I discovered that a number of our STIG Puppet modules are failing. I am thinking it's because the code is wrong, because when I make a quick change to the actual code being used, then the code actually works as intended.

STIG Puppet Code Repository:
https://fedorahosted.org/aqueduct/browser/trunk/compliance/Puppet/STIG/rhel5/RHEL-5-Unix-Checklist/base/dev/rhel5/puppet/trunk/etc/puppet/modules/stig

Puppet code being executed:

    class gen002640 {
    ## (GEN002640: CAT II) (Previously - G092) The SA will ensure logon capability
    ## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon,
    ## and any default account not normally logged onto) will be disabled by
    ## making the default shell /bin/false, /usr/bin/false, /sbin/false,
    ## /sbin/nologin, or /dev/null, and by locking the password.
        exec { "/bin/bash -c 'for i in `awk -F: '\$3 < 500 && \$1 != \"root\" { print \$1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null \$i; done'":
        }
    }

Error reported:

    Jun 1 12:40:58 rhel-stig-ap puppet-agent[2489]: (/Stage[main]/Gen002640/Exec[/bin/bash -c 'for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null $i; done']/returns) change from notrun to 0 failed: /bin/bash -c 'for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null $i; done' returned 1 instead of one of [0] at /etc/puppet/modules/GEN002640/manifests/init.pp:7

When run as a command-line script, it works fine:

    #!/bin/bash
    set -x
    for i in `awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd`; do
        /usr/sbin/usermod -L -s /dev/null $i
    done

Output seen:

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/dev/null
    daemon:x:2:2:daemon:/sbin:/dev/null
    adm:x:3:4:adm:/var/adm:/dev/null
    lp:x:4:7:lp:/var/spool/lpd:/dev/null
    mail:x:8:12:mail:/var/spool/mail:/dev/null
    uucp:x:10:14:uucp:/var/spool/uucp:/dev/null
    nobody:x:99:99:Nobody:/:/dev/null
    nscd:x:28:28:NSCD Daemon:/:/dev/null
    vcsa:x:69:69:virtual console memory owner:/dev:/dev/null
    dbus:x:81:81:System message bus:/:/dev/null
    avahi:x:70:70:Avahi daemon:/:/dev/null
    mailnull:x:47:47::/var/spool/mqueue:/dev/null
    smmsp:x:51:51::/var/spool/mqueue:/dev/null
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/dev/null
    haldaemon:x:68:68:HAL daemon:/:/dev/null
    gdm:x:42:42::/var/gdm:/dev/null

I tried the following changes to the code, but still no help.

Change #1:

    exec { "/bin/bash -c 'for i in `awk -F: '\$3 < 500 && \$1 != \"root\" { print \$1 }' /etc/passwd`; do /usr/bin/usermod -L -s /dev/null \$i; done'":
    }

Change #1 Error:

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at 'for'; expected '}' at /etc/puppet/modules/GEN002640/manifests/init.pp:8

Change #2:

    exec { "/bin/bash -c 'for i in `awk -F: "\\$3 < 500 && \\$1 != \"root\" { print \\$1 }" /etc/passwd`; do echo /usr/bin/usermod -L -s /dev/null $i; done'":
    }

Change #2 Error:

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at '\'; expected '}' at /etc/puppet/modules/GEN002640/manifests/init.pp:7

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/OvJNpeXZ5QwJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
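The post above fights nested quoting (single quotes inside a single-quoted `bash -c` string, inside a double-quoted Puppet string) to run the GEN002640 remediation. As an added example, not code from the post or from the Aqueduct module, the script below separates the check from the remediation: `noncompliant_accounts` reports default system accounts (UID < 500, not root) whose shell is not one of the five shells the STIG text accepts, and `remediation_commands` prints the matching `usermod` invocations for review instead of executing them. The passwd content is a constructed sample written to a temporary file so the script runs unprivileged and offline; the function names are my own. It uses `/usr/sbin/usermod`, the path the working command-line script in the post uses.

```bash
#!/bin/bash
# Added example (not from the original post): a read-only GEN002640 check
# against a passwd-format file, plus the remediation it would imply.

# Constructed sample in /etc/passwd format. The mix of compliant and
# non-compliant shells is made up for this example.
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/dev/null
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Print the default system accounts (UID < 500, not root) whose login shell
# is not one of the shells GEN002640 accepts as "disabled".
# $1 is the passwd-format file to read, so the check can run on a sample.
noncompliant_accounts() {
    awk -F: '
        $3 < 500 && $1 != "root" &&
        $7 != "/bin/false" && $7 != "/usr/bin/false" && $7 != "/sbin/false" &&
        $7 != "/sbin/nologin" && $7 != "/dev/null" { print $1 }
    ' "$1"
}

# Emit, without running, the remediation the STIG module intends for each
# non-compliant account: lock the password (-L) and set the shell to /dev/null.
# usermod is under /usr/sbin here, matching the working script in the post.
remediation_commands() {
    noncompliant_accounts "$1" | while IFS= read -r account; do
        printf '/usr/sbin/usermod -L -s /dev/null %s\n' "$account"
    done
}

echo "Non-compliant accounts:"
noncompliant_accounts "$SAMPLE_PASSWD"
echo "Remediation that would be applied:"
remediation_commands "$SAMPLE_PASSWD"
```

Shipping a script like this to the node with a Puppet `file` resource and pointing `exec` at that path (with the check as the `onlyif`) sidesteps the multi-level quoting entirely, and also makes the `exec` idempotent, since `usermod` is only invoked while some account still fails the check.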