From 31d0e5d86d061d04241c6969b85ff20027c9e4cc Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 13 Oct 2015 08:35:27 -0500
Subject: [PATCH] V-38681: GID's in /etc/passwd & /etc/group

Implements: blueprint security-hardening
Change-Id: I4fb3cf7d6ef2f09b3eee8601263474f749209551
---
 doc/source/developer-notes/V-38681.rst | 11 +++++++++++
 tasks/auth.yml | 19 +++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38681.rst

diff --git a/doc/source/developer-notes/V-38681.rst b/doc/source/developer-notes/V-38681.rst
new file mode 100644
index 00000000..dabfed00
--- /dev/null
+++ b/doc/source/developer-notes/V-38681.rst
@@ -0,0 +1,11 @@
+The Ansible tasks will run ``pwck`` to find any groups that are defined in
+``/etc/passwd`` but not in ``/etc/group``. This could be a sign of an
+accidental misconfiguration or a more serious security problem. If the command
+returns output about missing groups, the playbook will fail.
+
+To see the exact problems on the system when the playbook fails, run this
+command as root:
+
+.. code-block:: bash
+
+ pwck -r | grep 'no group'
diff --git a/tasks/auth.yml b/tasks/auth.yml
index e38d19ad..1beb8127 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -251,3 +251,22 @@
 - auth
 - cat2
 - V-38599
+
+- name: V-38681 - Check for missing GID's in /etc/group
+ shell: "pwck -r | grep 'no group'"
+ register: v38681_result
+ changed_when: False
+ failed_when: v38681_result.rc > 1
+ tags:
+ - auth
+ - cat3
+ - V-38681
+
+- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
+ fail:
+ msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
+ when: v38681_result.rc != 1
+ tags:
+ - auth
+ - cat3
+ - V-38681
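Review bot: The compliance check in the first new task of the tasks/auth.yml hunk can pass silently when pwck itself fails, because `shell: "pwck -r | grep 'no group'"` yields only grep's exit status — a pwck that cannot open /etc/passwd prints nothing, grep exits 1, and `when: v38681_result.rc != 1` in the second task then treats the host as compliant. The grep is also pinned to an English message; on a host running under a non-C locale pwck's output is likely translated (shadow-utils uses gettext), and the match misses the same way, so the command should at least be prefixed with `LC_ALL=C`. A more robust shape, sketched below, runs `pwck -r` on its own, uses pwck's own exit status as the only pass/fail signal, and searches the captured output for `no group` in the fail task — confirm the exit values on the target distribution (pwck(8) documents 0 = clean, 2 = bad entries found, anything else = pwck could not run, as I recall it). `changed_when: False` should be the lowercase `false` that Ansible/YAML convention calls for. The hunk opens inside the tag list of the preceding V-38599 task; only the two new tasks are complete within it.
```yaml
- name: V-38681 - Check for missing GID's in /etc/group
  shell: "LC_ALL=C pwck -r"
  register: v38681_result
  changed_when: false
  # pwck exits 0 when clean and 2 when it found bad entries; any other
  # status means pwck itself could not run and must not count as a pass.
  failed_when: v38681_result.rc not in [0, 2]
  # … unchanged: tags …

- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
  fail:
    msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
  # pwck may report on either stream depending on version; check both.
  when: "'no group' in (v38681_result.stdout ~ v38681_result.stderr)"
  # … unchanged: tags …
```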