Set home dir mode/owner/group owner [+Docs]

This patch sets the mode, owner, and group owner for each home directory to
the correct values.

The STIG also requires ownership/permission changes for files/directories
within each user's home directory, but these changes can be highly disruptive
for certain users.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I1c4a8dfb1e752d4426b471325cd09b2abf5a4ca7

defaults/main.yml

@@ -516,6 +516,8 @@ security_reset_perm_ownership: yes                           # RHEL-07-010010
 # Search for files/directories owned by invalid users or groups.
 security_search_for_invalid_owner: no                        # RHEL-07-020360
 security_search_for_invalid_group_owner: no                  # RHEL-07-020370
+# Set user/group owners on each home directory and set mode to 0750.
+security_set_home_directory_permissions_and_owners: no       # RHEL-07-020650 / RHEL-07-020660 / RHEL-07-020670
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins

doc/metadata/rhel7/RHEL-07-020650.rst

@@ -1,7 +1,25 @@
 ---
 id: RHEL-07-020650
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that all home directories have the proper owner,
+group owner, and permissions, these changes might be disruptive in some
+environments. These tasks are not executed by default.
+
+Deployers can opt in for the following changes to each home directory:
+
+* Permissions are set to ``0750`` at a maximum. If permissions are already
+  more restrictive than ``0750``, the permissions are left unchanged.
+
+* User ownership is set to the ``UID`` of the user.
+
+* Group ownership is set to the ``GID`` of the user.
+
+Deployers can opt in for these changes by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+    security_set_home_directory_permissions_and_owners: yes

doc/metadata/rhel7/RHEL-07-020660.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020660
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control. Refer to the
+documentation for more details on the change and how to opt out:
+
+* :ref:`stig-RHEL-07-020650`

doc/metadata/rhel7/RHEL-07-020670.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020670
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control. Refer to the
+documentation for more details on the change and how to opt out:
+
+* :ref:`stig-RHEL-07-020650`

doc/metadata/rhel7/RHEL-07-020680.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020680
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG has requirements for ownership and permissions of files and
+directories in each user's home directory, broad changes to these settings
+might cause disruptions to users on a system. Therefore, these changes are left
+to deployers to examine and adjust manually.

doc/metadata/rhel7/RHEL-07-020690.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020690
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG has requirements for ownership and permissions of files and
+directories in each user's home directory, broad changes to these settings
+might cause disruptions to users on a system. Therefore, these changes are left
+to deployers to examine and adjust manually.

doc/metadata/rhel7/RHEL-07-020700.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020700
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG has requirements for ownership and permissions of files and
+directories in each user's home directory, broad changes to these settings
+might cause disruptions to users on a system. Therefore, these changes are left
+to deployers to examine and adjust manually.

tasks/rhel7stig/file_perms.yml

@@ -96,6 +96,23 @@
     - medium
     - RHEL-07-020370
 
+- name: Set proper owner, group owner, and permissions on home directories
+  file:
+    dest: "{{ item.dir }}"
+    owner: "{{ item.name }}"
+    group: "{{ item.group.name }}"
+    mode: "u-X,g-ws,o-rwxt"
+  when:
+    - item.uid >= 1000
+    - security_set_home_directory_permissions_and_owners | bool
+  with_items: "{{ user_list.users | selectattr('uid', 'greater_than', 999) | list }}"
+  tags:
+    - medium
+    - file_perms
+    - RHEL-07-020650
+    - RHEL-07-020660
+    - RHEL-07-020670
+
 - name: Check if cn_map file is present
   stat:
     path: /etc/pam_pkcs11/cn_map

tests/test.yml

@@ -93,3 +93,4 @@
     security_disable_account_if_password_expires: yes
     security_rhel7_initialize_aide: yes
     security_require_grub_authentication: yes
+    security_set_home_directory_permissions_and_owners_recursively: no