Check for groups that don't exist [+Docs]

The STIG requires that all GIDs in `/etc/passwd` are present in
`/etc/group` and this patch adds a check for that condition.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6657bd91b5f77c2a7da534d763d3f4c5dc8e0cf

doc/metadata/rhel7/RHEL-07-020300.rst

@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-020300
-status: not implemented
+status: implemented
-tag: misc
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+If any users are found with invalid GIDs, those users are printed in the
+Ansible output. Deployers should review the list and ensure all users are
+assigned to a valid group that is defined in ``/etc/group``.

tasks/rhel7stig/auth.yml

@@ -14,8 +14,7 @@
 # limitations under the License.
 
 - name: Get a list of users on the system to use throughout the auth tasks
-  get_users:
+  action: get_users
-    min_uid: 1000
   register: user_list
   check_mode: no
   tags:
@@ -305,6 +304,19 @@
     - RHEL-07-020310
     - skip_ansible_lint
 
+- name: Check for groups in /etc/passwd that are not in /etc/group
+  debug:
+    msg: >
+      The following users have GIDs in /etc/passwd that do not exist in /etc/group:
+      {{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
+  when:
+    - user_list is defined
+    - user_list.users | selectattr('group', 'equalto', False) | list | length > 0
+  tags:
+    - auth
+    - low
+    - RHEL-07-020300
+
 - name: RHEL-07-020310 - The root account must be the only account having unrestricted access to the system
   fail:
     msg: |