From 9058a3f084961a52408dd1576dd386db8ff4d0d0 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 24 Mar 2016 10:09:49 -0500
Subject: [PATCH] Improved search for unlocked system accounts
This patch adds a better check for system accounts that aren't unlocked. The new logic meets the requirement of V-38496 from the STIG better than the previous version. Only unlocked accounts with UID < 500 will trigger the failure/violation.
Closes-Bug: 1550442
Change-Id: I18ccbd8e1cd7c311521d0ffdfcf6f46dbc4e395d
---
tasks/auth.yml | 42 ++++++++++++++++++++++++++++--------------
1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/tasks/auth.yml b/tasks/auth.yml
index a77bb7cf..ec921d5a 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -57,19 +57,33 @@
 - cat3
 - V-38480
 
-# The awk line here comes from the STIG itself. It does the following:
-# * splits each line of /etc/shadow on colons (:)
-# * ignores any lines that start with root
-# * searches 2nd field (password) for accounts that don't start with ! (that
-# would be a locked account)
-# * returns a list of those accounts other than root which aren't locked
-# This list should be completely empty for a properly secured system.
-- name: Check for default system accounts other than root that aren't locked (for V-38496)
- shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
- register: v38496_result
- changed_when: v38496_result.stdout != '0'
- failed_when: False
+- name: V-38496 - Get all system accounts
+ shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
+ register: v38496_system_users
+ always_run: True
+ tags:
+ - auth
+ - cat2
+ - V-38496
+
+- name: V-38496 - Loop through system accounts to find unlocked accounts
+ shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
+ register: v38496_unlocked_system_users
 always_run: True
+ with_items: v38496_system_users.stdout_lines
+ tags:
+ - auth
+ - cat2
+ - V-38496
+
+- name: V-38496 - Gather problematic system accounts
+ set_fact:
+ v38496_violations: |
+ {% for i in v38496_unlocked_system_users.results %}
+ {% if i.stdout|length > 0 %}
+ {{ i.stdout }}
+ {% endif %}
+ {% endfor %}
 tags:
 - auth
 - cat2
@@ -79,8 +93,8 @@
 # not locked.
 - name: V-38496 - Default operating system accounts (other than root) must be locked
 fail:
- msg: "FAILED: Lock default system user accounts (other than root)"
- when: v38496_result.stdout != '0'
+ msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
+ when: v38496_violations|length > 0
 tags:
 - auth
 - cat2
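Review bot: The UID cut-off in the first new task, `$3 < 500`, is hard-coded, so on a distribution whose /etc/login.defs sets UID_MIN to 1000 every system account with a UID from 500 to 999 is skipped and V-38496 passes silently; the threshold should come from a role variable or be read from UID_MIN, not assumed. The second task interpolates each account name into an awk regex (`$1 ~ /^{{ item }}$/`), so a name with regex metacharacters matches loosely or makes awk abort (an NIS `+` compat line in /etc/passwd gets through the first awk because its UID field is empty and compares as a string), where the exact test `$1 == "{{ item }}"` was meant; both shell tasks also dropped the old `changed_when`, so a read-only check now reports a change on every run. Joining passwd and shadow in a single awk invocation removes the per-account shell spawn, the regex interpolation and the set_fact template in one go, and lets the fail task (in the next hunk) use `v38496_unlocked_system_users.stdout_lines` directly; the hunk opens inside the preceding task's `tags` list and closes inside the set_fact task's, so those lines are cut at both edges.
```yaml
- name: V-38496 - Find unlocked system accounts other than root
  shell: >-
    awk -F: 'NR == FNR { if ($1 != "root" && $3 ~ /^[0-9]+$/ && $3 < {{ v38496_system_uid_max | default(500) }}) sys[$1]; next }
             ($1 in sys) && $2 !~ /^[!*]/ { print $1 }' /etc/passwd /etc/shadow
  register: v38496_unlocked_system_users
  changed_when: False
  always_run: True
  tags:
    - auth
    - cat2
    - V-38496
# … the per-account loop task and the set_fact task are no longer needed …
```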
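Review bot: `when: v38496_violations|length > 0` counts every character of the rendered block scalar, so whether an empty result really has length 0 depends on how the templating engine trims the newlines around the `{% %}` tags rather than on whether any account was found; `when: v38496_violations|trim|length > 0`, matching the `|trim` already applied in `msg`, makes the condition depend only on collected names. The new message also drops the remediation the old text carried; keep the list but say what to do, e.g. `msg: "FAILED: Lock these system accounts (other than root): {{ v38496_violations|trim|replace('\n',', ') }}"`. The fail task's `tags` list continues past the end of this hunk.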