Harden user home dirs

roles/os_hardening/README.md

@@ -187,6 +187,9 @@ We know that this is the case on Raspberry Pi.
 - `proc_mnt_options`
   - Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
   - Description: Mount proc with hardenized options, including `hidepid` with variable value.
+- `os_ignore_home_folder_users`
+  - Default: `lost+found`
+  - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
 
 ## Packages
 

roles/os_hardening/defaults/main.yml

@@ -13,8 +13,14 @@ os_auth_pam_pwquality_options: 'try_first_pass retry=3 type='  # used in RHEL7
 os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 
 os_chfn_restrict: ''
+
+# Set to false to disable chmod /home folders to 700
+os_chmod_home_folders: true
+
 # may contain: change_user
 os_security_users_allow: []
+# specify user home folders in /home that shouldn't be chmodded to 700
+os_ignore_home_folder_users: ['lost+found']
 # specify system accounts those login should not be disabled and password not changed
 os_ignore_users: ['vagrant', 'kitchen']
 os_security_kernel_enable_module_loading: true

roles/os_hardening/tasks/user_accounts.yml

@@ -45,3 +45,20 @@
     createhome: false
   with_flattened:
     - '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
+
+- name: get all home directories in /home, but skip ignored users
+  find:
+    paths: /home/
+    recurse: false
+    file_type: directory
+    excludes: "{{ os_ignore_home_folder_users | join(',') }}"
+  register: home_directories
+  when: os_chmod_home_folders | bool
+
+- name: set ownership of /home directories to 0700
+  file:
+    mode: 0700
+    path: "{{ item.path }}"
+    state: directory
+  loop: "{{ home_directories.files }}"
+  when: os_chmod_home_folders | bool