diff --git a/doc/metadata/rhel7/RHEL-07-020620.rst b/doc/metadata/rhel7/RHEL-07-020620.rst
index 125333dd..3e2b6656 100644
--- a/doc/metadata/rhel7/RHEL-07-020620.rst
+++ b/doc/metadata/rhel7/RHEL-07-020620.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-020620
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The usernames of all users without home directories assigned are provided in
+the Ansible console output. Deployers should use this list of usernames to
+audit each system to ensure every user has a valid home directory.
diff --git a/library/get_users b/library/get_users
new file mode 100755
index 00000000..7450edb2
--- /dev/null
+++ b/library/get_users
@@ -0,0 +1,84 @@
+#!/usr/bin/env python
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Get user facts."""
+
+import pwd
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = """
+---
+module: get_users
+short_description:
+ - A module for gathering facts about Linux users.
+description:
+ - This module gathers facts about the Linux users and groups that exist
+ on the system.
+author: major@mhtx.net
+"""
+
+EXAMPLES = '''
+- get_users:
+ min_uid: 1000
+ max_uid: 2000
+'''
+
+RETURN = '''
+users:
+ description: users matching arguments provided
+ returned: success
+ type: list
+'''
+
+
+def main():
+    """Ansible calls this function."""
+    module = AnsibleModule(
+        argument_spec=dict(
+            min_uid=dict(default=0, type='int'),
+            max_uid=dict(default=65535, type='int'),
+        ),
+        supports_check_mode=True,
+    )
+
+    users = []
+
+    # Loop through the users that exist on the system.
+    for user_record in pwd.getpwall():
+
+        # Ensure that the user matches the parameters provided.
+        if (user_record.pw_uid >= module.params['min_uid'] and
+                user_record.pw_uid <= module.params['max_uid']):
+
+            # Assemble a dictionary of the user information and append it to
+            # our list.
+            user_dict = {
+                'name': user_record.pw_name,
+                'uid': user_record.pw_uid,
+                'gid': user_record.pw_gid,
+                'gecos': user_record.pw_gecos,
+                'dir': user_record.pw_dir,
+                'shell': user_record.pw_shell
+            }
+            users.append(user_dict)
+
+    # Return the user data to the Ansible task.
+    module.exit_json(
+        changed=False,
+        users=users
+    )
+
+if __name__ == '__main__':
+    main()
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index df38073b..8c72628d 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Get a list of users on the system to use throughout the auth tasks
+ action: get_users
+ register: user_list
+ check_mode: no
+ tags:
+ - always
+
 - name: Check if /etc/security/pwquality.conf exists
 stat:
 path: /etc/security/pwquality.conf
@@ -163,3 +170,16 @@
 - auth
 - high
 - RHEL-07-020310
+
+- name: RHEL-07-020620 - All local interactive users must have a home directory assigned in the /etc/passwd file.
+ debug:
+ msg: |
+ The following users do not have a home directory assigned:
+ {{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
+ when:
+ - user_list is defined
+ - user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
+ tags:
+ - auth
+ - medium
+ - RHEL-07-020620
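Review bot: The DOCUMENTATION string of the new module has no `options:` section, so `min_uid` and `max_uid` (declared in the `argument_spec` of main()) never show up in ansible-doc, and RETURN does not say which keys each entry of `users` carries (`name`, `uid`, `gid`, `gecos`, `dir`, `shell`); both should be added so callers do not have to read the source. main() also accepts a reversed range silently: with `min_uid` larger than `max_uid` the loop matches nothing and the module reports an empty list as success, which a caller cannot tell apart from a host with no users in range, so a guard before the loop such as `if module.params['min_uid'] > module.params['max_uid']:` / `module.fail_json(msg='min_uid must not exceed max_uid')` makes the mistake visible. As a point of style the range test reads more naturally as a chained comparison, `module.params['min_uid'] <= user_record.pw_uid <= module.params['max_uid']`, and PEP 8 asks for two blank lines before the `if __name__ == '__main__':` guard rather than one.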
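Review bot: The registering task calls `get_users` with its defaults, so any account whose UID is above 65535 (the module's default `max_uid`) is silently absent from `user_list` and therefore from every auth check in this file that reads it; if such UIDs are expected on the target hosts, pass an explicit `max_uid:` argument covering the site's UID range, or document the limit in the task name. The module enumerates with `pwd.getpwall()`, which presumably reports only what the host's NSS sources are willing to enumerate, so on hosts backed by a directory service the list may be limited to locally enumerable accounts — worth a one-line comment above the task so auditors know the scope. `action: get_users` is the legacy spelling; `get_users:` on its own line is the usual form and lets the arguments sit under it.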
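Review bot: The filter chain `user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name')` is written twice in the RHEL-07-020620 task, once in `msg` and once in `when`, so the two can drift apart when the selection rule changes; computing the list once in a task-level `vars:` entry and referencing it from both places keeps them in step. The `when: user_list is defined` guard looks redundant given the registering task at the top of the file has no condition and is tagged `always`, but it is harmless. Note that the default UID range of `get_users` means system accounts with an empty `dir` would be reported alongside interactive ones, which is the conservative direction for an audit message.
```yaml
- name: RHEL-07-020620 - All local interactive users must have a home directory assigned in the /etc/passwd file.
  vars:
    users_without_home: "{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list }}"
  debug:
    msg: |
      The following users do not have a home directory assigned:
      {{ users_without_home | join(', ') }}
  when:
    - user_list is defined
    - users_without_home | length > 0
  # … unchanged: tags …
```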