Complete CIS requirement for system accounts

controls/cis_rhel8.yml

@@ -2347,20 +2347,15 @@ controls:
     rules:
       - accounts_password_last_change_is_in_past
 
-  # NEEDS RULE
-  # We are missing the component of this control which locks non-root system accounts
-  # https://github.com/ComplianceAsCode/content/issues/7352
   - id: 5.6.2
     title: Ensure system accounts are secured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
-      - no_shelllogin_for_systemaccounts
-    related_rules:
       - no_password_auth_for_systemaccounts
-      # This rule needs OVAL and remediation
+      - no_shelllogin_for_systemaccounts
 
   - id: 5.6.3
     title: Ensure default user shell timeout is 900 seconds or less (Automated)

controls/cis_rhel9.yml

@@ -2195,20 +2195,15 @@ controls:
     rules:
       - accounts_password_last_change_is_in_past
 
-  # NEEDS RULE
-  # We are missing the component of this control which locks non-root system accounts
-  # https://github.com/ComplianceAsCode/content/issues/7352
   - id: 5.6.2
     title: Ensure system accounts are secured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
-      - no_shelllogin_for_systemaccounts
-    related_rules:
       - no_password_auth_for_systemaccounts
-      # This rule needs OVAL and remediation
+      - no_shelllogin_for_systemaccounts
 
   - id: 5.6.3
     title: Ensure default user shell timeout is 900 seconds or less (Automated)

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/ansible/shared.yml

@@ -0,0 +1,26 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: {{{ rule_title }}} - Get All Local Users From /etc/passwd
+  ansible.builtin.getent:
+    database: passwd
+    split: ':'
+
+- name: {{{ rule_title }}} - Create local_users Variable From getent_passwd Facts
+  ansible.builtin.set_fact:
+    local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
+    # Creates a dictionary where the key is the first field of the /etc/passwd file, the username.
+    # The list of values are the next 6 fields from /etc/passwd. Example for the root entry:
+    # The "root" key would have these values: ["x", "0", "0", "root", "/root", "/bin/bash"]
+
+- name: {{{ rule_title }}} - Lock System Accounts
+  ansible.builtin.user:
+    name: '{{ item.key }}'
+    password_lock: true
+  loop: '{{ local_users }}'
+  when:
+    - item.value[1]|int < {{{ uid_min }}}
+    - item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody']

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/bash/shared.sh

@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+readarray -t systemaccounts < <(awk -F: \
+  '($3 < {{{ uid_min }}} && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
+  && $3 != nfsnobody) { print $1 }' /etc/passwd)
+
+for systemaccount in "${systemaccounts[@]}"; do
+    usermod -L "$systemaccount"
+done

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/oval/shared.xml

@@ -0,0 +1,32 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Ensure that System Accounts Are Locked") }}}
+        <criteria >
+            <criterion test_ref="test_{{{ rule_id }}}"
+                comment="system accounts must not have a password defined"/>
+        </criteria>
+    </definition>
+
+    {{%- set system_accounts_object = "object_" ~ rule_id ~ "_objects" -%}}
+    {{{ create_system_accounts_list_object(system_accounts_object) }}}
+
+    <local_variable id="var_{{{ rule_id }}}_usernames" datatype="string" version="1"
+        comment="Variable including usernames of system accounts">
+        <object_component item_field="username" object_ref="{{{ system_accounts_object }}}"/>
+    </local_variable>
+
+    <unix:shadow_object id="object_{{{ rule_id }}}" version="1">
+        <unix:username var_ref="var_{{{ rule_id }}}_usernames" var_check="at least one"/>
+        <filter action="exclude">filter_{{{ rule_id }}}_no_passwords_or_locked_accounts</filter>
+    </unix:shadow_object>
+
+    <unix:shadow_state id="filter_{{{ rule_id }}}_no_passwords_or_locked_accounts" version="1">
+        <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked).*$</unix:password>
+    </unix:shadow_state>
+
+    <unix:shadow_test id="test_{{{ rule_id }}}" version="1"
+        check="all" check_existence="none_exist"
+        comment="system accounts with a password defined">
+        <unix:object object_ref="object_{{{ rule_id }}}"/>
+    </unix:shadow_test>
+</def-group>

