diff --git a/tasks/auth.yml b/tasks/auth.yml
index a77bb7cf..ec921d5a 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -57,19 +57,33 @@
 - cat3
 - V-38480
 
-# The awk line here comes from the STIG itself. It does the following:
-# * splits each line of /etc/shadow on colons (:)
-# * ignores any lines that start with root
-# * searches 2nd field (password) for accounts that don't start with ! (that
-# would be a locked account)
-# * returns a list of those accounts other than root which aren't locked
-# This list should be completely empty for a properly secured system.
-- name: Check for default system accounts other than root that aren't locked (for V-38496)
- shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
- register: v38496_result
- changed_when: v38496_result.stdout != '0'
- failed_when: False
+- name: V-38496 - Get all system accounts
+ shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
+ register: v38496_system_users
+ always_run: True
+ tags:
+ - auth
+ - cat2
+ - V-38496
+
+- name: V-38496 - Loop through system accounts to find unlocked accounts
+ shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
+ register: v38496_unlocked_system_users
 always_run: True
+ with_items: v38496_system_users.stdout_lines
+ tags:
+ - auth
+ - cat2
+ - V-38496
+
+ - name: V-38496 - Gather problematic system accounts
+ set_fact:
+ v38496_violations: |
+ {% for i in v38496_unlocked_system_users.results %}
+ {% if i.stdout|length > 0 %}
+ {{ i.stdout }}
+ {% endif %}
+ {% endfor %}
 tags:
 - auth
 - cat2
@@ -79,8 +93,8 @@
 # not locked.
 - name: V-38496 - Default operating system accounts (other than root) must be locked
 fail:
- msg: "FAILED: Lock default system user accounts (other than root)"
- when: v38496_result.stdout != '0'
+ msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
+ when: v38496_violations|length > 0
 tags:
 - auth
 - cat2
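Review bot: In the second new task the looped username is interpolated unquoted into the shell string and used as an awk regex (`/^{{ item }}$/`), so a name containing regex metacharacters or a single quote in /etc/passwd changes the match or breaks the command; pass it as an awk variable with an exact comparison instead, `shell: "awk -F: -v u={{ item | quote }} '$1 == u && $2 !~ /^[!*]/ {print $1}' /etc/shadow"`. The two new shell tasks only read files but carry no `changed_when: False`, so every run reports them as changed, and the `failed_when: False` of the removed task is gone — if awk cannot read /etc/shadow the play now aborts rather than reporting, which may or may not be intended. The hard-coded `$3 < 500` presumably matches the RHEL 6 STIG this file targets; on systems whose login.defs uses a different SYS_UID_MAX it would silently miss accounts, so a comment stating the origin of the cut-off, `# UID < 500 is the RHEL 6 system-account range per the STIG`, would help the next maintainer.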
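Review bot: `when: v38496_violations|length > 0` tests the raw fact, which is a `|` block scalar rendered from Jinja control tags and so can be newline- or whitespace-only on a clean host, making the fail task fire with an empty account list; test the trimmed value, `when: v38496_violations|trim|length > 0`, matching the `|trim` the message on the line above already applies. Whether Ansible's trim_blocks handling collapses the empty loop to an empty string cannot be confirmed from this hunk, so the trim is cheap insurance either way. The task's tags list continues past the end of the hunk.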