V-38496: Lock system accounts other than root

Change-Id: Ie73de29bd0576058120f89bc3ef02cc112905076
Major Hayden 2015-10-07 08:55:52 -05:00
parent 241f6cd074
commit 31779fff93
2 changed files with 40 additions and 0 deletions

View File

@ -0,0 +1,13 @@
**Exception**
The Ansible tasks will check for default system accounts (other than root)
that are not locked. The tasks won't take any action, however, because
any action could cause authorized users to be unable to access the system.
However, if any unlocked default system accounts are found, the playbook will
fail with an error message until the user accounts are locked.
Deployers who intentionally want to skip this step should use
``--skip-tags V-38496`` to avoid a playbook failure on this check.
Deployers are urged to audit the accounts on their systems and lock any users
that don't need to log in via consoles or via ssh.
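Review bot: the exception text tells deployers to lock accounts but never says how, and two consecutive sentences both open with "however". In the sentence ending "until the user accounts are locked", name the mechanism (for example `usermod -L <account>` or `passwd -l <account>`, both of which prefix the hash in /etc/shadow with `!`, which is the marker the task's awk filter keys on) and drop one of the two "however"s. It would also help to state that the task reports only a count, so a deployer who hits the failure must run the awk command from the task by hand to see which accounts are flagged.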

View File

@ -57,6 +57,33 @@
- cat3
- V-38480
# The awk line here comes from the STIG itself. It does the following:
# * splits each line of /etc/shadow on colons (:)
# * ignores any lines that start with root
# * searches 2nd field (password) for accounts that don't start with ! (that
# would be a locked account)
# * returns a list of those accounts other than root which aren't locked
# This list should be completely empty for a properly secured system.
- name: Check for default system accounts other than root that aren't locked (for V-38496)
shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
register: v38496_result
changed_when: v38496_result.stdout != '0'
tags:
- auth
- cat2
- V-38496
# The playbook will fail here if any default system accounts besides root are
# not locked.
- name: V-38496 - Default operating system accounts (other than root) must be locked
fail:
msg: "FAILED: Lock default system user accounts (other than root)"
when: v38496_result.stdout != '0'
tags:
- auth
- cat2
- V-38496
# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
# /etc/pam.d/common-auth
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
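Review bot: the filter in the check task, `$1 !~ /^root$/ && $2 !~ /^[!*]/`, matches every non-root account whose password field is a hash, not only the default system accounts named in the task title, so any host with ordinary interactive users will fail this check on every run; either narrow the check to the system UID range (joining against /etc/passwd) or say plainly in the comment and the docs that every non-root account must be locked. Three smaller points in the same hunk: the comment says a locked account is one whose password field "starts with !", but the regex also treats `*` as locked, so update the comment to match the code (the code is right, both markers are conventional). The pipe to `wc -l` discards the account names, leaving the fail message unable to say which accounts to lock; register the awk output itself (drop `| wc -l`), use `when: v38496_result.stdout != ''`, and include `{{ v38496_result.stdout_lines }}` in `msg`. And `changed_when: v38496_result.stdout != '0'` reports a read-only check as changed; `changed_when: False` is the usual idiom for a pure check task, with the failure expressed only by the following `fail` task.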