From d5ee4c331c2f20c38089d29e7cb8bcc701ba9d25 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Fri, 2 Dec 2016 12:34:53 -0600 Subject: [PATCH] Check for groups that don't exist [+Docs] The STIG requires that all GIDs in `/etc/passwd` are present in `/etc/group` and this patch adds a check for that condition. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: If6657bd91b5f77c2a7da534d763d3f4c5dc8e0cf --- doc/metadata/rhel7/RHEL-07-020300.rst | 8 +++++--- tasks/rhel7stig/auth.yml | 16 ++++++++++++++-- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/doc/metadata/rhel7/RHEL-07-020300.rst b/doc/metadata/rhel7/RHEL-07-020300.rst index df9b03b0..343c7199 100644 --- a/doc/metadata/rhel7/RHEL-07-020300.rst +++ b/doc/metadata/rhel7/RHEL-07-020300.rst @@ -1,7 +1,9 @@ --- id: RHEL-07-020300 -status: not implemented -tag: misc +status: implemented +tag: auth --- -This STIG requirement is not yet implemented. +If any users are found with invalid GIDs, those users are printed in the +Ansible output. Deployers should review the list and ensure all users are +assigned to a valid group that is defined in ``/etc/group``. diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index 4808db02..ee221ef5 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -14,8 +14,7 @@ # limitations under the License. - name: Get a list of users on the system to use throughout the auth tasks - get_users: - min_uid: 1000 + action: get_users register: user_list check_mode: no tags: 
@@ -305,6 +304,19 @@ - RHEL-07-020310 - skip_ansible_lint +- name: Check for groups in /etc/passwd that are not in /etc/group + debug: + msg: > + The following users have GIDs in /etc/passwd that do not exist in /etc/group: + {{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }} + when: + - user_list is defined + - user_list.users | selectattr('group', 'equalto', False) | list | length > 0 + tags: + - auth + - low + - RHEL-07-020300 + - name: RHEL-07-020310 - The root account must be the only account having unrestricted access to the system fail: msg: |
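Review bot: in the `doc/metadata/rhel7/RHEL-07-020300.rst` hunk, the new text says offending users "are printed in the Ansible output" but does not say that the check is informational only; since the implementing task uses `debug` rather than `fail`, consider adding a sentence such as "This task does not fail the playbook; it only reports the affected users." so deployers know a finding will not stop a run.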
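Review bot: in the `tasks/rhel7stig/auth.yml` `@@ -14,8 +14,7 @@` hunk, dropping `min_uid: 1000` changes the contents of `user_list` for every task in the file, not just the new RHEL-07-020300 check, because this task is the one described as "to use throughout the auth tasks"; the commit message only mentions the new check. Either keep `min_uid: 1000` here and register a second, unfiltered result for the GID check, or state in the commit message that system accounts (UID below 1000) are now included in all downstream auth checks and confirm each of those checks is still correct with that wider list.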
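Review bot: in the `@@ -305,6 +304,19 @@` hunk, the filter chain `user_list.users | selectattr('group', 'equalto', False)` is written twice (once in `msg`, once in `when`), so the two can drift apart; compute it once, for example in a task-level `vars:` entry such as `users_without_group: "{{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | list }}"`, and reference that in both places. The check also relies on `get_users` setting `group` to exactly `False` for a GID with no `/etc/group` entry; if the module instead omits the key or returns `None`/an empty string, `equalto False` never matches and the task silently reports nothing, so a short comment documenting that contract (or a test with a known orphaned GID) would help.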