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml

@@ -3,38 +3,40 @@ documentation_complete: true
 title: 'Ensure that System Accounts Are Locked'
 
 description: |-
-    Some accounts are not associated with a human user of the system, and exist to
-    perform some administrative function. An attacker should not be able to log into
-    these accounts.
-    <br /><br />
-    System accounts are those user accounts with a user ID
-    less than UID_MIN, where value of the UID_MIN directive is set in
-    <tt>/etc/login.defs</tt> configuration file. In the default configuration UID_MIN is set
-    to 500, thus system accounts are those user accounts with a user ID less than
-    500. If any system account <i>SYSACCT</i> (other than root) has an unlocked password,
-    disable it with the command:
-    <pre>$ sudo passwd -l <i>SYSACCT</i></pre>
+    Some accounts are not associated with a human user of the system, and exist to perform some
+    administrative functions. An attacker should not be able to log into these accounts.
+    <br/><br/>
+    System accounts are those user accounts with a user ID less than <tt>{{{ uid_min }}}</tt>.
+    If any system account other than <tt>root</tt>, <tt>halt</tt>, <tt>sync</tt>, <tt>shutdown</tt>
+    and <tt>nfsnobody</tt> has an unlocked password, disable it with the command:
+    <pre>$ sudo usermod -L <i>account</i></pre>
 
 rationale: |-
-    Disabling authentication for default system accounts makes it more difficult
-    for attackers to make use of them to compromise a system.false
+    Disabling authentication for default system accounts makes it more difficult for attackers
+    to make use of them to compromise a system.
 
 severity: medium
 
 identifiers:
     cce@rhel7: CCE-80650-5
+    cce@rhel8: CCE-86112-0
+    cce@rhel9: CCE-86113-8
 
 references:
+    cis@rhel8: 5.6.2
+    cis@rhel9: 5.6.2
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
     nist: AC-6,CM-6(a)
 
-ocil_clause: 'it is not'
+ocil_clause: 'system accounts are not locked'
 
 ocil: |-
-    To obtain a listing of all users and the contents of their shadow password
-    field, run the command:
-    <pre>$ sudo awk -F: '$1 !~ /^root$/ &amp;&amp; $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow</pre>
-    Identify the system accounts from this listing. These will primarily be the accounts
-    with UID numbers less than UID_MIN, other than root. Value of the UID_MIN
-    directive is set in <tt>/etc/login.defs</tt> configuration file. In the default
-    configuration, UID_MIN is set to 500.
+    To obtain a list of all users and the content of their shadow password field, run the command:
+    <pre>$ sudo readarray -t systemaccounts < <(awk -F: \
+        '($3 < {{{ uid_min }}} && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
+        && $3 != nfsnobody) { print $1 }' /etc/passwd)
+
+        for account in "${systemaccounts[@]}"; do
+            awk -v user="$account" -F: '$1~account { print $1 ":" $2 }' /etc/shadow
+        done</pre>
+    Verify if all accounts are locked.

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/tests/sysaccounts_with_password.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M -r $USER
+echo "simplepass" | passwd --stdin $USER

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/tests/sysaccounts_without_password.pass.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# lock all system accounts (ID < 1000) from /etc/passwd
+readarray -t systemaccounts < <(awk -F: \
+  '($3 < {{{ uid_min }}} && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
+  && $3 != nfsnobody) { print $1 }' /etc/passwd)
+
+for systemaccounts in "${systemaccounts[@]}"; do
+    usermod -L "$systemaccounts"
+done

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/ansible/shared.yml

@@ -0,0 +1,27 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: {{{ rule_title }}} - Get All Local Users From /etc/passwd
+  ansible.builtin.getent:
+    database: passwd
+    split: ':'
+
+- name: {{{ rule_title }}} - Create local_users Variable From getent_passwd Facts
+  ansible.builtin.set_fact:
+    local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
+    # Creates a dictionary where the key is the first field of the /etc/passwd file, the username.
+    # The list of values are the next 6 fields from /etc/passwd. Example for the root entry:
+    # The "root" key would have these values: ["x", "0", "0", "root", "/root", "/bin/bash"]
+
+- name: {{{ rule_title }}} -  Disable Login Shell for System Accounts
+  ansible.builtin.user:
+    name: '{{ item.key }}'
+    shell: /sbin/nologin
+  loop: '{{ local_users }}'
+  when:
+    - item.key not in ['root']
+    - item.value[1]|int < {{{ uid_min }}}
+    - item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync']

