openstack/ansible-hardening
Code Issues Proposed changes

Create home directories by default [+Docs]

Browse Source 
This patch adds a task to adjust /etc/login.defs so that home
directories are created by default for all new user accounts.
This is the standard for CentOS/RHEL, but this involves a change
for Ubuntu systems.

Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: If88719fed6def2d13d5b5798eaed98baf7971889
This commit is contained in:
Major Hayden
2016-11-18 14:43:16 -06:00
parent 66ebdc9967
commit acdd6d5f0c
3 changed files with 32 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@@ -468,6 +468,8 @@ security_require_sha512_password_storage: yes # RHEL-07-010180
security_libuser_crypt_style_sha512: yes # RHEL-07-010190 security_libuser_crypt_style_sha512: yes # RHEL-07-010190
# Set a maximum lifetime limit for user passwords. # Set a maximum lifetime limit for user passwords.
#security_password_max_lifetime_days: 60 # RHEL-07-010220 #security_password_max_lifetime_days: 60 # RHEL-07-010220
# Create home directories for new users by default.
security_create_home_directory_default: yes # RHEL-07-020630
## File permissions (file_perms) ## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages. # Reset file permissions and ownership for files installed via RPM packages.

20
doc/metadata/rhel7/RHEL-07-020630.rst
View File

@@ -1,7 +1,21 @@
--- ---
id: RHEL-07-020630 id: RHEL-07-020630
status: not implemented status: implemented
tag: misc tag: auth
--- ---
This STIG requirement is not yet implemented. The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security
role. This ensures that home directories are created each time a new user
account is created.
Deployers can opt out of this change by setting the following Ansible variable:
.. code-block:: yaml
security_create_home_directory_default: no
.. note::
On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directores are
always created with new users by default. Home directories are not created
by default on Ubuntu systems.

13
tasks/rhel7stig/auth.yml
View File

@@ -183,3 +183,16 @@
- auth - auth
- medium - medium
- RHEL-07-020620 - RHEL-07-020620
- name: RHEL-07-020630 - All local interactive user accounts, upon creation, must be assigned a home directory.
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?CREATE_HOME"
line: "CREATE_HOME yes"
state: present
when:
- security_create_home_directory_default | bool
tags:
- auth
- medium
- RHEL-07-020630