diff --git a/doc/source/developer-notes/V-38496.rst b/doc/source/developer-notes/V-38496.rst
new file mode 100644
index 00000000..27275b4d
--- /dev/null
+++ b/doc/source/developer-notes/V-38496.rst
@@ -0,0 +1,13 @@
+**Exception**
+
+The Ansible tasks will check for default system accounts (other than root)
+that are not locked. The tasks won't take any action, however, because
+any action could cause authorized users to be unable to access the system.
+However, if any unlocked default system accounts are found, the playbook will
+fail with an error message until the user accounts are locked.
+
+Deployers who intentionally want to skip this step should use
+``--skip-tags V-38496`` to avoid a playbook failure on this check.
+
+Deployers are urged to audit the accounts on their systems and lock any users
+that don't need to log in via consoles or via ssh.
diff --git a/tasks/auth.yml b/tasks/auth.yml
index 465e24ab..33301ea7 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -57,6 +57,33 @@
 - cat3
 - V-38480
+# The awk line here comes from the STIG itself. It does the following:
+# * splits each line of /etc/shadow on colons (:)
+# * ignores any lines that start with root
+# * searches 2nd field (password) for accounts that don't start with ! (that
+# would be a locked account)
+# * returns a list of those accounts other than root which aren't locked
+# This list should be completely empty for a properly secured system.
+- name: Check for default system accounts other than root that aren't locked (for V-38496)
+ shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
+ register: v38496_result
+ changed_when: v38496_result.stdout != '0'
+ tags:
+ - auth
+ - cat2
+ - V-38496
+
+# The playbook will fail here if any default system accounts besides root are
+# not locked.
+- name: V-38496 - Default operating system accounts (other than root) must be locked
+ fail:
+ msg: "FAILED: Lock default system user accounts (other than root)"
+ when: v38496_result.stdout != '0'
+ tags:
+ - auth
+ - cat2
+ - V-38496
+
 # RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
 # /etc/pam.d/common-auth
 - name: V-38497 - The system must not have accounts configured with blank or null passwords.
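Review bot: The check in the first new task fails open: `v38496_result.stdout` is only the count printed by `wc -l`, so if awk cannot read /etc/shadow (for example when the play runs without root privileges) or otherwise exits non-zero, the pipeline still prints `0`, the task's rc is `wc`'s 0, and the V-38496 fail task is skipped without any signal. Running the pipeline under bash with `set -o pipefail` (via `args: executable: /bin/bash`, which both RHEL 6 and Ubuntu provide) turns an awk error into a task failure instead of a silent pass. The awk action also prints `$1 ":" $2`, i.e. the password-hash field, which nothing consumes; printing only `$1` keeps hashes out of task output should anyone later inspect stdout rather than the count. `changed_when: v38496_result.stdout != '0'` marks a read-only check as changed; `changed_when: false` describes it better, since the fail task already reports the finding. The leading comment could also say that `*` is treated as locked alongside `!`, since the regex `^[!*]` matches both.
```yaml
- name: Check for default system accounts other than root that aren't locked (for V-38496)
  shell: "set -o pipefail; awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | wc -l"
  args:
    executable: /bin/bash
  register: v38496_result
  changed_when: false
  # … unchanged: tags …
```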