The libuuid-user cookbook has been deprecated

Author provided reason for deprecation:

The libuuid-user cookbook has been deprecated and is no longer being maintained by its authors. Use of the libuuid-user cookbook is no longer recommended.


libuuid-user (3) Versions 1.0.1

Set a non-login shell for the libuuid user on Ubuntu/Debian and validate that it is correct.

Policyfile:
    cookbook 'libuuid-user', '= 1.0.1', :supermarket

Berkshelf:
    cookbook 'libuuid-user', '= 1.0.1'

Knife:
    knife supermarket install libuuid-user
    knife supermarket download libuuid-user
Quality 100%

libuuid-user

Set a non-login shell for the libuuid user on Ubuntu/Debian and validate that it is correct.

This cookbook serves two purposes.

  1. Remediate the issue reported in Ubuntu and Debian regarding the libuuid user missing a shell that disables login.
  2. Provide examples that show the difference between Chef's audit mode (which uses Serverspec), and "regular" Serverspec.

Usage

Include recipe[libuuid-user] on any nodes that need to have this user updated to ensure that the shell is set correctly.

Include recipe[libuuid-user::verify] on any node where audit mode should be used to verify that the libuuid user's shell is set correctly.

The verify recipe can be used independently on nodes with audit mode set to :audit_only (chef-client --audit-mode audit_only) to check for non-compliant systems before using the default recipe.

Audit Mode

Use the default and verify recipes and run audit mode with :enabled. The test validates that the policy is correct:

The libuuid user should have its shell set to /bin/false

The control has a single test that the user's shell is set to /bin/false, as that is the defined policy. We use /bin/false instead of /usr/sbin/nologin because in Ubuntu 15.04 or Debian 8 and newer releases, the user is set to use /bin/false as the shell.

Serverspec

Use Test Kitchen from this cookbook's repository, with kitchen test or kitchen verify, to run the default and verify recipes and then run the tests with Serverspec.

The test verifies that the root user cannot su to the libuuid user: the su command returns exit status 1 when attempting to log in as a user whose shell is set to /bin/false. This is subtly different from the audit mode test, because the particular shell in use is not the important part to test; the inability to log in is what matters. If the shell were set to /usr/sbin/nologin, for example, su would still exit with a status of 1.
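
The difference between the two tests, shown as an added example that is not part of the cookbook: plain Ruby over constructed passwd lines, with a static shell lookup standing in for the real su check. The names check_user, shells_by_user and NON_LOGIN_SHELLS are assumptions of this example.

```ruby
# Added example: plain Ruby, no Chef or Serverspec gems needed.
POLICY_SHELL = '/bin/false' # the policy stated on this page
# Assumption: shells treated as "login disabled" for the static check.
NON_LOGIN_SHELLS = %w[/bin/false /usr/sbin/nologin].freeze

# Parse passwd(5) text into { user name => effective shell }.
def shells_by_user(passwd_text)
  passwd_text.each_line.map(&:chomp).each_with_object({}) do |line, out|
    next if line.empty? || line.start_with?('#')
    fields = line.split(':', -1) # -1 keeps a trailing empty shell field
    next unless fields.length == 7
    # passwd(5): an empty shell field means /bin/sh, i.e. login is possible.
    out[fields[0]] = fields[6].empty? ? '/bin/sh' : fields[6]
  end
end

# Returns nil when the user has no passwd entry.
def check_user(passwd_text, user = 'libuuid')
  shell = shells_by_user(passwd_text)[user]
  return nil if shell.nil?
  {
    shell: shell,
    policy_ok: shell == POLICY_SHELL,               # audit mode style: exact shell
    login_blocked: NON_LOGIN_SHELLS.include?(shell) # Serverspec style: no login
  }
end

# Constructed sample passwd lines (not captured from a real host).
SAMPLES = {
  'empty shell'   => "root:x:0:0:root:/root:/bin/bash\nlibuuid:x:100:101::/var/lib/libuuid:\n",
  'policy shell'  => "libuuid:x:100:101::/var/lib/libuuid:/bin/false\n",
  'nologin shell' => "libuuid:x:100:101::/var/lib/libuuid:/usr/sbin/nologin\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, text|
    puts format('%-14s %s', label, check_user(text).inspect)
  end
end
```

The nologin sample is the case the paragraph above describes: login is blocked, yet the audit mode policy check fails because the shell is not /bin/false.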

Requirements

Chef 12.1.0+

Ubuntu 14.04 or Debian 7.8.

Debian 8+ is not affected. It appears that Ubuntu 15.04 is not affected either.

Other platforms are not supported. Older versions of Ubuntu or Debian may work with or without modification.

License and Author

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

v1.0.1

  • #1 Use /bin/false instead of /usr/sbin/nologin.

v1.0.0

  • Initial release

  • Collaborator Number Metric: 1.0.1 passed this metric
  • Contributing File Metric: 1.0.1 passed this metric
  • Foodcritic Metric: 1.0.1 passed this metric
  • License Metric: 1.0.1 passed this metric
  • No Binaries Metric: 1.0.1 passed this metric
  • Testing File Metric: 1.0.1 passed this metric
  • Version Tag Metric: 1.0.1 passed this metric