Detecting multiple uid = 0 occurrences in /etc/passwd


Martin Simons

Sep 14, 2016, 5:03:43 AM
to help-cfengine
Dear CFEngineer,

Today we are implementing CIS (Centre of Internet Security) recommendations, one of those being detecting and removing non root users having a uid equal to 0.

I would like to use getusers(exclude_names, exclude_ids), including uid 0.

Any ideas?

Best regards,
Martin.

Erlend Leganger

Sep 14, 2016, 5:24:52 AM
to help-cfengine
Call out to grep as a stopgap solution while waiting for a CFE builtin?

--
You received this message because you are subscribed to the Google Groups "help-cfengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengine+unsubscribe@googlegroups.com.
To post to this group, send email to help-c...@googlegroups.com.
Visit this group at https://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.

Martin Simons

Sep 14, 2016, 7:02:47 AM
to help-cfengine
Dear Erlend,

Well, this policy is potentially nuclear, so I feel using an unmanaged script would be my very last resort.

Best regards,
Martin.


On Wednesday, 14 September 2016 at 11:24:52 UTC+2, Erlend Leganger wrote:
Call out to grep as a stopgap solution while waiting for a CFE builtin?
On 14 September 2016 at 11:03, Martin Simons <mjcm....@gmail.com> wrote:
Dear CFEngineer,

Today we are implementing CIS (Centre of Internet Security) recommendations, one of those being detecting and removing non root users having a uid equal to 0.

I would like to use getusers(exclude_names, exclude_ids), including uid 0.

Any ideas?

Best regards,
Martin.

Neil Watson

Sep 14, 2016, 8:57:58 AM
to help-cfengine
I think the chances of said policy corrupting the system are greater
than the chances of finding a second 0 uid user. Aim for bigger wins or
at least make this a passive policy only.

--
Neil H Watson @neil_h_watson
CFEngine reporting: https://github.com/neilhwatson/delta_reporting
CFEngine policy: https://github.com/neilhwatson/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3

Nick Anderson

Sep 14, 2016, 9:25:35 AM
to Martin Simons, help-cfengine
On 09/14/2016 04:03 AM, Martin Simons wrote:
> I would like to use getusers(exclude_names, exclude_ids), including uid 0.

Hey Martin,

I believe that [getusers()] is not limited to the local system. For
example if the system is configured to authenticate against LDAP or
something those users would also be returned.

I haven't spent much time on the CIS framework recently, but it
contains a bundle that does a [simple check for multiple accounts with
a uid of 0].

If you have a list of user names that contain UID 0 then you can
[filter()] or [difference()] them to get a list of users that does not
contain the `root' users and have them automatically removed.

At any rate, I would probably stick to direct inspection of
`/etc/passwd' and `/etc/shadow' since there is currently no way to
make `getusers()' only query locally.


[getusers()]
https://docs.cfengine.com/lts/reference-functions-getusers.html

[simple check for multiple accounts with a uid of 0]
https://github.com/nickanderson/cfengine-cis/blob/v2/policy/cis_userrelated.cf#L200-L239

[filter()] https://docs.cfengine.com/lts/reference-functions-filter.html

[difference()]
https://docs.cfengine.com/lts/reference-functions-difference.html
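As an added illustration of the "direct inspection of /etc/passwd" approach Nick recommends (this is example code written for this page, not the CIS policy he links to or anything from the thread), the following POSIX shell script reports every account whose numeric UID is 0 but whose name is not "root", and separately counts how many UID 0 entries exist at all. Reading the file directly keeps the check local, which is exactly the property getusers() lacks when NSS is backed by LDAP. The function names and the sample passwd content are constructed for the demonstration; the script only reports and never modifies anything, in line with Neil's advice to keep such a policy passive.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked CIS policy.
# Inspects a passwd-format file directly instead of querying NSS, so only
# local accounts are considered (LDAP or other directory users never appear).

# Print the names of non-root accounts with UID 0 from $1 (stdin if omitted).
# The UID field is compared numerically so that "00" or "+0" are not missed;
# comments, blank lines and malformed short lines are skipped.
find_extra_uid0() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }          # blank or comment line
        NF < 3                   { next }          # not a passwd entry
        $3 ~ /^\+?[0-9]+$/ && ($3 + 0) == 0 && $1 != "root" { print $1 }
    ' ${1:+"$1"}
}

# Count every entry carrying UID 0 (a compliant system has exactly one).
count_uid0() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }
        NF >= 3 && $3 ~ /^\+?[0-9]+$/ && ($3 + 0) == 0 { n++ }
        END { print n + 0 }
    ' ${1:+"$1"}
}

# Constructed sample passwd content for a stand-alone run; a real check
# would pass /etc/passwd to the functions instead.
sample_passwd() {
    cat <<'EOF'
# comment lines and blank lines are ignored
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

toor:x:0:0:second superuser:/root:/bin/sh
backup:x:00:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Stand-alone demonstration on the sample: reports "toor" and "backup",
# and a total of 3 UID 0 entries.
sample_passwd | find_extra_uid0
printf 'uid 0 entries: %s\n' "$(sample_passwd | count_uid0)"
```

On a real host run `find_extra_uid0 /etc/passwd` and treat any output, or a `count_uid0` result other than 1, as a finding to review by hand; the numeric comparison matters because an entry such as `backup:x:00:...` is UID 0 to the kernel even though a plain `grep ':0:'` on the third field would miss it.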

