Set home dir mode/owner/group owner [+Docs]
This patch sets the mode, owner, and group owner for each home directory to the correct values. The STIG also requires ownership/permission changes for files/directories within each user's home directory, but these changes can be highly disruptive for certain users. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I1c4a8dfb1e752d4426b471325cd09b2abf5a4ca7
parent ce386ec8c3
commit 5fdee29c70
@ -516,6 +516,8 @@ security_reset_perm_ownership: yes # RHEL-07-010010
# Search for files/directories owned by invalid users or groups.
security_search_for_invalid_owner: no # RHEL-07-020360
security_search_for_invalid_group_owner: no # RHEL-07-020370
# Set user/group owners on each home directory and set mode to 0750.
security_set_home_directory_permissions_and_owners: no # RHEL-07-020650 / RHEL-07-020660 / RHEL-07-020670

## Graphical interfaces (graphical)
# Disable automatic gdm logins
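Review bot: the comment above `security_set_home_directory_permissions_and_owners` says the mode is "set to 0750", but the task gated on this variable only strips bits with a symbolic mode (`u-X,g-ws,o-rwxt`), so a directory that is already stricter, such as 0700, is left alone. The RHEL-07-020650 documentation in this patch says "0750 at a maximum"; the comment in defaults/main.yml should say the same, and should mention that only accounts with a UID of 1000 or higher are touched, so a deployer reading the defaults alone is not surprised.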
@ -1,7 +1,25 @@
---
id: RHEL-07-020650
status: not implemented
tag: misc
status: opt-in
tag: file_perms
---

This STIG requirement is not yet implemented.
Although the STIG requires that all home directories have the proper owner,
group owner, and permissions, these changes might be disruptive in some
environments. These tasks are not executed by default.

Deployers can opt in for the following changes to each home directory:

* Permissions are set to ``0750`` at a maximum. If permissions are already
more restrictive than ``0750``, the permissions are left unchanged.

* User ownership is set to the ``UID`` of the user.

* Group ownership is set to the ``GID`` of the user.

Deployers can opt in for these changes by setting the following Ansible
variable:

.. code-block:: yaml

security_set_home_directory_permissions_and_owners: yes
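Review bot: the bullet list omits the scope of the change. The task that implements this control is restricted to accounts with a UID of 1000 or greater (`item.uid >= 1000` together with the `selectattr('uid', 'greater_than', 999)` filter), so root, service accounts, and any local users created below 1000 on a system with a lowered `UID_MIN` are not modified. State that here, and add one sentence on reverting (set the variable back to ``no``), because the RHEL-07-020660 and RHEL-07-020670 pages send readers to this page for "how to opt out".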
@ -1,7 +1,10 @@
---
id: RHEL-07-020660
status: not implemented
tag: misc
status: opt-in
tag: file_perms
---

This STIG requirement is not yet implemented.
This control is implemented by the tasks for another control. Refer to the
documentation for more details on the change and how to opt out:

* :ref:`stig-RHEL-07-020650`
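Review bot: `status: opt-in` and the cross-reference sentence contradict each other. The text says the linked page explains "how to opt out", but the RHEL-07-020650 page it points to describes how to opt in, and the tasks are disabled by default. Change "how to opt out" to "how to opt in" (or "whether to enable the change") so a deployer does not conclude that home directory ownership is changed unless they disable it.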
@ -1,7 +1,10 @@
---
id: RHEL-07-020670
status: not implemented
tag: misc
status: opt-in
tag: file_perms
---

This STIG requirement is not yet implemented.
This control is implemented by the tasks for another control. Refer to the
documentation for more details on the change and how to opt out:

* :ref:`stig-RHEL-07-020650`
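Review bot: same wording problem as the RHEL-07-020660 page in this patch: "how to opt out" should read "how to opt in", since the control is marked `opt-in`, the referenced RHEL-07-020650 page only documents enabling the change, and the task runs only when `security_set_home_directory_permissions_and_owners` is set to yes.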
@ -1,7 +1,10 @@
---
id: RHEL-07-020680
status: not implemented
tag: misc
status: exception - manual intervention
tag: file_perms
---

This STIG requirement is not yet implemented.
Although the STIG has requirements for ownership and permissions of files and
directories in each user's home directory, broad changes to these settings
might cause disruptions to users on a system. Therefore, these changes are left
to deployers to examine and adjust manually.
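Review bot: the exception text explains why nothing is automated but gives the deployer nothing to act on. Since the RHEL-07-020680, RHEL-07-020690 and RHEL-07-020700 pages in this patch all carry this identical paragraph, add one sentence to each naming which aspect of the files under the home directory (owner, group owner, or mode) that particular control covers, so the pages are distinguishable when a deployer reaches one of them through the `file_perms` tag. A shared snippet included from all three would also keep the common wording from drifting.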
@ -1,7 +1,10 @@
---
id: RHEL-07-020690
status: not implemented
tag: misc
status: exception - manual intervention
tag: file_perms
---

This STIG requirement is not yet implemented.
Although the STIG has requirements for ownership and permissions of files and
directories in each user's home directory, broad changes to these settings
might cause disruptions to users on a system. Therefore, these changes are left
to deployers to examine and adjust manually.
@ -1,7 +1,10 @@
---
id: RHEL-07-020700
status: not implemented
tag: misc
status: exception - manual intervention
tag: file_perms
---

This STIG requirement is not yet implemented.
Although the STIG has requirements for ownership and permissions of files and
directories in each user's home directory, broad changes to these settings
might cause disruptions to users on a system. Therefore, these changes are left
to deployers to examine and adjust manually.
@ -96,6 +96,23 @@
- medium
- RHEL-07-020370

- name: Set proper owner, group owner, and permissions on home directories
file:
dest: "{{ item.dir }}"
owner: "{{ item.name }}"
group: "{{ item.group.name }}"
mode: "u-X,g-ws,o-rwxt"
when:
- item.uid >= 1000
- security_set_home_directory_permissions_and_owners | bool
with_items: "{{ user_list.users | selectattr('uid', 'greater_than', 999) | list }}"
tags:
- medium
- file_perms
- RHEL-07-020650
- RHEL-07-020660
- RHEL-07-020670

- name: Check if cn_map file is present
stat:
path: /etc/pam_pkcs11/cn_map
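Review bot: `mode: "u-X,g-ws,o-rwxt"` removes the owner's search bit from every home directory. In symbolic modes, `X` stands for the execute bit whenever the target is a directory (the `file` module follows chmod semantics here), so `u-X` applied to a directory clears `u+x`, leaving the user unable to enter their own home and the mode at 0650 or lower instead of the documented 0750 maximum. The user part should only drop setuid, i.e. `mode: "u-s,g-ws,o-rwxt"`, or be left out. Minor: the `when: item.uid >= 1000` condition repeats the `selectattr('uid', 'greater_than', 999)` filter on `with_items`; keep one of the two. The task also relies on a `user_list` fact registered by an earlier task, which a short comment should name.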
@ -93,3 +93,4 @@
security_disable_account_if_password_expires: yes
security_rhel7_initialize_aide: yes
security_require_grub_authentication: yes
security_set_home_directory_permissions_and_owners_recursively: no
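Review bot: the variable added here, `security_set_home_directory_permissions_and_owners_recursively`, appears nowhere else in the patch; defaults/main.yml and the new task both use `security_set_home_directory_permissions_and_owners`. As written this line sets a variable nothing reads, and the new task stays disabled under this variable file, so it is never exercised. Rename it to match the defaults, and confirm `no` is intended, given that the neighbouring entries in this file enable their controls.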