Check for users w/o home dirs [+Docs]

This patch adds a new Ansible module called 'get_users' that pulls
a list of users from a system. Tasks are added to check for any users
that don't have a home directory.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I53e776659e5a0a3e3235cfa91c2bfcdc35bbf7a9
Major Hayden 2016-11-18 13:40:34 -06:00
parent 251a5d1c87
commit 66ebdc9967
3 changed files with 109 additions and 3 deletions


@ -1,7 +1,9 @@
---
id: RHEL-07-020620
status: not implemented
tag: misc
status: implemented
tag: auth
---
This STIG requirement is not yet implemented.
The usernames of all users without home directories assigned are provided in
the Ansible console output. Deployers should use this list of usernames to
audit each system to ensure every user has a valid home directory.
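Review bot: the new description should state what the check actually reports: only accounts whose home directory field in the passwd database is empty are listed, and whether an assigned directory exists on disk is not verified. Suggest one extra sentence to that effect so deployers read the console list as the starting point for the manual audit rather than a complete check of home directory validity.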

library/get_users Executable file

@ -0,0 +1,84 @@
#!/usr/bin/env python
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Get user facts."""
import pwd
from ansible.module_utils.basic import AnsibleModule
DOCUMENTATION = """
---
module: get_users
short_description:
- A module for gathering facts about Linux users.
description:
- This module gathers facts about the Linux users and groups that exist
on the system.
author: major@mhtx.net
"""
EXAMPLES = '''
- get_users:
min_uid: 1000
max_uid: 2000
'''
RETURN = '''
users:
description: users matching arguments provided
returned: success
type: list
'''
def main():
"""Ansible calls this function."""
module = AnsibleModule(
argument_spec=dict(
min_uid=dict(default=0, type='int'),
max_uid=dict(default=65535, type='int'),
),
supports_check_mode=True,
)
users = []
# Loop through the users that exist on the system.
for user_record in pwd.getpwall():
# Ensure that the user matches the parameters provided.
if (user_record.pw_uid >= module.params['min_uid'] and
user_record.pw_uid <= module.params['max_uid']):
# Assemble a dictionary of the user information and append it to
# our list.
user_dict = {
'name': user_record.pw_name,
'uid': user_record.pw_uid,
'gid': user_record.pw_gid,
'gecos': user_record.pw_gecos,
'dir': user_record.pw_dir,
'shell': user_record.pw_shell
}
users.append(user_dict)
# Return the user data to the Ansible task.
module.exit_json(
changed=False,
users=users
)
if __name__ == '__main__':
main()
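Review bot: the DOCUMENTATION string has no `options:` section, so the `min_uid` and `max_uid` arguments declared in `argument_spec` (and used in EXAMPLES) are undocumented; add entries for both with their defaults (0 and 65535) and note that the range is inclusive. The `description` also says the module gathers facts about "users and groups", but only pwd entries are collected, so drop "groups". One behavioural caveat worth a comment next to `pwd.getpwall()`: it consults every NSS source, not only /etc/passwd, so on hosts using LDAP or SSSD the returned list can include non-local accounts; if the intent is strictly local accounts, read /etc/passwd directly or say so in the description.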


@ -13,6 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Get a list of users on the system to use throughout the auth tasks
action: get_users
register: user_list
check_mode: no
tags:
- always
- name: Check if /etc/security/pwquality.conf exists
stat:
path: /etc/security/pwquality.conf
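Review bot: `check_mode: no` on the "Get a list of users" task is redundant, since the module declares `supports_check_mode=True` and only reads the passwd database; keeping it is harmless, but the task keyword and the module flag should be kept in agreement. Note also that the call passes no `min_uid` or `max_uid`, so `user_list.users` holds every account from UID 0 to 65535, system accounts included; any task consuming this fact has to filter by UID or shell itself.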
@ -163,3 +170,16 @@
- auth
- high
- RHEL-07-020310
- name: RHEL-07-020620 - All local interactive users must have a home directory assigned in the /etc/passwd file.
debug:
msg: |
The following users do not have a home directory assigned:
{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
when:
- user_list is defined
- user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
tags:
- auth
- medium
- RHEL-07-020620
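Review bot: the `when` condition and the `msg` both apply the same `selectattr('dir', 'equalto', '') | map(attribute='name')` chain to `user_list.users`; compute it once (for example with `set_fact`) and reference the result in both places so the two cannot drift apart. The larger logic point is scope: because `user_list` was registered with the module's default UID range, this task flags every account with an empty home field, including system accounts, whereas RHEL-07-020620 covers local interactive users; limit the check to interactive accounts (for example by passing `min_uid: 1000` to `get_users` or by filtering on `shell`) to keep the console output actionable. Finally, `equalto ''` only matches an empty field, so an account whose assigned directory was never created is not reported; that limitation belongs in the accompanying doc.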