeets.get('groups', []) %}
|
||||||
|
add_user_groups_{{username}}_{{group}}:
|
||||||
|
group.present:
|
||||||
|
- name: {{ group }}
|
||||||
|
{% if group == 'sudo' %}
|
||||||
|
- system: True
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
add_user_{{username}}:
|
||||||
|
user.present:
|
||||||
|
- name: {{ username }}
|
||||||
|
- home: {{ userdeets.get('home', "/home/%s" % username) }}
|
||||||
|
- shell: {{ userdeets.get('shell', '/bin/bash') }}
|
||||||
|
- usergroup: True
|
||||||
|
|
||||||
|
{% if 'fullname' in userdeets %}
|
||||||
|
- fullname: {{ userdeets.fullname }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'uid' in userdeets %}
|
||||||
|
- uid: {{ userdeets.uid }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'gid' in userdeets %}
|
||||||
|
- gid: {{ userdeets.gid }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'roomnumber' in userdeets %}
|
||||||
|
- roomnumber: {{ userdeets.roomnumber }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'workphone' in userdeets %}
|
||||||
|
- workphone: {{ userdeets.workphone }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'homephone' in userdeets %}
|
||||||
|
- homephone: {{ userdeets.homephone }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'groups' in userdeets %}
|
||||||
|
- groups:
|
||||||
|
{% for group in userdeets.groups %}
|
||||||
|
- {{ group }}
|
||||||
|
{% endfor %}
|
||||||
|
- require:
|
||||||
|
{% for group in userdeets.groups %}
|
||||||
|
- group: {{ group }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{{username}}_authorized_keys:
|
||||||
|
file.managed:
|
||||||
|
- name: /home/{{username}}/.ssh/authorized_keys
|
||||||
|
- source: salt://users/authorized_keys/{{username}}
|
||||||
|
- user: {{username}}
|
||||||
|
- group: {{username}}
|
||||||
|
- mode: 644
|
||||||
|
- show_diff: False
|
||||||
|
- makedirs: True
|
||||||
|
- require:
|
||||||
|
- user: add_user_{{username}}
|
||||||
|
{% for group in userdeets.get('groups', []) %}
|
||||||
|
- group: {{ group }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% else %}
|
||||||
|
|
||||||
|
unknown_status_or_password_not_provided_for_user_{{username}}:
|
||||||
|
test.fail_without_changes:
|
||||||
|
- comment: "Verify status is 'present' or 'absent' and a password is provided for {{username}} in the users pillar."
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% else %}
|
||||||
|
|
||||||
|
status_not_provided_for_user_{{username}}:
|
||||||
|
test.fail_without_changes:
|
||||||
|
- comment: "Status should be 'present' or 'absent'."
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
disable_wheel_pwd_required:
|
||||||
|
file.comment:
|
||||||
|
- name: /etc/sudoers
|
||||||
|
- regex: "%wheel\\s+ALL=\\(ALL\\)\\s+ALL"
|
||||||
|
|
||||||
|
allow_wheel_no_pwd:
|
||||||
|
file.uncomment:
|
||||||
|
- name: /etc/sudoers
|
||||||
|
- regex: "%wheel\\s+ALL=\\(ALL\\)\\s+NOPASSWD: ALL"
|
||||||
Reference in New Issue
Block a user