From 711537051b7220cafc388dfc717977c1bcc252b3 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 13 Oct 2015 08:27:50 -0500
Subject: [PATCH] V-38683: Check for non-unique usernames

Implements: blueprint security-hardening
Change-Id: I6f76bbcf44c8d464ea814572eef6c1608372ff89
---
 doc/source/developer-notes/V-38683.rst | 12 ++++++++++++
 tasks/auth.yml | 18 ++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38683.rst

diff --git a/doc/source/developer-notes/V-38683.rst b/doc/source/developer-notes/V-38683.rst
new file mode 100644
index 00000000..5818a09b
--- /dev/null
+++ b/doc/source/developer-notes/V-38683.rst
@@ -0,0 +1,12 @@
+The Ansible task will use the ``pwck`` command to search for non-unique
+usernames on the system. If any matching usernames are found, an error
+will be printed and the playbook will fail.
+
+**NOTE:** The ``pwck`` command will find other abnormalities on the system,
+including users that exist in ``/etc/passwd`` but not in ``/etc/shadow``, and
+vice versa. If the playbook fails on this task, try to run this command
+on the system as root to find out what caused the failure:
+
+.. code-block:: bash
+
+ pwck -rq
diff --git a/tasks/auth.yml b/tasks/auth.yml
index a1999af7..e5a44585 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -311,3 +311,21 @@
 - auth
 - cat3
 - V-38692
+
+- name: Checking for accounts with non-unique usernames (for V-38683)
+ shell: pwck -rq | wc -l
+ register: v38683_result
+ changed_when: False
+ tags:
+ - auth
+ - cat3
+ - V-38683
+
+- name: V-38683 - All accounts on the system must have unique user/account names
+ fail:
+ msg: "FAILED: Found accounts without unique usernames"
+ when: v38683_result.stdout != '0'
+ tags:
+ - auth
+ - cat3
+ - V-38683
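Review bot: The pipeline in the new register task, `shell: pwck -rq | wc -l`, only surfaces the exit status of `wc`, so if `pwck` is missing or cannot open the account files the error goes to stderr, stdout is `0`, and the following fail task reports the host as compliant. Dropping the pipe lets the result carry pwck's actual findings: `shell: pwck -rq` plus `failed_when: false` on the register task (pwck exits non-zero when it reports a bad entry, which would otherwise fail the wrong task), and `when: v38683_result.stdout != ''` on the fail task; the fail `msg` can then interpolate `v38683_result.stdout` so the operator sees the offending entry instead of rerunning pwck by hand as the developer note suggests. Since pwck also flags passwd/shadow mismatches, the message `FAILED: Found accounts without unique usernames` overstates what was detected; `FAILED: pwck reported inconsistent account entries` matches the check as written. `changed_when: False` should be lowercase `false` per the yamllint truthy rule, assuming the rest of the file (not visible in this hunk) follows that convention.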