From 5fdee29c7073f39b7c43263db0b823b49f6f2f57 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 13 Dec 2016 10:41:00 -0600
Subject: [PATCH] Set home dir mode/owner/group owner [+Docs]

This patch sets the mode, owner, and group owner for each home directory to the correct values. The STIG also requires ownership/permission changes for files/directories within each user's home directory, but these changes can be highly disruptive for certain users. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I1c4a8dfb1e752d4426b471325cd09b2abf5a4ca7
---
 defaults/main.yml | 2 ++
 doc/metadata/rhel7/RHEL-07-020650.rst | 24 +++++++++++++++++++++---
 doc/metadata/rhel7/RHEL-07-020660.rst | 9 ++++++---
 doc/metadata/rhel7/RHEL-07-020670.rst | 9 ++++++---
 doc/metadata/rhel7/RHEL-07-020680.rst | 9 ++++++---
 doc/metadata/rhel7/RHEL-07-020690.rst | 9 ++++++---
 doc/metadata/rhel7/RHEL-07-020700.rst | 9 ++++++---
 tasks/rhel7stig/file_perms.yml | 17 +++++++++++++++++
 tests/test.yml | 1 +
 9 files changed, 71 insertions(+), 18 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 057fc730..bf8917d3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -516,6 +516,8 @@ security_reset_perm_ownership: yes # RHEL-07-010010
 # Search for files/directories owned by invalid users or groups.
 security_search_for_invalid_owner: no # RHEL-07-020360
 security_search_for_invalid_group_owner: no # RHEL-07-020370
+# Set user/group owners on each home directory and set mode to 0750.
+security_set_home_directory_permissions_and_owners: no # RHEL-07-020650 / RHEL-07-020660 / RHEL-07-020670
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
diff --git a/doc/metadata/rhel7/RHEL-07-020650.rst b/doc/metadata/rhel7/RHEL-07-020650.rst
index 04a869db..04dfd5d2 100644
--- a/doc/metadata/rhel7/RHEL-07-020650.rst
+++ b/doc/metadata/rhel7/RHEL-07-020650.rst
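Review bot: The comment above the new default says the mode is "set to 0750", but the task this variable enables only removes permission bits, so a home directory that is already tighter keeps its mode; the RHEL-07-020650 documentation in this same commit describes it as a maximum. Deployers often read only defaults/main.yml, so the two should state the same contract. Suggest `# Set user/group owners on each home directory and restrict its mode to at most 0750 (bits are only ever removed).` for the comment line.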
@@ -1,7 +1,25 @@
 ---
 id: RHEL-07-020650
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that all home directories have the proper owner,
+group owner, and permissions, these changes might be disruptive in some
+environments. These tasks are not executed by default.
+
+Deployers can opt in for the following changes to each home directory:
+
+* Permissions are set to ``0750`` at a maximum. If permissions are already
+ more restrictive than ``0750``, the permissions are left unchanged.
+
+* User ownership is set to the ``UID`` of the user.
+
+* Group ownership is set to the ``GID`` of the user.
+
+Deployers can opt in for these changes by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+ security_set_home_directory_permissions_and_owners: yes
diff --git a/doc/metadata/rhel7/RHEL-07-020660.rst b/doc/metadata/rhel7/RHEL-07-020660.rst
index 0ac1fe34..89e275bf 100644
--- a/doc/metadata/rhel7/RHEL-07-020660.rst
+++ b/doc/metadata/rhel7/RHEL-07-020660.rst
@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020660
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control. Refer to the
+documentation for more details on the change and how to opt out:
+
+* :ref:`stig-RHEL-07-020650`
diff --git a/doc/metadata/rhel7/RHEL-07-020670.rst b/doc/metadata/rhel7/RHEL-07-020670.rst
index da98905b..2aaed5ea 100644
--- a/doc/metadata/rhel7/RHEL-07-020670.rst
+++ b/doc/metadata/rhel7/RHEL-07-020670.rst
@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020670
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control. Refer to the
+documentation for more details on the change and how to opt out:
+
+* :ref:`stig-RHEL-07-020650`
diff --git a/doc/metadata/rhel7/RHEL-07-020680.rst b/doc/metadata/rhel7/RHEL-07-020680.rst
index 033c8a0a..93ddeebd 100644
--- a/doc/metadata/rhel7/RHEL-07-020680.rst
+++ b/doc/metadata/rhel7/RHEL-07-020680.rst
@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020680
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG has requirements for ownership and permissions of files and
+directories in each user's home directory, broad changes to these settings
+might cause disruptions to users on a system. Therefore, these changes are left
+to deployers to examine and adjust manually.
diff --git a/doc/metadata/rhel7/RHEL-07-020690.rst b/doc/metadata/rhel7/RHEL-07-020690.rst
index 22a3c3bc..bee110ec 100644
--- a/doc/metadata/rhel7/RHEL-07-020690.rst
+++ b/doc/metadata/rhel7/RHEL-07-020690.rst
@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020690
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG has requirements for ownership and permissions of files and
+directories in each user's home directory, broad changes to these settings
+might cause disruptions to users on a system. Therefore, these changes are left
+to deployers to examine and adjust manually.
diff --git a/doc/metadata/rhel7/RHEL-07-020700.rst b/doc/metadata/rhel7/RHEL-07-020700.rst
index ff62e272..86769d4d 100644
--- a/doc/metadata/rhel7/RHEL-07-020700.rst
+++ b/doc/metadata/rhel7/RHEL-07-020700.rst
@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020700
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG has requirements for ownership and permissions of files and
+directories in each user's home directory, broad changes to these settings
+might cause disruptions to users on a system. Therefore, these changes are left
+to deployers to examine and adjust manually.
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
index b7f0f7de..cd5e92c3 100644
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@@ -96,6 +96,23 @@
 - medium
 - RHEL-07-020370
 
+- name: Set proper owner, group owner, and permissions on home directories
+ file:
+ dest: "{{ item.dir }}"
+ owner: "{{ item.name }}"
+ group: "{{ item.group.name }}"
+ mode: "u-X,g-ws,o-rwxt"
+ when:
+ - item.uid >= 1000
+ - security_set_home_directory_permissions_and_owners | bool
+ with_items: "{{ user_list.users | selectattr('uid', 'greater_than', 999) | list }}"
+ tags:
+ - medium
+ - file_perms
+ - RHEL-07-020650
+ - RHEL-07-020660
+ - RHEL-07-020670
+
 - name: Check if cn_map file is present
 stat:
 path: /etc/pam_pkcs11/cn_map
diff --git a/tests/test.yml b/tests/test.yml
index 863ed292..eacabd1c 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -93,3 +93,4 @@
 security_disable_account_if_password_expires: yes
 security_rhel7_initialize_aide: yes
 security_require_grub_authentication: yes
+ security_set_home_directory_permissions_and_owners_recursively: no
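Review bot: `mode: "u-X,g-ws,o-rwxt"` in the new "Set proper owner, group owner, and permissions on home directories" task clears the owner's search bit: in symbolic modes `X` means execute/search whenever the target is a directory, so `u-X` on a home directory leaves at most 0650 and the user can no longer enter their own home, contradicting the 0750 maximum promised by the RHEL-07-020650 documentation and the defaults comment in this commit. If the owner clause was meant to strip setuid rather than execute, `mode: "u-s,g-ws,o-rwxt"` gives the documented result while still only removing bits. Separately, `file:` is used without `state`, and the module's default state fails on a path that does not exist, so a uid >= 1000 account whose home directory was never created (or whose `dir` points elsewhere) would abort the play rather than be skipped — worth a `stat` guard or a documented caveat. The `item.uid >= 1000` condition also just repeats the `selectattr('uid', 'greater_than', 999)` filter on `with_items`; one of the two can go. `user_list` is gathered outside this hunk, so the shape of `item.group.name` is assumed here.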
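Review bot: The variable added to tests/test.yml, `security_set_home_directory_permissions_and_owners_recursively`, is not the one defined in defaults/main.yml or read by the new task's `when` clause (`security_set_home_directory_permissions_and_owners`), so this line defines an unused variable and the new home-directory task is never exercised by the test play. Since `no` is already the default, the line would be a no-op even under the correct name; if the intent is to run the task in CI, change it to `security_set_home_directory_permissions_and_owners: yes`, otherwise drop the line.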