ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
473 stars 303 forks

Tasks which modify users' home directories do not apply to domain users #150

Closed benformosa closed 4 years ago

benformosa commented 4 years ago

The List users accounts task relies on the content of /etc/passwd to list users.

In my environment, systems are domain joined, and so users are not listed in /etc/passwd.

It might be useful to additionally locate users by subdirectories in /home.

This creates a fact all_users containing all users in /etc/passwd and the name of each directory under /home.

---
- hosts: localhost
  tasks:
    - name: "PRELIM | List users accounts"
      command: "awk -F: '{print $1}' /etc/passwd"
      register: users
      changed_when: no
      check_mode: no

    - name: "PRELIM | List home directories"
      # Immediate subdirectories of /home only (find does not recurse by default),
      # e.g. /home/alice
      find:
        paths:
          - /home
        file_type: directory
      register: homes

    - name: "PRELIM | List all users"
      # Take the last path component of each home directory and union it with the
      # /etc/passwd names. basename works per element; applying regex_replace to a
      # whole list only works because Ansible coerces the resulting string back
      # into a list, so it is avoided here.
      set_fact:
        all_users: "{{ just_users | union(just_homes) | unique }}"
      vars:
        just_users: "{{ users.stdout_lines }}"
        just_homes: "{{ homes.files | map(attribute='path') | map('basename') | list }}"

    - name: display all users
      debug:
        var: all_users

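
Added example (not from the issue or the RHEL7-CIS role): a stand-alone Python reimplementation of the fact gathering above, using a constructed /etc/passwd sample and constructed home-directory names so the union can be checked offline. It also reports the names that appear only under /home, which is exactly the set the /etc/passwd-based tasks miss on a domain-joined host, and it skips lost+found, which the find task would otherwise turn into a "user" when /home is a separate filesystem. Function and variable names are the example's own.

```python
"""Stand-alone reimplementation of the all_users fact from the playbook above.

Added example, not code from the issue or the RHEL7-CIS role. It parses
passwd-format text, takes the names of directories under a home root, unions
the two, and reports which names exist only as home directories.
"""
import os
from typing import Iterable, List

# Constructed sample /etc/passwd content (not taken from any real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed directory names under /home; bob and carol stand for domain
# users whose home directories were created at first login (e.g. by
# pam_mkhomedir) and who therefore never appear in /etc/passwd.
SAMPLE_HOMES = ["alice", "bob", "carol"]

# Directory names under /home that are not users.
NON_USER_DIRS = ("lost+found",)


def passwd_users(passwd_text: str) -> List[str]:
    """Equivalent of awk -F: '{print $1}' /etc/passwd."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        users.append(line.split(":", 1)[0])
    return users


def filter_home_names(names: Iterable[str], exclude=NON_USER_DIRS) -> List[str]:
    """Drop entries such as lost+found that are directories but not accounts."""
    return [n for n in names if n not in exclude]


def home_dir_users(home_root: str = "/home") -> List[str]:
    """Equivalent of the find task: immediate subdirectories of home_root."""
    try:
        entries = os.listdir(home_root)
    except FileNotFoundError:
        return []
    dirs = sorted(e for e in entries if os.path.isdir(os.path.join(home_root, e)))
    return filter_home_names(dirs)


def all_users(local_users: Iterable[str], home_names: Iterable[str]) -> List[str]:
    """Equivalent of union | unique, order preserving: passwd names first."""
    seen: List[str] = []
    for name in list(local_users) + list(home_names):
        if name not in seen:
            seen.append(name)
    return seen


def home_only_users(local_users: Iterable[str], home_names: Iterable[str]) -> List[str]:
    """Names under /home that are absent from passwd: the accounts that tasks
    driven only by /etc/passwd silently skip on a domain-joined host."""
    local = set(local_users)
    return [n for n in home_names if n not in local]


if __name__ == "__main__":
    with open("/etc/passwd", encoding="utf-8") as fh:
        local = passwd_users(fh.read())
    homes = home_dir_users("/home")
    print("all_users:", all_users(local, homes))
    print("home-only (domain?) users:", home_only_users(local, homes))
```

Run as a script it reads the real /etc/passwd and /home; the constructed samples are there so the merge logic can be exercised without either. The home-only list is the useful audit output: on a host where it is non-empty, any 6.2 check that walks /etc/passwd is not covering those accounts.
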
erpadmin commented 4 years ago

Just one man's opinion, but imo the playbook should adhere directly to the benchmark and it's the benchmark that would need to be updated.

benformosa commented 4 years ago

I agree that this playbook should follow the benchmark, however I'm not sure if that means the wording of the rules or the provided scripts.

The preamble to section 6.2 points out that the rules in that section should also apply to domain users:

6.2 User and Group Settings
This section provides guidance on securing aspects of the users and groups. Note: The recommendations in this section check local users and groups. Any users or groups from other sources such as LDAP will not be audited. In a domain environment similar checks should be performed against domain users and groups.

erpadmin commented 4 years ago

From the auditing perspective, the appliance we use executes the checks exactly as defined in the benchmark. I recall several things referencing /etc/passwd such as for file permissions, unowned directories, and so forth.

What I ended up doing for site specific requirements was add in my own playbook called at the end for one-off additions or fixes. That lets me run a 99% vanilla version of this playbook across all our boxes.

benformosa commented 4 years ago

I'm not worried if this isn't merged, I'm happy maintaining my own fork or extra playbooks.