Check for other UID 0 accounts

This patch checks for accounts with UID 0 that aren't root.

Implements: blueprint security-rhel7-stig
Change-Id: I983b4ba3fcd311af72bc7165bd90862cb77de1f8

doc/metadata/rhel7/RHEL-07-020310.rst

@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-020310
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+If an account with UID 0 other than ``root`` exists on the system, the playbook
+will fail with an error message that includes the other accounts which have a
+UID of 0.
+
+Deployers are strongly urged to keep only one account with UID 0, ``root``, and
+to use ``sudo`` any situations where root access is required.

tasks/rhel7stig/auth.yml

@@ -47,3 +47,26 @@
     - auth
     - high
     - RHEL-07-010260
+
+- name: Get all accounts with UID 0
+  shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
+  changed_when: False
+  check_mode: no
+  register: root_user_check
+  tags:
+    - auth
+    - high
+    - RHEL-07-020310
+    - skip_ansible_lint
+
+- name: RHEL-07-020310 - The root account must be the only account having unrestricted access to the system
+  fail:
+    msg: |
+      Only the 'root' user should have UID 0. Other users were found:
+      {{ root_user_check.stdout_lines | join(', ') }}"
+  when:
+    - root_user_check.stdout != 'root'
+  tags:
+    - auth
+    - high
+    - RHEL-07-020310