utilities/parameterised_accounts: adds an account with a strong password by default

vulnerabilities/crackable_user_account: adds an account with a weak password by default

modules/generators/content/name_based_username/secgen_local/local.rb

@@ -13,7 +13,7 @@ class NameBasedUsernameGenerator < StringEncoder
 
   # Generate a username based on a random adjective and a random noun
   def encode_all
-    self.outputs << Faker::Internet.user_name(self.name, %w(nil _))
+    self.outputs << Faker::Internet.user_name(self.name, ['_',''])
   end
 
   def get_options_array

modules/utilities/unix/system/parameterised_accounts/secgen_metadata.xml

@@ -7,8 +7,8 @@
   <author>Thomas Shaw</author>
   <author>Puppet Labs</author>
   <module_license>Apache v2</module_license>
-  <description>Parameterised user account creation and modification. Adds an account with a random strength randomly
-    generated password by default.
+  <description>Parameterised user account creation and modification. Adds an account with a strong randomly generated password
+    by default.
   </description>
 
   <type>system</type>
@@ -21,13 +21,14 @@
 
   <default_input into="accounts">
     <generator type="account">
-      <input into="password">
-        <generator type="weak_password_generator"/>
+      <input into="username">
+        <generator module_path=".*random_username.*"/>
       </input>
-    </generator>
-    <generator type="account">
       <input into="password">
-        <generator type="password_generator"/>
+        <generator type="strong_password_generator"/>
+      </input>
+      <input into="super_user">
+        <value>false</value>
       </input>
     </generator>
   </default_input>

modules/vulnerabilities/unix/system/crackable_user_account/crackable_user_account.pp

@@ -0,0 +1 @@
+require crackable_user_account::init

modules/vulnerabilities/unix/system/crackable_user_account/manifests/init.pp

@@ -0,0 +1,15 @@
+class crackable_user_account::init {
+  $json_inputs = base64('decode', $::base64_inputs)
+  $secgen_parameters = parsejson($json_inputs)
+
+  $account = parsejson($secgen_parameters['accounts'][0])
+  $username = $account['username']
+
+  ::parameterised_accounts::account { "crackable_user_account_$username":
+    username        => $username,
+    password        => $account['password'],
+    super_user      => str2bool($account['super_user']),
+    strings_to_leak => $secgen_parameters['strings_to_leak'],
+    leaked_filenames => $account['leaked_filenames']
+  }
+}

modules/vulnerabilities/unix/system/crackable_user_account/secgen_metadata.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Crackable User Account</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>Unprivileged user account with a weak password.</description>
+
+  <type>system</type>
+  <privilege>user_rwx</privilege>
+  <access>local</access>
+  <platform>linux</platform>
+
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>accounts</read_fact>
+
+  <default_input into="strings_to_leak">
+    <generator type="flag_generator"/>
+  </default_input>
+
+  <default_input into="accounts">
+    <generator type="account">
+      <input into="username">
+        <generator module_path=".*random_username.*"/>
+      </input>
+      <input into="password">
+        <generator type=".*weak_password.*"/>
+      </input>
+      <input into="super_user">
+        <value>false</value>
+      </input>
+    </generator>
+  </default_input>
+
+  <!--optional details-->
+  <reference>https://forge.puppet.com/puppetlabs/accounts</reference>
+
+  <requires>
+    <module_path>utilities/unix/system/parameterised_accounts</module_path>
+  </requires>
+
+  <requires>
+    <privilege>root_r</privilege>
+  </requires>
+
+</vulnerability>