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/bash/shared.sh

@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+readarray -t systemaccounts < <(awk -F: '($3 < {{{ uid_min }}} && $3 != root \
+  && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \
+  { print $1 }' /etc/passwd)
+
+for systemaccount in "${systemaccounts[@]}"; do
+    usermod -s /sbin/nologin "$systemaccount"
+done

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml

@@ -5,22 +5,19 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sl
 title: 'Ensure that System Accounts Do Not Run a Shell Upon Login'
 
 description: |-
-    Some accounts are not associated with a human user of the system, and exist to
-    perform some administrative function. Should an attacker be able to log into
-    these accounts, they should not be granted access to a shell.
-    <br /><br />
-    The login shell for each local account is stored in the last field of each line
-    in <tt>/etc/passwd</tt>. System accounts are those user accounts with a user ID
-    less than UID_MIN, where value of UID_MIN directive is set in
-    /etc/login.defs configuration file. In the default configuration UID_MIN is set
-    to 1000, thus system accounts are those user accounts with a user ID less than
-    1000. The user ID is stored in the third field. If any system account
-    <i>SYSACCT</i> (other than root) has a login shell, disable it with the
-    command: <pre>$ sudo usermod -s /sbin/nologin <i>SYSACCT</i></pre>
+    Some accounts are not associated with a human user of the system, and exist to perform some
+    administrative functions. Should an attacker be able to log into these accounts, they should
+    not be granted access to a shell.
+    <br/><br/>
+    The login shell for each local account is stored in the last field of each line in
+    <tt>/etc/passwd</tt>. System accounts are those user accounts with a user ID less than
+    <tt>{{{ uid_min }}}</tt>. The user ID is stored in the third field. If any system account
+    other than <tt>root</tt> has a login shell, disable it with the command:
+    <pre>$ sudo usermod -s /sbin/nologin <i>account</i></pre>
 
 rationale: |-
-    Ensuring shells are not given to system accounts upon login makes it more
-    difficult for attackers to make use of system accounts.
+    Ensuring shells are not given to system accounts upon login makes it more difficult for
+    attackers to make use of system accounts.
 
 severity: medium
 
@@ -56,26 +53,24 @@ references:
     stigid@sle12: SLES-12-010631
     stigid@sle15: SLES-15-020091
 
-ocil_clause: 'any system account (other than root) has a login shell'
+ocil_clause: 'any system account other than root has a login shell'
 
 ocil: |-
-    To obtain a listing of all users, their UIDs, and their shells, run the
-    command: <pre>$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre> Identify
-    the system accounts from this listing. These will primarily be the accounts
-    with UID numbers less than UID_MIN, other than root. Value of the UID_MIN
-    directive is set in /etc/login.defs configuration file. In the default
-    configuration UID_MIN is set to 1000.
+    To obtain a listing of all users, their UIDs, and their shells, run the command:
+    <pre>$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre>
+    Identify the system accounts from this listing. These will primarily be the accounts with UID
+    numbers less than {{{ uid_min }}}, other than root.
 
 fixtext: |-
     Configure {{{ full_name }}} so that all non-interactive accounts on the system have no interactive shell assigned to them.
 
     Run the following command to disable the interactive shell for a specific non-interactive user account:
 
-    $ sudo usermod --shell /sbin/nologin nobody
+    $ sudo usermod --shell /sbin/nologin account
 
 srg_requirement: '{{{ full_name }}} system accounts must not have have login shell.'
 
 warnings:
     - functionality: |-
-        Do not perform the steps in this section on the root account. Doing so might
-        cause the system to become inaccessible.
+        Do not perform the steps in this section on the root account. Doing so might cause the
+        system to become inaccessible.

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/first_sys_uid_max.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/first_sys_uid_min.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/first_uid_min.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/last_sys_uid_max.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/last_sys_uid_min.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/last_uid_min.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 # Force unset of SYS_UID values
 sed -i '/^SYS_UID_MIN/d' /etc/login.defs

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 # remove any non-system user
 sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/space_uid_min.pass.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 useradd --system --shell /sbin/nologin -u 999 sysuser
 useradd -u 1000 testuser

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# remediation = none
 
 # change system user "mail" shell to bash
 usermod --shell /bin/bash mail