From f6bd74aadf055f9600d677958093d2969827b7c6 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Jun 2021 15:21:19 -0400
Subject: [PATCH] add a list of reserved usernames for centos
---
 salt/users/init.sls | 4 +++-
 salt/users/map.jinja | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 salt/users/map.jinja
diff --git a/salt/users/init.sls b/salt/users/init.sls
index 2f6f44c03..c6876e269 100644
--- a/salt/users/init.sls
+++ b/salt/users/init.sls
@@ -3,7 +3,9 @@
 # If a user is changed from present to absent, their usergroup will be removed, but any additional usergroups that were created
 # for that user will remain.
-{% for username, userdeets in pillar.get('users', {}).items() %}
+{% from 'users/map.jinja' import reserved_usernames with context %}
+
+{% for username, userdeets in pillar.get('users', {}).items() if username not in reserved_usernames %}
 {% if 'status' in userdeets %}
 {% if userdeets.status == 'absent' %}
diff --git a/salt/users/map.jinja b/salt/users/map.jinja
new file mode 100644
index 000000000..ef99d14cd
--- /dev/null
+++ b/salt/users/map.jinja
@@ -0,0 +1,38 @@
+{% set reserved_usernames = [
+ 'root',
+ 'bin',
+ 'daemon',
+ 'adm',
+ 'lp',
+ 'sync',
+ 'shutdown',
+ 'halt',
+ 'mail',
+ 'operator',
+ 'games',
+ 'ftp',
+ 'nobody',
+ 'systemd-network',
+ 'dbus',
+ 'polkitd',
+ 'tss',
+ 'sshd',
+ 'ossec',
+ 'postfix',
+ 'chrony',
+ 'ntp',
+ 'tcpdump',
+ 'socore',
+ 'soremote',
+ 'elasticsearch',
+ 'stenographer',
+ 'suricata',
+ 'zeek',
+ 'curator',
+ 'kratos',
+ 'kibana',
+ 'elastalert',
+ 'ossecm',
+ 'ossecr',
+ 'logstash'
+] %}
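Review bot: Entries rejected by `if username not in reserved_usernames` on the new `for` line are dropped silently, so a `users` pillar that names `root` or `socore` renders no state and gives the operator no sign that the entry was ignored. A second loop over the rejected names that renders a failing `test` state would make such an entry visible in the highstate output, as sketched below. A comment above the loop, such as `# Reserved/system accounts from users/map.jinja are never managed from pillar`, would also record why the filter exists. The body of the `for` loop continues outside the hunk.

```yaml
{% from 'users/map.jinja' import reserved_usernames with context %}

{# Surface pillar entries that collide with a reserved account instead of skipping them silently. #}
{% for username in pillar.get('users', {}) if username in reserved_usernames %}
users_reserved_{{ username }}:
  test.fail_without_changes:
    - name: "users pillar entry '{{ username }}' is a reserved account and was not applied"
{% endfor %}

{# … unchanged: filtered loop over pillar users … #}
```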
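Review bot: The `reserved_usernames` list is a fixed snapshot of account names, so a system or service account that exists on a host but is missing here (one created later by a package, for example) can still be managed, or set to `absent`, through the `users` pillar. A check that does not depend on the list would close that gap: in `init.sls`, also skip a name when the account already exists with a UID below the distribution's `UID_MIN`, for instance `{% set existing = salt['user.info'](username) %}` followed by a test on `existing.get('uid')`. The subject says the list is for CentOS, yet nothing in `map.jinja` is keyed on the OS grain. A comment at the top of the file stating which image the names were taken from, and that new service accounts must be added here, would help keep it current.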