Rewrite system account detection and hardening and create tests

[rndmh3ro]

@DonEstefan I messed up your PR when trying to resolve merge conflicts.

Can you please either:

• do a fource push from your local branch (system_account_hardeining_rewrite) to github to get the changes back or
• look a this PR and check if all changes are there (I think so)

[DonEstefan]

I'll try to find some time later this week to look into it. I know I had a hard time splitting up the initial pull request into multiple smaller requests. It makes sense that re-uniting them is just as complicated 😋

[DonEstefan]

I lost the content of the branch/pullrequest that kept the sys accounts changes separate from the other stuff. But I still have a copy of the final user_accounts.yml file, that has all the changes that I tried to split in separate pull requests (user accounts + system accounts + root accounts).

It seems like you undid some of the inital changes during merge of master branch.

From what I can see, I think by now you can remove the 5 plays below from the file. "uid_min" and "uid_max" should not be used any longer. Instead we now rely on os_auth_sys_uid_max/os_auth_uid_min/os_auth_uid_max from the vars file.

- name: Get UID_MIN from login.defs
  shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs
  args:
    removes: /etc/login.defs
  register: uid_min
  check_mode: false
  changed_when: false

- name: Calculate UID_MAX from UID_MIN by substracting 1
  set_fact:
    uid_max: '{{ uid_min.stdout | int - 1 }}'
  when: uid_min.stdout|int > 0

- name: Set UID_MAX on Debian-systems if no login.defs exist
  set_fact:
    uid_max: '999'
  when:
    - ansible_facts.os_family == 'Debian'
    - uid_max is not defined

- name: Set UID_MAX on other systems if no login.defs exist
  set_fact:
    uid_max: '499'
  when: uid_max is not defined

- name: Get all system accounts
  command: awk -F'':'' '{ if ( $3 <= {{ uid_max | quote }} ) print $1}' /etc/passwd
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: sys_accs

[DonEstefan]

You also might want to consider splitting this:

- name: Remove shell+password for linux system accounts
  user:
    name: '{{ item }}'
    shell: '{{ os_nologin_shell_path }}'
    password: '*'
    createhome: false
  loop: "{{ system_users }}"

in 2 separate tasks, to make detection of existing password locks more reliable

- name: remove shell for linux system accounts
  user:
    name: '{{ item }}'
    shell: '{{ os_nologin_shell_path }}'
    createhome: false
  loop: "{{ system_users }}"

- name: lock passwords from linux system accounts
  user:
    name: '{{ item }}'
    password: '*'
    createhome: false
  loop: "{{ system_users }}"
  when:
    - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked)

Sorry, for texting this, but I don't have editing rights in this pull request.

[DonEstefan]

I rebased to your current master branch and force-pushed my changes to master...DonEstefan:ansible-collection-hardening:system_account_hardeining_rewrite
I hope this helps.

[schurzi]

Great cleanup, Just the minor change in the name of the test prepare task and I also like the suggestion from @DonEstefan to split up the setting of shell and password.