V-38681: GID's in /etc/passwd & /etc/group

Implements: blueprint security-hardening Change-Id: I4fb3cf7d6ef2f09b3eee8601263474f749209551
2015-10-13 08:35:27 -05:00 · 2015-10-13 08:35:27 -05:00 · 31d0e5d86d
commit 31d0e5d86d
parent 2b008d9905
2 changed files with 30 additions and 0 deletions
--- a/doc/source/developer-notes/V-38681.rst
+++ b/doc/source/developer-notes/V-38681.rst
@ -0,0 +1,11 @@
+The Ansible tasks will run ``pwck`` to find any groups that are defined in
+``/etc/passwd`` but not in ``/etc/group``. This could be a sign of an
+accidental misconfiguration or a more serious security problem. If the command
+returns output about missing groups, the playbook will fail.
+
+To see the exact problems on the system when the playbook fails, run this
+command as root:
+
+.. code-block:: bash
+
+    pwck -r | grep 'no group'
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -251,3 +251,22 @@
   - auth
   - cat2
   - V-38599
+
+- name: V-38681 - Check for missing GID's in /etc/group
+  shell: "pwck -r | grep 'no group'"
+  register: v38681_result
+  changed_when: False
+  failed_when: v38681_result.rc > 1
+  tags:
+    - auth
+    - cat3
+    - V-38681
+
+- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
+  fail:
+    msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
+  when: v38681_result.rc != 1
+  tags:
+    - auth
+    - cat3
+    - V-38681