From 300c9f8c1b8dbbd53f728711eb82ba1d7096333d Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 14 Nov 2016 20:12:35 -0600
Subject: [PATCH] Check for other UID 0 accounts

This patch checks for accounts with UID 0 that aren't root.

Implements: blueprint security-rhel7-stig
Change-Id: I983b4ba3fcd311af72bc7165bd90862cb77de1f8
---
 doc/metadata/rhel7/RHEL-07-020310.rst | 11 ++++++++---
 tasks/rhel7stig/auth.yml              | 23 +++++++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/doc/metadata/rhel7/RHEL-07-020310.rst b/doc/metadata/rhel7/RHEL-07-020310.rst
index ccdfbcc1..ea150403 100644
--- a/doc/metadata/rhel7/RHEL-07-020310.rst
+++ b/doc/metadata/rhel7/RHEL-07-020310.rst
@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-020310
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+If an account with UID 0 other than ``root`` exists on the system, the playbook
+will fail with an error message that includes the other accounts which have a
+UID of 0.
+
+Deployers are strongly urged to keep only one account with UID 0, ``root``, and
+to use ``sudo`` any situations where root access is required.
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 4b7293a1..beb9b2f2 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -47,3 +47,26 @@
     - auth
     - high
     - RHEL-07-010260
+
+- name: Get all accounts with UID 0
+  shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
+  changed_when: False
+  check_mode: no
+  register: root_user_check
+  tags:
+    - auth
+    - high
+    - RHEL-07-020310
+    - skip_ansible_lint
+
+- name: RHEL-07-020310 - The root account must be the only account having unrestricted access to the system
+  fail:
+    msg: |
+      Only the 'root' user should have UID 0. Other users were found:
+      {{ root_user_check.stdout_lines | join(', ') }}"
+  when:
+    - root_user_check.stdout != 'root'
+  tags:
+    - auth
+    - high
+    - RHEL-07-020310
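Review bot: The `msg` block scalar in the new fail task ends with a stray `"` after `}}` — inside a `|` literal block it has no opening partner, so the quote is printed verbatim to the operator; drop it. The text says "Other users were found" but the interpolation lists every `stdout_lines` entry, `root` included; `{{ root_user_check.stdout_lines | difference(['root']) | join(', ') }}` names only the offending accounts, and the same expression with `| length > 0` as the `when` condition makes the check independent of the order in which `awk` emits the lines (today a system where `root` is not the first UID 0 entry fails with a misleading listing, and an empty result also trips the check). Parsing `/etc/passwd` directly also misses UID 0 accounts served by other NSS sources such as LDAP or SSSD; `shell: "getent passwd | awk -F: '$3 == 0 {print $1}'"` covers those as well. `changed_when: False` next to `check_mode: no` mixes boolean spellings; `false` on both lines matches the yamllint truthy convention.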