>From 3dcd3afa28c00d5bb6fa281a5392bbdffe2c3e92 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Sun, 10 Nov 2013 00:59:29 -0500
Subject: [PATCH 04/11] Updated OVAL + remediation for accounts_no_uid_except_zero
 - Updating naming scheme to reflect accounts_* for consistency
 - Added remediation script which will disable any UID=0 accounts other than root.
 The OVAL will continue to fail, however automatically reassigning UIDs seems dirty...

---
 .../fixes/bash/accounts_no_uid_except_zero.sh      |    1 +
 RHEL6/input/profiles/CS2.xml                       |    2 +-
 RHEL6/input/profiles/common.xml                    |    2 +-
 RHEL6/input/profiles/fisma-medium-rhel6-server.xml |    2 +-
 RHEL6/input/profiles/nist-CL-IL-AL.xml             |    2 +-
 RHEL6/input/profiles/rht-ccp.xml                   |    2 +-
 RHEL6/input/profiles/usgcb-rhel6-server.xml        |    2 +-
 .../system/accounts/restrictions/root_logins.xml   |    2 +-
 8 files changed, 8 insertions(+), 7 deletions(-)
 create mode 100644 RHEL6/input/fixes/bash/accounts_no_uid_except_zero.sh

diff --git a/RHEL6/input/fixes/bash/accounts_no_uid_except_zero.sh b/RHEL6/input/fixes/bash/accounts_no_uid_except_zero.sh
new file mode 100644
index 0000000..7a052ec
--- /dev/null
+++ b/RHEL6/input/fixes/bash/accounts_no_uid_except_zero.sh
@@ -0,0 +1 @@
+awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml
index 3958779..302cf5b 100644
--- a/RHEL6/input/profiles/CS2.xml
+++ b/RHEL6/input/profiles/CS2.xml
@@ -76,7 +76,7 @@
 <select idref="disable_prelink" selected="true" />
 <select idref="account_unique_name" selected="true"/>
 <select idref="no_hashes_outside_shadow" selected="true"/>
-<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="accounts_no_uid_except_zero" selected="true"/>
 
 <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
 <select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index 4ef3c0d..5eda579 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
@@ -22,7 +22,7 @@
 <select idref="no_shelllogin_for_systemaccounts" selected="true"/>
 <select idref="no_empty_passwords" selected="true"/>
 <select idref="no_hashes_outside_shadow" selected="true"/>
-<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="accounts_no_uid_except_zero" selected="true"/>
 
 <select idref="userowner_shadow_file" selected="true"/>
 <select idref="groupowner_shadow_file" selected="true"/>
diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
index 558ae63..318fdee 100644
--- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
@@ -67,7 +67,7 @@
 <select idref="audit_logs_permissions" selected="true" />
 <select idref="audit_logs_rootowner" selected="true" />
 <select idref="audit_config_immutable" selected="true" />
-<select idref="no_uidzero_except_root" selected="true" />
+<select idref="accounts_no_uid_except_zero" selected="true" />
 <select idref="rpm_verify_permissions" selected="true" />
 
 <!--	AC-6(2) -->
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index f633f5e..82ee2a1 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -156,7 +156,7 @@ assurance."</description>
 <select idref="no_files_unowned_by_group" selected="true" \>
 <select idref="world_writable_files_system_ownership" selected="true" \>
 <select idref="umask_for_daemons" selected="true" \>
-<select idref="no_uidzero_except_root" selected="true" \>
+<select idref="accounts_no_uid_except_zero" selected="true" \>
 <select idref="userowner_rsyslog_files" selected="true" \>
 <select idref="groupowner_rsyslog_files" selected="true" \>
 
diff --git a/RHEL6/input/profiles/rht-ccp.xml b/RHEL6/input/profiles/rht-ccp.xml
index 173a891..959c4d0 100644
--- a/RHEL6/input/profiles/rht-ccp.xml
+++ b/RHEL6/input/profiles/rht-ccp.xml
@@ -49,7 +49,7 @@
 <select idref="no_shelllogin_for_systemaccounts" selected="true"/>
 <select idref="no_empty_passwords" selected="true"/>
 <select idref="no_hashes_outside_shadow" selected="true"/>
-<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="accounts_no_uid_except_zero" selected="true"/>
 <select idref="accounts_password_minlen_login_defs" selected="true"/>
 <select idref="accounts_minimum_age_login_defs" selected="true"/>
 <select idref="accounts_maximum_age_login_defs" selected="true"/>
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index 2c72684..a736b04 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -63,7 +63,7 @@
 <select idref="restrict_serial_port_logins" selected="true" />
 <select idref="no_empty_passwords" selected="true" />
 <select idref="no_hashes_outside_shadow" selected="true" />
-<select idref="no_uidzero_except_root" selected="true" />
+<select idref="accounts_no_uid_except_zero" selected="true" />
 <refine-value idref="var_accounts_password_warn_age_login_defs" selector="14"/>
 <select idref="accounts_password_warn_age_login_defs" selected="true" />
 <refine-value idref="var_accounts_maximum_age_login_defs" selector="60" />
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index b92469f..119931b 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -167,7 +167,7 @@ become inaccessible.
 </Rule>
 
 
-<Rule id="no_uidzero_except_root" severity="medium">
+<Rule id="accounts_no_uid_except_zero" severity="medium">
 <title>Verify Only Root Has UID 0</title>
 <description>
 If any account other than root has a UID of 0,
-- 
1.7.1