Users, groups and processes
These plugins run on the remote target through SSH.
Groups
- id: create_group
use: identity.group.create
with:
name: myapp
system: true
sudo: true
- id: remove_group
use: identity.group.remove
with:
name: oldgroup
sudo: true
Users
- id: create_user
use: identity.user.create
with:
name: myapp
group: myapp
home: /var/lib/myapp
shell: /usr/sbin/nologin
system: true
sudo: true
- id: modify_user
use: identity.user.modify
with:
name: myapp
shell: /bin/bash
sudo: true
- id: remove_user
use: identity.user.remove
with:
name: olduser
remove_home: true
sudo: true
Processes
- id: wait_for_worker
use: system.process.wait
with:
pattern: "myapp-worker"
state: present
timeout: 60
interval: 2
- id: stop_old_worker
use: system.process.kill
with:
pattern: "old-worker"
signal: TERM
sudo: true
system.process.signal sends a runtime signal by PID or pattern and renders the exact manual command for recovery.
system.process.check is a read-only pgrep assertion used as a pre/post check.
system.process.count.check gates process cardinality with exact, minimum or maximum count checks.
security.sshd.config installs server-side SSH hardening drop-ins and validates them with sshd -t before reload.
os.login.defs.set manages account-aging defaults in /etc/login.defs with backup.
security.password.policy installs pwquality drop-ins for password complexity policy.
security.authselect.profile selects RHEL-style authentication profiles with explicit backup by default.
Account assertions and access changes
identity.user.check and identity.group.check are read-only assertions for account prerequisites. identity.user.lock, identity.user.unlock and identity.user.password.set are explicit account state changes and should be reviewed separately from user creation/removal.