Check for users w/o home dirs [+Docs]
This patch adds a new Ansible module called 'get_users' that pulls a list of users from a system. Tasks are added to check for any users that don't have a home directory. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I53e776659e5a0a3e3235cfa91c2bfcdc35bbf7a9
This commit is contained in:
parent
251a5d1c87
commit
66ebdc9967
|
@ -1,7 +1,9 @@
|
||||||
---
|
---
|
||||||
id: RHEL-07-020620
|
id: RHEL-07-020620
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: auth
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The usernames of all users without home directories assigned are provided in
|
||||||
|
the Ansible console output. Deployers should use this list of usernames to
|
||||||
|
audit each system to ensure every user has a valid home directory.
|
||||||
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
# Copyright 2016, Rackspace US, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
"""Get user facts."""
|
||||||
|
|
||||||
|
import pwd
|
||||||
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
||||||
|
|
||||||
|
DOCUMENTATION = """
|
||||||
|
---
|
||||||
|
module: get_users
|
||||||
|
short_description:
|
||||||
|
- A module for gathering facts about Linux users.
|
||||||
|
description:
|
||||||
|
- This module gathers facts about the Linux users and groups that exist
|
||||||
|
on the system.
|
||||||
|
author: major@mhtx.net
|
||||||
|
"""
|
||||||
|
|
||||||
|
EXAMPLES = '''
|
||||||
|
- get_users:
|
||||||
|
min_uid: 1000
|
||||||
|
max_uid: 2000
|
||||||
|
'''
|
||||||
|
|
||||||
|
RETURN = '''
|
||||||
|
users:
|
||||||
|
description: users matching arguments provided
|
||||||
|
returned: success
|
||||||
|
type: list
|
||||||
|
'''
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
"""Ansible calls this function."""
|
||||||
|
module = AnsibleModule(
|
||||||
|
argument_spec=dict(
|
||||||
|
min_uid=dict(default=0, type='int'),
|
||||||
|
max_uid=dict(default=65535, type='int'),
|
||||||
|
),
|
||||||
|
supports_check_mode=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
users = []
|
||||||
|
|
||||||
|
# Loop through the users that exist on the system.
|
||||||
|
for user_record in pwd.getpwall():
|
||||||
|
|
||||||
|
# Ensure that the user matches the parameters provided.
|
||||||
|
if (user_record.pw_uid >= module.params['min_uid'] and
|
||||||
|
user_record.pw_uid <= module.params['max_uid']):
|
||||||
|
|
||||||
|
# Assemble a dictionary of the user information and append it to
|
||||||
|
# our list.
|
||||||
|
user_dict = {
|
||||||
|
'name': user_record.pw_name,
|
||||||
|
'uid': user_record.pw_uid,
|
||||||
|
'gid': user_record.pw_gid,
|
||||||
|
'gecos': user_record.pw_gecos,
|
||||||
|
'dir': user_record.pw_dir,
|
||||||
|
'shell': user_record.pw_shell
|
||||||
|
}
|
||||||
|
users.append(user_dict)
|
||||||
|
|
||||||
|
# Return the user data to the Ansible task.
|
||||||
|
module.exit_json(
|
||||||
|
changed=False,
|
||||||
|
users=users
|
||||||
|
)
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
|
@ -13,6 +13,13 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Get a list of users on the system to use throughout the auth tasks
|
||||||
|
action: get_users
|
||||||
|
register: user_list
|
||||||
|
check_mode: no
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Check if /etc/security/pwquality.conf exists
|
- name: Check if /etc/security/pwquality.conf exists
|
||||||
stat:
|
stat:
|
||||||
path: /etc/security/pwquality.conf
|
path: /etc/security/pwquality.conf
|
||||||
|
@ -163,3 +170,16 @@
|
||||||
- auth
|
- auth
|
||||||
- high
|
- high
|
||||||
- RHEL-07-020310
|
- RHEL-07-020310
|
||||||
|
|
||||||
|
- name: RHEL-07-020620 - All local interactive users must have a home directory assigned in the /etc/passwd file.
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
The following users do not have a home directory assigned:
|
||||||
|
{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
|
||||||
|
when:
|
||||||
|
- user_list is defined
|
||||||
|
- user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
|
||||||
|
tags:
|
||||||
|
- auth
|
||||||
|
- medium
|
||||||
|
- RHEL-07-020620
|
||||||
|
|
Loading…
Reference in New Issue