Improved search for unlocked system accounts

This patch adds a better check for system accounts that aren't unlocked. The new logic meets the requirement of V-38496 from the STIG better than the previous version. Only unlocked accounts with UID < 500 will trigger the failure/violation. Closes-Bug: 1550442 Change-Id: I18ccbd8e1cd7c311521d0ffdfcf6f46dbc4e395d
2016-03-24 10:09:49 -05:00 · 2016-03-24 10:09:49 -05:00 · 9058a3f084
commit 9058a3f084
parent 96079d2280
1 changed files with 28 additions and 14 deletions
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -57,30 +57,44 @@
    - cat3
    - V-38480

-# The awk line here comes from the STIG itself. It does the following:
-#  * splits each line of /etc/shadow on colons (:)
-#  * ignores any lines that start with root
-#  * searches 2nd field (password) for accounts that don't start with ! (that
-#    would be a locked account)
-#  * returns a list of those accounts other than root which aren't locked
-# This list should be completely empty for a properly secured system.
- name: Check for default system accounts other than root that aren't locked (for V-38496)
-  shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
-  register: v38496_result
-  changed_when: v38496_result.stdout != '0'
-  failed_when: False
+- name: V-38496 - Get all system accounts
+  shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
+  register: v38496_system_users
  always_run: True
  tags:
    - auth
    - cat2
    - V-38496

+- name: V-38496 - Loop through system accounts to find unlocked accounts
+  shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
+  register: v38496_unlocked_system_users
+  always_run: True
+  with_items: v38496_system_users.stdout_lines
+  tags:
+    - auth
+    - cat2
+    - V-38496
+
+- name: V-38496 - Gather problematic system accounts
+  set_fact:
+    v38496_violations: |
+      {% for i in v38496_unlocked_system_users.results %}
+      {% if i.stdout|length > 0 %}
+      {{ i.stdout }}
+      {% endif %}
+      {% endfor %}
+  tags:
+    - auth
+    - cat2
+    - V-38496
+
 # The playbook will fail here if any default system accounts besides root are
 # not locked.
 - name: V-38496 - Default operating system accounts (other than root) must be locked
  fail:
-    msg: "FAILED: Lock default system user accounts (other than root)"
-  when: v38496_result.stdout != '0'
+    msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
+  when: v38496_violations|length > 0
  tags:
    - auth
    - cat2