Merge "Check for users w/o home dirs [+Docs]"

doc/metadata/rhel7/RHEL-07-020620.rst

@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-020620
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The usernames of all users without home directories assigned are provided in
+the Ansible console output. Deployers should use this list of usernames to
+audit each system to ensure every user has a valid home directory.

library/get_users

@@ -0,0 +1,84 @@
+#!/usr/bin/env python
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Get user facts."""
+
+import pwd
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = """
+---
+module: get_users
+short_description:
+    - A module for gathering facts about Linux users.
+description:
+    - This module gathers facts about the Linux users and groups that exist
+      on the system.
+author: major@mhtx.net
+"""
+
+EXAMPLES = '''
+- get_users:
+    min_uid: 1000
+    max_uid: 2000
+'''
+
+RETURN = '''
+users:
+    description: users matching arguments provided
+    returned: success
+    type: list
+'''
+
+
+def main():
+    """Ansible calls this function."""
+    module = AnsibleModule(
+        argument_spec=dict(
+            min_uid=dict(default=0, type='int'),
+            max_uid=dict(default=65535, type='int'),
+        ),
+        supports_check_mode=True,
+    )
+
+    users = []
+
+    # Loop through the users that exist on the system.
+    for user_record in pwd.getpwall():
+
+        # Ensure that the user matches the parameters provided.
+        if (user_record.pw_uid >= module.params['min_uid'] and
+           user_record.pw_uid <= module.params['max_uid']):
+
+            # Assemble a dictionary of the user information and append it to
+            # our list.
+            user_dict = {
+                'name': user_record.pw_name,
+                'uid': user_record.pw_uid,
+                'gid': user_record.pw_gid,
+                'gecos': user_record.pw_gecos,
+                'dir': user_record.pw_dir,
+                'shell': user_record.pw_shell
+            }
+            users.append(user_dict)
+
+    # Return the user data to the Ansible task.
+    module.exit_json(
+        changed=False,
+        users=users
+    )
+
+if __name__ == '__main__':
+    main()

tasks/rhel7stig/auth.yml

@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Get a list of users on the system to use throughout the auth tasks
+  action: get_users
+  register: user_list
+  check_mode: no
+  tags:
+    - always
+
 - name: Check if /etc/security/pwquality.conf exists
   stat:
     path: /etc/security/pwquality.conf
@@ -163,3 +170,16 @@
     - auth
     - high
     - RHEL-07-020310
+
+- name: RHEL-07-020620 - All local interactive users must have a home directory assigned in the /etc/passwd file.
+  debug:
+    msg: |
+      The following users do not have a home directory assigned:
+      {{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
+  when:
+    - user_list is defined
+    - user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
+  tags:
+    - auth
+    - medium
+    - RHEL-07-020620