Merge pull request #62 from hardening-io/sys_uid_gid

make sys_uid and sys_gid configurable

defaults/main.yml

@@ -12,6 +12,11 @@ os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8'
 os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000
+os_auth_sys_uid_min: 100
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 100
+os_auth_sys_gid_max: 999
+
 os_chfn_restrict: ''
 # may contain: change_user
 os_security_users_allow: []

templates/login.defs.j2

@@ -107,15 +107,15 @@ PASS_WARN_AGE	7
 UID_MIN			 {{os_auth_uid_min}}
 UID_MAX			60000
 # System accounts
-#SYS_UID_MIN		  100
-#SYS_UID_MAX		  999
+SYS_UID_MIN		  {{os_auth_sys_uid_min}}
+SYS_UID_MAX		  {{os_auth_sys_uid_max}}
 
 # Min/max values for automatic gid selection in groupadd
 GID_MIN			 {{os_auth_gid_min}}
 GID_MAX			60000
 # System accounts
-#SYS_GID_MIN		  100
-#SYS_GID_MAX		  999
+SYS_GID_MIN		  {{os_auth_sys_gid_min}}
+SYS_GID_MAX		  {{os_auth_sys_gid_max}}
 
 # Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
 LOGIN_RETRIES		{{os_auth_retries}}