V-38683: Check for non-unique usernames

Implements: blueprint security-hardening Change-Id: I6f76bbcf44c8d464ea814572eef6c1608372ff89
2015-10-13 08:27:50 -05:00 · 2015-10-13 08:27:50 -05:00 · 711537051b
commit 711537051b
parent d0f4a70d9c
2 changed files with 30 additions and 0 deletions
--- a/doc/source/developer-notes/V-38683.rst
+++ b/doc/source/developer-notes/V-38683.rst
@ -0,0 +1,12 @@
+The Ansible task will use the ``pwck`` command to search for non-unique
+usernames on the system. If any matching usernames are found, an error
+will be printed and the playbook will fail.
+
+**NOTE:** The ``pwck`` command will find other abnormalities on the system,
+including users that exist in ``/etc/passwd`` but not in ``/etc/shadow``, and
+vice versa. If the playbook fails on this task, try to run this command
+on the system as root to find out what caused the failure:
+
+.. code-block:: bash
+
+    pwck -rq
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -311,3 +311,21 @@
    - auth
    - cat3
    - V-38692
+
+- name: Checking for accounts with non-unique usernames (for V-38683)
+  shell: pwck -rq | wc -l
+  register: v38683_result
+  changed_when: False
+  tags:
+    - auth
+    - cat3
+    - V-38683
+
+- name: V-38683 - All accounts on the system must have unique user/account names
+  fail:
+    msg: "FAILED: Found accounts without unique usernames"
+  when: v38683_result.stdout != '0'
+  tags:
+    - auth
+    - cat3
+    - V-38683