Improved search for unlocked system accounts
This patch adds a better check for system accounts that aren't unlocked. The new logic meets the requirement of V-38496 from the STIG better than the previous version. Only unlocked accounts with UID < 500 will trigger the failure/violation. Closes-Bug: 1550442 Change-Id: I18ccbd8e1cd7c311521d0ffdfcf6f46dbc4e395d
This commit is contained in:
Major Hayden
parent
96079d2280
commit
9058a3f084
|
|
@ -57,30 +57,44 @@
|
|||
- cat3
|
||||
- V-38480
|
||||
|
||||
# The awk line here comes from the STIG itself. It does the following:
|
||||
# * splits each line of /etc/shadow on colons (:)
|
||||
# * ignores any lines that start with root
|
||||
# * searches 2nd field (password) for accounts that don't start with ! (that
|
||||
# would be a locked account)
|
||||
# * returns a list of those accounts other than root which aren't locked
|
||||
# This list should be completely empty for a properly secured system.
|
||||
- name: Check for default system accounts other than root that aren't locked (for V-38496)
|
||||
shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
|
||||
register: v38496_result
|
||||
changed_when: v38496_result.stdout != '0'
|
||||
failed_when: False
|
||||
- name: V-38496 - Get all system accounts
|
||||
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
|
||||
register: v38496_system_users
|
||||
always_run: True
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
- V-38496
|
||||
|
||||
- name: V-38496 - Loop through system accounts to find unlocked accounts
|
||||
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
|
||||
register: v38496_unlocked_system_users
|
||||
always_run: True
|
||||
with_items: v38496_system_users.stdout_lines
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
- V-38496
|
||||
|
||||
- name: V-38496 - Gather problematic system accounts
|
||||
set_fact:
|
||||
v38496_violations: |
|
||||
{% for i in v38496_unlocked_system_users.results %}
|
||||
{% if i.stdout|length > 0 %}
|
||||
{{ i.stdout }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
- V-38496
|
||||
|
||||
# The playbook will fail here if any default system accounts besides root are
|
||||
# not locked.
|
||||
- name: V-38496 - Default operating system accounts (other than root) must be locked
|
||||
fail:
|
||||
msg: "FAILED: Lock default system user accounts (other than root)"
|
||||
when: v38496_result.stdout != '0'
|
||||
msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
|
||||
when: v38496_violations|length > 0
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
|
|
|
|||
Loading…
Reference in New Issue